Patch for a bug affecting our email list system.
Sebastian Bugge
vsbugge at samfundet.no
Wed Sep 4 14:15:43 BST 2024
Hello!
The email list system for our organization does lookups in Berkeley DB
databases to determine where to send emails. There is, however, a bug,
introduced with bookworm, that makes exim crash when looking up keys
with no content. In our case, this means that we are unable to deliver
email through the email list system if any empty email lists exist. A
description of this bug can be seen in the bug tracker of exim:
https://bugs.exim.org/show_bug.cgi?id=3079
The bug has been patched upstream
(a7e6ad0ba38cf088e841c321042f81966d846b4b), but the fix is not included in
the stable release. Would it be possible to include this fix in the
package in debian stable? I've included a patch below my signature. The
patch is an alteration of the commit that fixed the issue. I've replaced
src/src with src, removed the test case (since quilt did not support
binary diffs), and removed the changelog (since it is not included in
the debian source). I have tested the patch, and it seemed to resolve
our issue!
--
Sebastian Bugge
Billig-uansvarlig
ITK, Samfundet
--
>From a7e6ad0ba38cf088e841c321042f81966d846b4b Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb at wizmail.org>
Date: Sat, 16 Mar 2024 13:50:45 +0000
Subject: [PATCH] Lookups: fix dbmnz crash on zero-length datum. Bug 3079
Broken-by: 6d2c02560e5c
---
src/dbfn.c | 12 +++++++-----
src/exim_dbutil.c | 12 +++++++-----
src/lookups/dbmdb.c | 5 ++++-
3 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/src/dbfn.c b/src/dbfn.c
index 3c51162a4..460fd8bb7 100644
--- a/src/dbfn.c
+++ b/src/dbfn.c
@@ -239,12 +239,13 @@ Returns: a pointer to the retrieved record, or
*/
void *
-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length)
+dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length)
{
-void *yield;
+void * yield;
EXIM_DATUM key_datum, result_datum;
int klen = Ustrlen(key) + 1;
uschar * key_copy = store_get(klen, key);
+unsigned dlen;
memcpy(key_copy, key, klen);
@@ -260,9 +261,10 @@ if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL;
/* Assume the data store could have been tainted. Properly, we should
store the taint status with the data. */
-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED);
-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum));
-if (length) *length = exim_datum_size_get(&result_datum);
+dlen = exim_datum_size_get(&result_datum);
+yield = store_get(dlen, GET_TAINTED);
+memcpy(yield, exim_datum_data_get(&result_datum), dlen);
+if (length) *length = dlen;
exim_datum_free(&result_datum); /* Some DBM libs require freeing */
return yield;
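Review bot: `dlen` is an `unsigned` size taken from a record that the comment above treats as possibly tainted, and it is passed to `store_get()` and narrowed into `*length` (an `int`) with no range check, so a size above `INT_MAX` would reach the caller as a negative length. A guard before the allocation, e.g. `if (dlen > INT_MAX) { exim_datum_free(&result_datum); return NULL; }`, would keep the allocation and the reported length in step; whether `store_get()` already rejects such sizes is not visible here. A zero-length datum also still reaches `memcpy()` on this path, unlike the `len > 0` special case in the src/lookups/dbmdb.c hunk, which is only safe if `exim_datum_data_get()` never returns NULL for an empty record. The same lines appear in the src/exim_dbutil.c hunk at -426, and the function body starts and ends outside this hunk.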
diff --git a/src/exim_dbutil.c b/src/exim_dbutil.c
index 3f70c2fd5..4d213773b 100644
--- a/src/exim_dbutil.c
+++ b/src/exim_dbutil.c
@@ -407,12 +407,13 @@ Returns: a pointer to the retrieved record, or
*/
void *
-dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length)
+dbfn_read_with_length(open_db * dbblock, const uschar * key, int * length)
{
-void *yield;
+void * yield;
EXIM_DATUM key_datum, result_datum;
int klen = Ustrlen(key) + 1;
uschar * key_copy = store_get(klen, key);
+unsigned dlen;
memcpy(key_copy, key, klen);
@@ -426,9 +427,10 @@ if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL;
/* Assume for now that anything stored could have been tainted. Properly
we should store the taint status along with the data. */
-yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED);
-memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum));
-if (length) *length = exim_datum_size_get(&result_datum);
+dlen = exim_datum_size_get(&result_datum);
+yield = store_get(dlen, GET_TAINTED);
+memcpy(yield, exim_datum_data_get(&result_datum), dlen);
+if (length) *length = dlen;
exim_datum_free(&result_datum); /* Some DBM libs require freeing */
return yield;
diff --git a/src/lookups/dbmdb.c b/src/lookups/dbmdb.c
index aa930e654..96665b6e4 100644
--- a/src/lookups/dbmdb.c
+++ b/src/lookups/dbmdb.c
@@ -102,7 +102,8 @@ exim_datum_size_set(&key, length);
if (exim_dbget(d, &key, &data))
{
- *result = string_copyn(exim_datum_data_get(&data), exim_datum_size_get(&data));
+ unsigned len = exim_datum_size_get(&data);
+ *result = len > 0 ? string_copyn(exim_datum_data_get(&data), len) : US"";
exim_datum_free(&data); /* Some DBM libraries need a free() call */
return OK;
}
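Review bot: The `len > 0` special case on the new `*result` line carries no comment saying why an empty datum must not go through `string_copyn()`, and the empty branch hands back the shared literal `US""` rather than a fresh copy. I would add `/* Zero-length datum: return an empty string instead of copying (Bug 3079) */` above the `unsigned len` line and state there that the result must not be written to in that case; whether any caller modifies the result in place is not visible from this hunk. The enclosing function begins and ends outside the hunk.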
@@ -283,3 +284,5 @@ static lookup_info *_lookup_list[] = { &dbm_lookup_info, &dbmz_lookup_info, &dbm
lookup_module_info dbmdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
/* End of lookups/dbmdb.c */
+/* vi: aw ai sw=2
+*/
--
2.39.2