postfix-2.11-20131104

postfix/HISTORY

@@ -19035,19 +19035,36 @@ Apologies for any names omitted.
 	Documentation: added SASL_README example for check_sasl_access.
 	File: proto/SASL_README.html.
 
-20131102
+20131102-3
 
-	Security violation: by default, LMDB 0.9.9 writes fragments
+	Security violation: by default, LMDB 0.9.9 writes uninitialized
-	of uninitialized heap memory to a world-readable database
+	heap memory to a world-readable database file, as chunks
-	file.  This is a basic memory disclosure vulnerability:
+	of up to 4096 bytes.  This is a gross memory disclosure
-	memory content that a program does not intend to share ends
+	vulnerability: memory content that a program does not intend
-	up in a world-readable file. The content of uninitialized
+	to share ends up in a world-readable file.  The content of
-	heap memory depends on program execution history. That
+	uninitialized heap memory depends on program execution
-	history includes code execution in other libraries that are
+	history. That history includes code execution in other
-	linked into the program. To work around this problem we
+	libraries that are linked into the program.
-	disable the use of malloc() in LMDB. However, that does not
-	address several disclosures of stack memory.  File:
-	util/dict_lmdb.c.
 
-	Cleanup: expand TAB characters when generating HTML and
+	This is a problem whenever the user who writes the database
-	README files.  Files: proto/Makefile.in.
+	file differs from the user who reads the database file. For
+	example, a privileged writer and an unprivileged reader.
+	In the case of Postfix, the postmap(1) and postalias(1)
+	commands would leak uninitialized heap memory, as chunks
+	of up to 4096 bytes, from a root-privileged process that
+	writes to a database file, to unprivileged processes that
+	read from that database file.
+
+	To work around this problem the postmap(1) and postalias(1)
+	commands disable the use of malloc() in LMDB. However, that
+	does not address several disclosures of stack memory.  Other
+	Postfix databases do not need this workaround: those databases
+	are maintained by Postfix daemon processes, and are accessible
+	only by the postfix user. File: util/dict_lmdb.c.
+
+20131102-3
+
+	Cleanup: expand TAB characters when generating documentation.
+	This was primarily an issue with non-HTML output, but it does
+	not hurt to do this also for HTML.  Files: proto/Makefile.in,
+	proto/MULTI_INSTANCE_README.html.

postfix/proto/Makefile.in

@@ -139,328 +139,328 @@ clobber:
 	$(SRCTOMAN) - $? | $(AWK) | nroff -man | col -bx | uniq | sed 's/^/# /' >$@
 
 ../html/ADDRESS_CLASS_README.html: ADDRESS_CLASS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/ADDRESS_REWRITING_README.html: ADDRESS_REWRITING_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/ADDRESS_VERIFICATION_README.html: ADDRESS_VERIFICATION_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/BACKSCATTER_README.html: BACKSCATTER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/CDB_README.html: CDB_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/CONNECTION_CACHE_README.html: CONNECTION_CACHE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/CONTENT_INSPECTION_README.html: CONTENT_INSPECTION_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/CYRUS_README.html: CYRUS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/DATABASE_README.html: DATABASE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/DB_README.html: DB_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/DEBUG_README.html: DEBUG_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/DSN_README.html: DSN_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/ETRN_README.html: ETRN_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/FILTER_README.html: FILTER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/INSTALL.html: INSTALL.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/IPV6_README.html: IPV6_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/LDAP_README.html: LDAP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/LINUX_README.html: LINUX_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/LOCAL_RECIPIENT_README.html: LOCAL_RECIPIENT_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MAILDROP_README.html: MAILDROP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/LMDB_README.html: LMDB_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MEMCACHE_README.html: MEMCACHE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MILTER_README.html: MILTER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MULTI_INSTANCE_README.html: MULTI_INSTANCE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MYSQL_README.html: MYSQL_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/NFS_README.html: NFS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/OVERVIEW.html: OVERVIEW.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/PACKAGE_README.html: PACKAGE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/PCRE_README.html: PCRE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/PGSQL_README.html: PGSQL_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/POSTSCREEN_README.html: POSTSCREEN_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/QMQP_README.html: QMQP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/QSHAPE_README.html: QSHAPE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/RESTRICTION_CLASS_README.html: RESTRICTION_CLASS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SASL_README.html: SASL_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SCHEDULER_README.html: SCHEDULER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SMTPD_ACCESS_README.html: SMTPD_ACCESS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SMTPD_POLICY_README.html: SMTPD_POLICY_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SMTPD_PROXY_README.html: SMTPD_PROXY_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SOHO_README.html: $(MAKESOHO) $(DEPSOHO)
 	$(MAKESOHO) | $(POSTLINK) | $(DETAB) >$@
 
 ../html/SQLITE_README.html: SQLITE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/STRESS_README.html: STRESS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/TUNING_README.html: TUNING_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/UUCP_README.html: UUCP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/ULTRIX_README.html: ULTRIX_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/VERP_README.html: VERP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/VIRTUAL_README.html: VIRTUAL_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/XCLIENT_README.html: XCLIENT_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/XFORWARD_README.html: XFORWARD_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/TLS_README.html: TLS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../html/TLS_LEGACY_README.html: TLS_LEGACY_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@
 
 ../README_FILES/ADDRESS_CLASS_README: ADDRESS_CLASS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/ADDRESS_REWRITING_README: ADDRESS_REWRITING_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/ADDRESS_VERIFICATION_README: ADDRESS_VERIFICATION_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/BACKSCATTER_README: BACKSCATTER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/CDB_README: CDB_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/CONNECTION_CACHE_README: CONNECTION_CACHE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/CONTENT_INSPECTION_README: CONTENT_INSPECTION_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/CYRUS_README: CYRUS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/DATABASE_README: DATABASE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/DB_README: DB_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/DEBUG_README: DEBUG_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/DSN_README: DSN_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/ETRN_README: ETRN_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/FILTER_README: FILTER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/INSTALL: INSTALL.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/IPV6_README: IPV6_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/LDAP_README: LDAP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/LINUX_README: LINUX_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/LOCAL_RECIPIENT_README: LOCAL_RECIPIENT_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MAILDROP_README: MAILDROP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/LMDB_README: LMDB_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MEMCACHE_README: MEMCACHE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MILTER_README: MILTER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MULTI_INSTANCE_README: MULTI_INSTANCE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MYSQL_README: MYSQL_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/NFS_README: NFS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/OVERVIEW: OVERVIEW.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/PACKAGE_README: PACKAGE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/PCRE_README: PCRE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/PGSQL_README: PGSQL_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/POSTSCREEN_README: POSTSCREEN_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/QMQP_README: QMQP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/QSHAPE_README: QSHAPE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/RESTRICTION_CLASS_README: RESTRICTION_CLASS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SASL_README: SASL_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SCHEDULER_README: SCHEDULER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SMTPD_ACCESS_README: SMTPD_ACCESS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SMTPD_POLICY_README: SMTPD_POLICY_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SMTPD_PROXY_README: SMTPD_PROXY_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SOHO_README: $(MAKESOHO) $(DEPSOHO)
 	$(MAKESOHO) | $(HT2READ) | $(DETAB) >$@
 
 ../README_FILES/SQLITE_README: SQLITE_README.html
-	$(HT2READ) $? | $(DETAB) >$@ 
+	$(DETAB) $? | $(HT2READ) >$@ 
 
 ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/STRESS_README: STRESS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/TUNING_README: TUNING_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/UUCP_README: UUCP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/ULTRIX_README: ULTRIX_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/VERP_README: VERP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/VIRTUAL_README: VIRTUAL_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/XCLIENT_README: XCLIENT_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/XFORWARD_README: XFORWARD_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/TLS_README: TLS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/TLS_LEGACY_README: TLS_LEGACY_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/AAAREADME: ../html/index.html $(MAKEAAA)
 	$(MAKEAAA) ../html/index.html | $(HT2READ) | $(DETAB) >$@
@@ -468,8 +468,8 @@ clobber:
 ../man/man5/postconf.5: postconf.man.prolog postconf.proto postconf.man.epilog \
 	../mantools/xpostconf ../mantools/postconf2html ../mantools/postconf2man
 	(cat postconf.man.prolog; ../mantools/xpostconf postconf.proto | \
-	    ../mantools/postconf2html | ../mantools/postconf2man | \
+	    $(DETAB) | ../mantools/postconf2html | ../mantools/postconf2man | \
-		sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) | $(DETAB) > $@
+		sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) > $@
 
 ../html/postconf.5.html: postconf.html.prolog postconf.proto \
 	postconf.html.epilog ../mantools/xpostconf ../mantools/postconf2html \

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20131103"
+#define MAIL_RELEASE_DATE	"20131104"
 #define MAIL_VERSION_NUMBER	"2.11"
 
 #ifdef SNAPSHOT

postfix/src/postalias/postalias.c

@@ -290,6 +290,7 @@ static void postalias(char *map_type, char *path_name, int postalias_flags,
 	if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
 	    msg_fatal("open %s: %m", path_name);
     }
+    dict_flags |= DICT_FLAG_WORLD_READ;
     if (fstat(vstream_fileno(source_fp), &st) < 0)
 	msg_fatal("fstat %s: %m", path_name);
 

postfix/src/postmap/postmap.c

@@ -353,6 +353,7 @@ static void postmap(char *map_type, char *path_name, int postmap_flags,
 	if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
 	    msg_fatal("open %s: %m", path_name);
     }
+    dict_flags |= DICT_FLAG_WORLD_READ;
     if (fstat(vstream_fileno(source_fp), &st) < 0)
 	msg_fatal("fstat %s: %m", path_name);
 

postfix/src/util/dict.c

@@ -590,6 +590,7 @@ static const NAME_MASK dict_mask[] = {
     "fold_mul", DICT_FLAG_FOLD_MUL,	/* case-fold with multi-case key map */
     "open_lock", DICT_FLAG_OPEN_LOCK,	/* permanent lock upon open */
     "bulk_update", DICT_FLAG_BULK_UPDATE,	/* bulk update if supported */
+    "world_read", DICT_FLAG_WORLD_READ,	/* assume writer != reader */
     0,
 };
 

postfix/src/util/dict.h

@@ -96,6 +96,7 @@ extern DICT *dict_debug(DICT *);
 #define DICT_FLAG_FOLD_ANY	(DICT_FLAG_FOLD_FIX | DICT_FLAG_FOLD_MUL)
 #define DICT_FLAG_OPEN_LOCK	(1<<16)	/* perm lock if not multi-writer safe */
 #define DICT_FLAG_BULK_UPDATE	(1<<17)	/* optimize for bulk updates */
+#define DICT_FLAG_WORLD_READ	(1<<18)	/* assume writer != reader */
 
  /* IMPORTANT: Update the dict_mask[] table when the above changes */
 

postfix/src/util/dict_lmdb.c

@@ -551,35 +551,45 @@ DICT   *dict_lmdb_open(const char *path, int open_flags, int dict_flags)
     mdb_path = concatenate(path, "." DICT_TYPE_LMDB, (char *) 0);
 
     /*
-     * Security violation.
+     * Impedance adapters.
-     * 
-     * By default, LMDB 0.9.9 writes uninitialized heap memory to a
-     * world-readable database file. This is a basic memory disclosure
-     * vulnerability: memory content that a program does not intend to share
-     * ends up in a world-readable file. The content of uninitialized heap
-     * memory depends on program execution history. That history includes
-     * code execution in other libraries that are linked into the program.
-     * 
-     * As a workaround we turn on MDB_WRITEMAP which disables the use of
-     * malloc() in LMDB. However, that does not address several disclosures
-     * of stack memory.
      */
     mdb_flags = MDB_NOSUBDIR | MDB_NOLOCK;
     if (open_flags == O_RDONLY)
 	mdb_flags |= MDB_RDONLY;
 
-    /*
-     * Replace with MDB_VERSION_FULL < MDB_VERINT(X, Y, Z) after this is
-     * fixed up-stream.
-     */
-#if 1
-    mdb_flags |= MDB_WRITEMAP;
-#endif
-
     slmdb_flags = 0;
     if (dict_flags & DICT_FLAG_BULK_UPDATE)
 	slmdb_flags |= SLMDB_FLAG_BULK;
 
+    /*
+     * Security violation.
+     * 
+     * By default, LMDB 0.9.9 writes uninitialized heap memory to a
+     * world-readable database file, as chunks of up to 4096 bytes. This is a
+     * gross memory disclosure vulnerability: memory content that a program
+     * does not intend to share ends up in a world-readable file. The content
+     * of uninitialized heap memory depends on program execution history.
+     * That history includes code execution in other libraries that are
+     * linked into the program.
+     * 
+     * This is a problem whenever the user who writes the database file differs
+     * from the user who reads the database file. For example, a privileged
+     * writer and an unprivileged reader. In the case of Postfix, the
+     * postmap(1) and postalias(1) commands would leak uninitialized heap
+     * memory, as chunks of up to 4096 bytes, from a root-privileged process
+     * that writes to a database file, to unprivileged processes that read
+     * from that database file.
+     * 
+     * As a workaround the postmap(1) and postalias(1) commands turn on
+     * MDB_WRITEMAP which disables the use of malloc() in LMDB. However, that
+     * does not address several disclosures of stack memory. Other Postfix
+     * databases do not need this workaround: those databases are maintained
+     * by Postfix daemon processes, and are accessible only by the postfix
+     * user.
+     */
+    if (dict_flags & DICT_FLAG_WORLD_READ)
+	mdb_flags |= MDB_WRITEMAP;
+
     /*
      * Gracefully handle most database open errors.
      */

postfix/src/util/dict_open.c

@@ -126,6 +126,9 @@
 /*	Enable preliminary code for bulk-mode database updates.
 /*	The caller must create an exception handler with dict_jmp_alloc()
 /*	and must trap exceptions from the database client with dict_setjmp().
+/* .IP DICT_FLAG_WORLD_READ
+/*	Assume that the database file will be read by users other
+/*	than the writer.
 /* .IP DICT_FLAG_DEBUG
 /*	Enable additional logging.
 /* .PP

postfix/src/util/slmdb.c

@@ -295,9 +295,11 @@ static int slmdb_recover(SLMDB *slmdb, int status)
     MDB_envinfo info;
 
     /*
-     * Limit the number of recovery attempts per slmdb(3) API request.
+     * Recover bulk transactions only if they can be restarted. Limit
+     * the number of recovery attempts per slmdb(3) API request.
      */
-    if ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit)
+    if ((slmdb->txn != 0 && slmdb->longjmp_fn == 0)
+	|| ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit))
 	return (status);
 
     /*