postfix-2.11-20131104

2025-08-22 01:49:47 +00:00 · 2013-11-04 00:00:00 -05:00 · 2013-11-04 00:00:00 -05:00 · 1fa35743a5
commit 1fa35743a5
parent 78fe66320c
20 changed files with 229 additions and 193 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -19035,19 +19035,36 @@ Apologies for any names omitted.
 	Documentation: added SASL_README example for check_sasl_access.
 	File: proto/SASL_README.html.

-20131102
+20131102-3

-	Security violation: by default, LMDB 0.9.9 writes fragments
-	of uninitialized heap memory to a world-readable database
-	file.  This is a basic memory disclosure vulnerability:
-	memory content that a program does not intend to share ends
-	up in a world-readable file. The content of uninitialized
-	heap memory depends on program execution history. That
-	history includes code execution in other libraries that are
-	linked into the program. To work around this problem we
-	disable the use of malloc() in LMDB. However, that does not
-	address several disclosures of stack memory.  File:
-	util/dict_lmdb.c.
+	Security violation: by default, LMDB 0.9.9 writes uninitialized
+	heap memory to a world-readable database file, as chunks
+	of up to 4096 bytes.  This is a gross memory disclosure
+	vulnerability: memory content that a program does not intend
+	to share ends up in a world-readable file.  The content of
+	uninitialized heap memory depends on program execution
+	history. That history includes code execution in other
+	libraries that are linked into the program.

-	Cleanup: expand TAB characters when generating HTML and
-	README files.  Files: proto/Makefile.in.
+	This is a problem whenever the user who writes the database
+	file differs from the user who reads the database file. For
+	example, a privileged writer and an unprivileged reader.
+	In the case of Postfix, the postmap(1) and postalias(1)
+	commands would leak uninitialized heap memory, as chunks
+	of up to 4096 bytes, from a root-privileged process that
+	writes to a database file, to unprivileged processes that
+	read from that database file.
+
+	To work around this problem the postmap(1) and postalias(1)
+	commands disable the use of malloc() in LMDB. However, that
+	does not address several disclosures of stack memory.  Other
+	Postfix databases do not need this workaround: those databases
+	are maintained by Postfix daemon processes, and are accessible
+	only by the postfix user. File: util/dict_lmdb.c.
+
+20131102-3
+
+	Cleanup: expand TAB characters when generating documentation.
+	This was primarily an issue with non-HTML output, but it does
+	not hurt to do this also for HTML.  Files: proto/Makefile.in,
+	proto/MULTI_INSTANCE_README.html.
--- a/postfix/proto/Makefile.in
+++ b/postfix/proto/Makefile.in
@ -139,328 +139,328 @@ clobber:
 	$(SRCTOMAN) - $? | $(AWK) | nroff -man | col -bx | uniq | sed 's/^/# /' >$@

 ../html/ADDRESS_CLASS_README.html: ADDRESS_CLASS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/ADDRESS_REWRITING_README.html: ADDRESS_REWRITING_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/ADDRESS_VERIFICATION_README.html: ADDRESS_VERIFICATION_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/BACKSCATTER_README.html: BACKSCATTER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/CDB_README.html: CDB_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/CONNECTION_CACHE_README.html: CONNECTION_CACHE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/CONTENT_INSPECTION_README.html: CONTENT_INSPECTION_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/CYRUS_README.html: CYRUS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/DATABASE_README.html: DATABASE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/DB_README.html: DB_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/DEBUG_README.html: DEBUG_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/DSN_README.html: DSN_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/ETRN_README.html: ETRN_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/FILTER_README.html: FILTER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/INSTALL.html: INSTALL.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/IPV6_README.html: IPV6_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/LDAP_README.html: LDAP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/LINUX_README.html: LINUX_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/LOCAL_RECIPIENT_README.html: LOCAL_RECIPIENT_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/MAILDROP_README.html: MAILDROP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/LMDB_README.html: LMDB_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/MEMCACHE_README.html: MEMCACHE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/MILTER_README.html: MILTER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/MULTI_INSTANCE_README.html: MULTI_INSTANCE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/MYSQL_README.html: MYSQL_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/NFS_README.html: NFS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/OVERVIEW.html: OVERVIEW.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/PACKAGE_README.html: PACKAGE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/PCRE_README.html: PCRE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/PGSQL_README.html: PGSQL_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/POSTSCREEN_README.html: POSTSCREEN_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/QMQP_README.html: QMQP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/QSHAPE_README.html: QSHAPE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/RESTRICTION_CLASS_README.html: RESTRICTION_CLASS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/SASL_README.html: SASL_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/SCHEDULER_README.html: SCHEDULER_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/SMTPD_ACCESS_README.html: SMTPD_ACCESS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/SMTPD_POLICY_README.html: SMTPD_POLICY_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/SMTPD_PROXY_README.html: SMTPD_PROXY_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/SOHO_README.html: $(MAKESOHO) $(DEPSOHO)
 	$(MAKESOHO) | $(POSTLINK) | $(DETAB) >$@

 ../html/SQLITE_README.html: SQLITE_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/STRESS_README.html: STRESS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/TUNING_README.html: TUNING_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/UUCP_README.html: UUCP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/ULTRIX_README.html: ULTRIX_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/VERP_README.html: VERP_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/VIRTUAL_README.html: VIRTUAL_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/XCLIENT_README.html: XCLIENT_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/XFORWARD_README.html: XFORWARD_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/TLS_README.html: TLS_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../html/TLS_LEGACY_README.html: TLS_LEGACY_README.html
-	$(POSTLINK) $? | $(DETAB) >$@
+	$(DETAB) $? | $(POSTLINK) >$@

 ../README_FILES/ADDRESS_CLASS_README: ADDRESS_CLASS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/ADDRESS_REWRITING_README: ADDRESS_REWRITING_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/ADDRESS_VERIFICATION_README: ADDRESS_VERIFICATION_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/BACKSCATTER_README: BACKSCATTER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/CDB_README: CDB_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/CONNECTION_CACHE_README: CONNECTION_CACHE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/CONTENT_INSPECTION_README: CONTENT_INSPECTION_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/CYRUS_README: CYRUS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/DATABASE_README: DATABASE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/DB_README: DB_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/DEBUG_README: DEBUG_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/DSN_README: DSN_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/ETRN_README: ETRN_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/FILTER_README: FILTER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/INSTALL: INSTALL.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/IPV6_README: IPV6_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/LDAP_README: LDAP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/LINUX_README: LINUX_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/LOCAL_RECIPIENT_README: LOCAL_RECIPIENT_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/MAILDROP_README: MAILDROP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/LMDB_README: LMDB_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/MEMCACHE_README: MEMCACHE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/MILTER_README: MILTER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/MULTI_INSTANCE_README: MULTI_INSTANCE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/MYSQL_README: MYSQL_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/NFS_README: NFS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/OVERVIEW: OVERVIEW.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/PACKAGE_README: PACKAGE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/PCRE_README: PCRE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/PGSQL_README: PGSQL_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/POSTSCREEN_README: POSTSCREEN_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/QMQP_README: QMQP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/QSHAPE_README: QSHAPE_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/RESTRICTION_CLASS_README: RESTRICTION_CLASS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/SASL_README: SASL_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/SCHEDULER_README: SCHEDULER_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/SMTPD_ACCESS_README: SMTPD_ACCESS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/SMTPD_POLICY_README: SMTPD_POLICY_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/SMTPD_PROXY_README: SMTPD_PROXY_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/SOHO_README: $(MAKESOHO) $(DEPSOHO)
 	$(MAKESOHO) | $(HT2READ) | $(DETAB) >$@

 ../README_FILES/SQLITE_README: SQLITE_README.html
-	$(HT2READ) $? | $(DETAB) >$@ 
+	$(DETAB) $? | $(HT2READ) >$@ 

 ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/STRESS_README: STRESS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/TUNING_README: TUNING_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/UUCP_README: UUCP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/ULTRIX_README: ULTRIX_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/VERP_README: VERP_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/VIRTUAL_README: VIRTUAL_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/XCLIENT_README: XCLIENT_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/XFORWARD_README: XFORWARD_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/TLS_README: TLS_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/TLS_LEGACY_README: TLS_LEGACY_README.html
-	$(HT2READ) $? | $(DETAB) >$@
+	$(DETAB) $? | $(HT2READ) >$@

 ../README_FILES/AAAREADME: ../html/index.html $(MAKEAAA)
 	$(MAKEAAA) ../html/index.html | $(HT2READ) | $(DETAB) >$@
@ -468,8 +468,8 @@ clobber:
 ../man/man5/postconf.5: postconf.man.prolog postconf.proto postconf.man.epilog \
 	../mantools/xpostconf ../mantools/postconf2html ../mantools/postconf2man
 	(cat postconf.man.prolog; ../mantools/xpostconf postconf.proto | \
-	    ../mantools/postconf2html | ../mantools/postconf2man | \
-		sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) | $(DETAB) > $@
+	    $(DETAB) | ../mantools/postconf2html | ../mantools/postconf2man | \
+		sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) > $@

 ../html/postconf.5.html: postconf.html.prolog postconf.proto \
 	postconf.html.epilog ../mantools/xpostconf ../mantools/postconf2html \
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20131103"
+#define MAIL_RELEASE_DATE	"20131104"
 #define MAIL_VERSION_NUMBER	"2.11"

 #ifdef SNAPSHOT
--- a/postfix/src/postalias/postalias.c
+++ b/postfix/src/postalias/postalias.c
@ -290,6 +290,7 @@ static void postalias(char *map_type, char *path_name, int postalias_flags,
 	if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
 	    msg_fatal("open %s: %m", path_name);
    }
+    dict_flags |= DICT_FLAG_WORLD_READ;
    if (fstat(vstream_fileno(source_fp), &st) < 0)
 	msg_fatal("fstat %s: %m", path_name);

--- a/postfix/src/postmap/postmap.c
+++ b/postfix/src/postmap/postmap.c
@ -353,6 +353,7 @@ static void postmap(char *map_type, char *path_name, int postmap_flags,
 	if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
 	    msg_fatal("open %s: %m", path_name);
    }
+    dict_flags |= DICT_FLAG_WORLD_READ;
    if (fstat(vstream_fileno(source_fp), &st) < 0)
 	msg_fatal("fstat %s: %m", path_name);

--- a/postfix/src/util/dict.c
+++ b/postfix/src/util/dict.c
@ -590,6 +590,7 @@ static const NAME_MASK dict_mask[] = {
    "fold_mul", DICT_FLAG_FOLD_MUL,	/* case-fold with multi-case key map */
    "open_lock", DICT_FLAG_OPEN_LOCK,	/* permanent lock upon open */
    "bulk_update", DICT_FLAG_BULK_UPDATE,	/* bulk update if supported */
+    "world_read", DICT_FLAG_WORLD_READ,	/* assume writer != reader */
    0,
 };

--- a/postfix/src/util/dict.h
+++ b/postfix/src/util/dict.h
@ -96,6 +96,7 @@ extern DICT *dict_debug(DICT *);
 #define DICT_FLAG_FOLD_ANY	(DICT_FLAG_FOLD_FIX | DICT_FLAG_FOLD_MUL)
 #define DICT_FLAG_OPEN_LOCK	(1<<16)	/* perm lock if not multi-writer safe */
 #define DICT_FLAG_BULK_UPDATE	(1<<17)	/* optimize for bulk updates */
+#define DICT_FLAG_WORLD_READ	(1<<18)	/* assume writer != reader */

 /* IMPORTANT: Update the dict_mask[] table when the above changes */

--- a/postfix/src/util/dict_lmdb.c
+++ b/postfix/src/util/dict_lmdb.c
@ -551,35 +551,45 @@ DICT   *dict_lmdb_open(const char *path, int open_flags, int dict_flags)
    mdb_path = concatenate(path, "." DICT_TYPE_LMDB, (char *) 0);

    /*
-     * Security violation.
-     * 
-     * By default, LMDB 0.9.9 writes uninitialized heap memory to a
-     * world-readable database file. This is a basic memory disclosure
-     * vulnerability: memory content that a program does not intend to share
-     * ends up in a world-readable file. The content of uninitialized heap
-     * memory depends on program execution history. That history includes
-     * code execution in other libraries that are linked into the program.
-     * 
-     * As a workaround we turn on MDB_WRITEMAP which disables the use of
-     * malloc() in LMDB. However, that does not address several disclosures
-     * of stack memory.
+     * Impedance adapters.
     */
    mdb_flags = MDB_NOSUBDIR | MDB_NOLOCK;
    if (open_flags == O_RDONLY)
 	mdb_flags |= MDB_RDONLY;

-    /*
-     * Replace with MDB_VERSION_FULL < MDB_VERINT(X, Y, Z) after this is
-     * fixed up-stream.
-     */
-#if 1
-    mdb_flags |= MDB_WRITEMAP;
-#endif
-
    slmdb_flags = 0;
    if (dict_flags & DICT_FLAG_BULK_UPDATE)
 	slmdb_flags |= SLMDB_FLAG_BULK;

+    /*
+     * Security violation.
+     * 
+     * By default, LMDB 0.9.9 writes uninitialized heap memory to a
+     * world-readable database file, as chunks of up to 4096 bytes. This is a
+     * gross memory disclosure vulnerability: memory content that a program
+     * does not intend to share ends up in a world-readable file. The content
+     * of uninitialized heap memory depends on program execution history.
+     * That history includes code execution in other libraries that are
+     * linked into the program.
+     * 
+     * This is a problem whenever the user who writes the database file differs
+     * from the user who reads the database file. For example, a privileged
+     * writer and an unprivileged reader. In the case of Postfix, the
+     * postmap(1) and postalias(1) commands would leak uninitialized heap
+     * memory, as chunks of up to 4096 bytes, from a root-privileged process
+     * that writes to a database file, to unprivileged processes that read
+     * from that database file.
+     * 
+     * As a workaround the postmap(1) and postalias(1) commands turn on
+     * MDB_WRITEMAP which disables the use of malloc() in LMDB. However, that
+     * does not address several disclosures of stack memory. Other Postfix
+     * databases do not need this workaround: those databases are maintained
+     * by Postfix daemon processes, and are accessible only by the postfix
+     * user.
+     */
+    if (dict_flags & DICT_FLAG_WORLD_READ)
+	mdb_flags |= MDB_WRITEMAP;
+
    /*
     * Gracefully handle most database open errors.
     */
--- a/postfix/src/util/dict_open.c
+++ b/postfix/src/util/dict_open.c
@ -126,6 +126,9 @@
 /*	Enable preliminary code for bulk-mode database updates.
 /*	The caller must create an exception handler with dict_jmp_alloc()
 /*	and must trap exceptions from the database client with dict_setjmp().
+/* .IP DICT_FLAG_WORLD_READ
+/*	Assume that the database file will be read by users other
+/*	than the writer.
 /* .IP DICT_FLAG_DEBUG
 /*	Enable additional logging.
 /* .PP
--- a/postfix/src/util/slmdb.c
+++ b/postfix/src/util/slmdb.c
@ -295,9 +295,11 @@ static int slmdb_recover(SLMDB *slmdb, int status)
    MDB_envinfo info;

    /*
-     * Limit the number of recovery attempts per slmdb(3) API request.
+     * Recover bulk transactions only if they can be restarted. Limit
+     * the number of recovery attempts per slmdb(3) API request.
     */
-    if ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit)
+    if ((slmdb->txn != 0 && slmdb->longjmp_fn == 0)
+	|| ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit))
 	return (status);

    /*