postfix-2.4.8

postfix/HISTORY

@@ -13599,3 +13599,51 @@ Apologies for any names omitted.
 	prevent dovecot-auth memory wastage. Timo Sirainen.  File:
 	xsasl/xsasl_dovecot_server.c.
 
+20080228
+
+	Bugfix: bounce(8) segfault on one-line template text.
+	Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
+
+20080411
+
+	Bugfix (introduced Postfix 2.0): after "warn_if_reject
+	reject_unlisted_recipient/sender", the SMTP server mistakenly
+	remembered that recipient/sender validation was already
+	done. File: smtpd/smtpd_check.c.
+
+20080428
+
+	Cleanup: the proxy_read_maps (Postfix 2.0) default setting
+	was not updated when adding sender/recipient_bcc_maps
+	(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
+	File: global/mail_params.h.
+
+20080509
+
+	Bugfix: null-terminate CN comment string after sanitization.
+	File: smtpd/smtpd.c.
+
+20080603
+
+	Workaround: avoid "bad address pattern" errors with non-address
+	patterns in namadr_list_match() calls. File: util/match_ops.c.
+
+20080804
+
+	Bugfix: dangling pointer in vstring_sprintf_prepend().
+	File: util/vstring.c.
+
+20080814
+
+	Security: some systems have changed their link() semantics,
+	and will hardlink a symlink, contrary to POSIX and XPG4.
+	Sebastian Krahmer, SuSE. File: util/safe_open.c.
+
+	The solution introduces the following incompatible change:
+	when the target of mail delivery is a symlink, the parent
+	directory of that symlink must now be writable by root only
+	(in addition to the already existing requirement that the
+	symlink itself is owned by root).  This change will break
+	legitimate configurations that deliver mail to a symbolic
+	link in a directory with less restrictive permissions.
+

postfix/src/bounce/bounce_template.c

@@ -343,7 +343,7 @@ static void bounce_template_parse_buffer(BOUNCE_TEMPLATE *tp)
      * Is this 7bit or 8bit text? If the character set is US-ASCII, then
      * don't allow 8bit text. Don't assume 8bit when charset was changed.
      */
-#define NON_ASCII(p) (*(p) && !allascii((p)))
+#define NON_ASCII(p) ((p) && *(p) && !allascii((p)))
 
     if (NON_ASCII(cp) || NON_ASCII(tval)) {
 	if (strcasecmp(tp->mime_charset, "us-ascii") == 0) {

postfix/src/global/mail_params.h

@@ -2001,7 +2001,11 @@ extern int var_local_rcpt_code;
 				" $" VAR_RCPT_CANON_MAPS \
 				" $" VAR_RELOCATED_MAPS \
 				" $" VAR_TRANSPORT_MAPS \
-				" $" VAR_MYNETWORKS
+				" $" VAR_MYNETWORKS \
+				" $" VAR_SEND_BCC_MAPS \
+				" $" VAR_RCPT_BCC_MAPS \
+				" $" VAR_SMTP_GENERIC_MAPS \
+				" $" VAR_LMTP_GENERIC_MAPS
 extern char *var_proxy_read_maps;
 
  /*

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20080131"
-#define MAIL_VERSION_NUMBER	"2.4.7"
+#define MAIL_RELEASE_DATE	"20080814"
+#define MAIL_VERSION_NUMBER	"2.4.8"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/smtpd/smtpd.c

@@ -2426,6 +2426,7 @@ static void comment_sanitize(VSTRING *comment_string)
     }
     while (pc-- > 0)
 	VSTRING_ADDCH(comment_string, ')');
+    VSTRING_TERMINATE(comment_string);
 }
 
 /* data_cmd - process DATA command */

postfix/src/smtpd/smtpd_check.c

@@ -4277,7 +4277,9 @@ static int check_recipient_rcpt_maps(SMTPD_STATE *state, const char *recipient)
 	return (0);
     if (state->recipient_rcptmap_checked == 1)
 	return (0);
-    state->recipient_rcptmap_checked = 1;
+    if (state->warn_if_reject == 0)
+	/* We really validate the recipient address. */
+	state->recipient_rcptmap_checked = 1;
     return (check_rcpt_maps(state, recipient, SMTPD_NAME_RECIPIENT));
 }
 

postfix/src/util/match_ops.c

@@ -234,12 +234,20 @@ int     match_hostaddr(int unused_flags, const char *addr, const char *pattern)
      * Postfix; if not, then Postfix has no business dealing with IPv4
      * addresses anyway.
      * 
-     * - Don't bother if the pattern is a bare IPv4 address. That form would
-     * have been matched with the strcasecmp() call above.
+     * - Don't bother unless the pattern is either an IPv6 address or net/mask.
      * 
-     * - Don't bother if the pattern isn't an address or address/mask.
+     * We can safely skip IPv4 address patterns because their form is
+     * unambiguous and they did not match in the strcasecmp() calls above.
+     * 
+     * XXX We MUST skip (parent) domain names, which may appear in NAMADR_LIST
+     * input, to avoid triggering false cidr_match_parse() errors.
+     * 
+     * The last two conditions below are for backwards compatibility with
+     * earlier Postfix versions: don't abort with fatal errors on junk that
+     * was silently ignored (principle of least astonishment).
      */
     if (!strchr(addr, ':') != !strchr(pattern, ':')
+	|| pattern[strcspn(pattern, ":/")] == 0
 	|| pattern[strspn(pattern, V4_ADDR_STRING_CHARS)] == 0
 	|| pattern[strspn(pattern, V6_ADDR_STRING_CHARS "[]/")] != 0)
 	return (0);

postfix/src/util/safe_open.c

@@ -83,6 +83,7 @@
 #include <msg.h>
 #include <vstream.h>
 #include <vstring.h>
+#include <stringops.h>
 #include <safe_open.h>
 
 /* safe_open_exist - open existing file */
@@ -138,13 +139,29 @@ static VSTREAM *safe_open_exist(const char *path, int flags,
      * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks
      * owned by a non-root user. This would open a security hole when
      * delivering mail to a world-writable mailbox directory.
+     * 
+     * Sebastian Krahmer of SuSE brought to my attention that some systems have
+     * changed their semantics of link(symlink, newpath), such that the
+     * result is a hardlink to the symlink. For this reason, we now also
+     * require that the symlink's parent directory is writable only by root.
      */
     else if (lstat(path, &lstat_st) < 0) {
 	vstring_sprintf(why, "file status changed unexpectedly: %m");
 	errno = EPERM;
     } else if (S_ISLNK(lstat_st.st_mode)) {
-	if (lstat_st.st_uid == 0)
-	    return (fp);
+	if (lstat_st.st_uid == 0) {
+	    VSTRING *parent_buf = vstring_alloc(100);
+	    const char *parent_path = sane_dirname(parent_buf, path);
+	    struct stat parent_st;
+	    int     parent_ok;
+
+	    parent_ok = (stat(parent_path, &parent_st) == 0	/* not lstat */
+			 && parent_st.st_uid == 0
+			 && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0);
+	    vstring_free(parent_buf);
+	    if (parent_ok)
+		return (fp);
+	}
 	vstring_sprintf(why, "file is a symbolic link");
 	errno = EPERM;
     } else if (fstat_st->st_dev != lstat_st.st_dev

postfix/src/util/vstring.c

@@ -624,6 +624,7 @@ VSTRING *vstring_sprintf_prepend(VSTRING *vp, const char *format,...)
     result_len = VSTRING_LEN(vp);
 
     /* Construct: old|new|old|free */
+    VSTRING_SPACE(vp, old_len);
     vstring_memcat(vp, vstring_str(vp), old_len);
 
     /* Construct: new|old|free */