diff --git a/postfix/HISTORY b/postfix/HISTORY index 73db63f58..38add05f6 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -13599,3 +13599,51 @@ Apologies for any names omitted. prevent dovecot-auth memory wastage. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c. +20080228 + + Bugfix: bounce(8) segfault on one-line template text. + Problem found by Sacha Chlytor. File: bounce/bounce_template.c. + +20080411 + + Bugfix (introduced Postfix 2.0): after "warn_if_reject + reject_unlisted_recipient/sender", the SMTP server mistakenly + remembered that recipient/sender validation was already + done. File: smtpd/smtpd_check.c. + +20080428 + + Cleanup: the proxy_read_maps (Postfix 2.0) default setting + was not updated when adding sender/recipient_bcc_maps + (Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3). + File: global/mail_params.h. + +20080509 + + Bugfix: null-terminate CN comment string after sanitization. + File: smtpd/smtpd.c. + +20080603 + + Workaround: avoid "bad address pattern" errors with non-address + patterns in namadr_list_match() calls. File: util/match_ops.c. + +20080804 + + Bugfix: dangling pointer in vstring_sprintf_prepend(). + File: util/vstring.c. + +20080814 + + Security: some systems have changed their link() semantics, + and will hardlink a symlink, contrary to POSIX and XPG4. + Sebastian Krahmer, SuSE. File: util/safe_open.c. + + The solution introduces the following incompatible change: + when the target of mail delivery is a symlink, the parent + directory of that symlink must now be writable by root only + (in addition to the already existing requirement that the + symlink itself is owned by root). This change will break + legitimate configurations that deliver mail to a symbolic + link in a directory with less restrictive permissions. + diff --git a/postfix/src/bounce/bounce_template.c b/postfix/src/bounce/bounce_template.c index 23f16b0a3..36384a6f1 100644 --- a/postfix/src/bounce/bounce_template.c +++ b/postfix/src/bounce/bounce_template.c @@ -343,7 +343,7 @@ static void bounce_template_parse_buffer(BOUNCE_TEMPLATE *tp) * Is this 7bit or 8bit text? If the character set is US-ASCII, then * don't allow 8bit text. Don't assume 8bit when charset was changed. */ -#define NON_ASCII(p) (*(p) && !allascii((p))) +#define NON_ASCII(p) ((p) && *(p) && !allascii((p))) if (NON_ASCII(cp) || NON_ASCII(tval)) { if (strcasecmp(tp->mime_charset, "us-ascii") == 0) { diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 2785921c1..c6369e839 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -2001,7 +2001,11 @@ extern int var_local_rcpt_code; " $" VAR_RCPT_CANON_MAPS \ " $" VAR_RELOCATED_MAPS \ " $" VAR_TRANSPORT_MAPS \ - " $" VAR_MYNETWORKS + " $" VAR_MYNETWORKS \ + " $" VAR_SEND_BCC_MAPS \ + " $" VAR_RCPT_BCC_MAPS \ + " $" VAR_SMTP_GENERIC_MAPS \ + " $" VAR_LMTP_GENERIC_MAPS extern char *var_proxy_read_maps; /* diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ae94ab9ee..4306d622e 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20080131" -#define MAIL_VERSION_NUMBER "2.4.7" +#define MAIL_RELEASE_DATE "20080814" +#define MAIL_VERSION_NUMBER "2.4.8" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 6a4aa1bec..8bb0a5952 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -2426,6 +2426,7 @@ static void comment_sanitize(VSTRING *comment_string) } while (pc-- > 0) VSTRING_ADDCH(comment_string, ')'); + VSTRING_TERMINATE(comment_string); } /* data_cmd - process DATA command */ diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 92191437e..be7f6a346 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -4277,7 +4277,9 @@ static int check_recipient_rcpt_maps(SMTPD_STATE *state, const char *recipient) return (0); if (state->recipient_rcptmap_checked == 1) return (0); - state->recipient_rcptmap_checked = 1; + if (state->warn_if_reject == 0) + /* We really validate the recipient address. */ + state->recipient_rcptmap_checked = 1; return (check_rcpt_maps(state, recipient, SMTPD_NAME_RECIPIENT)); } diff --git a/postfix/src/util/match_ops.c b/postfix/src/util/match_ops.c index 41c069394..5832266b1 100644 --- a/postfix/src/util/match_ops.c +++ b/postfix/src/util/match_ops.c @@ -234,12 +234,20 @@ int match_hostaddr(int unused_flags, const char *addr, const char *pattern) * Postfix; if not, then Postfix has no business dealing with IPv4 * addresses anyway. * - * - Don't bother if the pattern is a bare IPv4 address. That form would - * have been matched with the strcasecmp() call above. + * - Don't bother unless the pattern is either an IPv6 address or net/mask. * - * - Don't bother if the pattern isn't an address or address/mask. + * We can safely skip IPv4 address patterns because their form is + * unambiguous and they did not match in the strcasecmp() calls above. + * + * XXX We MUST skip (parent) domain names, which may appear in NAMADR_LIST + * input, to avoid triggering false cidr_match_parse() errors. + * + * The last two conditions below are for backwards compatibility with + * earlier Postfix versions: don't abort with fatal errors on junk that + * was silently ignored (principle of least astonishment). */ if (!strchr(addr, ':') != !strchr(pattern, ':') + || pattern[strcspn(pattern, ":/")] == 0 || pattern[strspn(pattern, V4_ADDR_STRING_CHARS)] == 0 || pattern[strspn(pattern, V6_ADDR_STRING_CHARS "[]/")] != 0) return (0); diff --git a/postfix/src/util/safe_open.c b/postfix/src/util/safe_open.c index c825493ca..9cf5d0263 100644 --- a/postfix/src/util/safe_open.c +++ b/postfix/src/util/safe_open.c @@ -83,6 +83,7 @@ #include #include #include +#include #include /* safe_open_exist - open existing file */ @@ -138,13 +139,29 @@ static VSTREAM *safe_open_exist(const char *path, int flags, * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks * owned by a non-root user. This would open a security hole when * delivering mail to a world-writable mailbox directory. + * + * Sebastian Krahmer of SuSE brought to my attention that some systems have + * changed their semantics of link(symlink, newpath), such that the + * result is a hardlink to the symlink. For this reason, we now also + * require that the symlink's parent directory is writable only by root. */ else if (lstat(path, &lstat_st) < 0) { vstring_sprintf(why, "file status changed unexpectedly: %m"); errno = EPERM; } else if (S_ISLNK(lstat_st.st_mode)) { - if (lstat_st.st_uid == 0) - return (fp); + if (lstat_st.st_uid == 0) { + VSTRING *parent_buf = vstring_alloc(100); + const char *parent_path = sane_dirname(parent_buf, path); + struct stat parent_st; + int parent_ok; + + parent_ok = (stat(parent_path, &parent_st) == 0 /* not lstat */ + && parent_st.st_uid == 0 + && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0); + vstring_free(parent_buf); + if (parent_ok) + return (fp); + } vstring_sprintf(why, "file is a symbolic link"); errno = EPERM; } else if (fstat_st->st_dev != lstat_st.st_dev diff --git a/postfix/src/util/vstring.c b/postfix/src/util/vstring.c index df65a69bc..2a3234397 100644 --- a/postfix/src/util/vstring.c +++ b/postfix/src/util/vstring.c @@ -624,6 +624,7 @@ VSTRING *vstring_sprintf_prepend(VSTRING *vp, const char *format,...) result_len = VSTRING_LEN(vp); /* Construct: old|new|old|free */ + VSTRING_SPACE(vp, old_len); vstring_memcat(vp, vstring_str(vp), old_len); /* Construct: new|old|free */