Merge branch 'debian' debian/4.89-2+deb9u4_hcoop10
authorClinton Ebadi <clinton@unknownlamer.org>
Thu, 6 Jun 2019 23:36:26 +0000 (19:36 -0400)
committerClinton Ebadi <clinton@unknownlamer.org>
Thu, 6 Jun 2019 23:36:26 +0000 (19:36 -0400)
New upstream security release

debian/changelog
debian/patches/83_qsa-2019-exim4.patch [new file with mode: 0644]
debian/patches/series

index 6283985..1e88816 100644 (file)
@@ -1,8 +1,15 @@
-exim4 (4.89-2+deb9u4~hcoop9+1) unstable; urgency=medium
+exim4 (4.89-2+deb9u4~hcoop10) unstable; urgency=medium
 
-  * Rebuild on exim 4.89
+  * Rebuild on 4.89-2+deb9u4
 
- -- Clinton Ebadi <clinton@unknownlamer.org>  Sun, 22 Apr 2018 01:14:38 -0400
+ -- Clinton Ebadi <clinton@unknownlamer.org>  Thu, 06 Jun 2019 19:35:28 -0400
+
+exim4 (4.89-2+deb9u4) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix remote command execution vulnerability (CVE-2019-10149)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 28 May 2019 22:13:55 +0200
 
 exim4 (4.89-2+deb9u3) stretch-security; urgency=high
 
diff --git a/debian/patches/83_qsa-2019-exim4.patch b/debian/patches/83_qsa-2019-exim4.patch
new file mode 100644 (file)
index 0000000..c840d5e
--- /dev/null
@@ -0,0 +1,45 @@
+From d740d2111f189760593a303124ff6b9b1f83453d Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Mon, 27 May 2019 21:57:31 +0100
+Subject: [PATCH] Fix CVE-2019-10149
+
+---
+diff --git a/src/deliver.c b/src/deliver.c
+index 59256ac2c..45cc0723f 100644
+--- a/src/deliver.c
++++ b/src/deliver.c
+@@ -6227,17 +6227,23 @@ if (process_recipients != RECIP_IGNORE)
+       {
+       uschar * save_local =  deliver_localpart;
+       const uschar * save_domain = deliver_domain;
++      uschar * addr = new->address, * errmsg = NULL;
++      int start, end, dom;
+-      deliver_localpart = expand_string(
+-                    string_sprintf("${local_part:%s}", new->address));
+-      deliver_domain =    expand_string(
+-                    string_sprintf("${domain:%s}", new->address));
++      if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
++        log_write(0, LOG_MAIN|LOG_PANIC,
++                "failed to parse address '%.100s': %s\n", addr, errmsg);
++      else
++        {
++        deliver_localpart =
++          string_copyn(addr+start, dom ? (dom-1) - start : end - start);
++        deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
+-      (void) event_raise(event_action,
+-                    US"msg:fail:internal", new->message);
++        event_raise(event_action, US"msg:fail:internal", new->message);
+-      deliver_localpart = save_local;
+-      deliver_domain =    save_domain;
++        deliver_localpart = save_local;
++        deliver_domain = save_domain;
++        }
+       }
+ #endif
+       }
+-- 
+2.20.1
+
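Review bot: The failure branch of the new parse_extract_address() check (the log_write at `failed to parse address`) skips the event entirely, so a recipient whose address cannot be parsed now silently loses the `msg:fail:internal` event that the replaced code raised unconditionally; if that is intentional it deserves a comment on the log_write, otherwise move `event_raise(event_action, US"msg:fail:internal", new->message);` and the two `save_local`/`save_domain` restores out of the `else` block so the event still fires with the caller's values. Taking the recipient address out of expand_string() is the right shape for this fix, since that address is attacker-controlled and was previously expanded verbatim. The `(void)` cast on event_raise was dropped in the rewrite, which is a style inconsistency with the line it replaces rather than a bug. The inner hunk header claims 17 old / 23 new lines but only 14 / 20 are visible here, which looks like blank context lines lost in this rendering rather than a defect in the patch, though it is worth confirming the file in the repository applies cleanly. The enclosing function starts and ends outside the hunk.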
index 3e0491e..8a20906 100644 (file)
@@ -14,3 +14,4 @@
 80_Avoid-release-of-store-if-there-have-been-later-allo.patch
 81_Chunking-do-not-treat-the-first-lonely-dot-special.-.patch
 82_Fix-base64d-buffer-size-CVE-2018-6789.patch
+83_qsa-2019-exim4.patch