[hcoop/debian/exim4.git] / debian / patches / 84_11-CVE-2020-28015-28021-New-line-injection-into-spool-h.patch

From ac8f49ef90e768a63ed3dca50e2b2c6e8d333bfd Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 21:26:53 -0800
Subject: [PATCH 11/29] CVE-2020-28015+28021: New-line injection into spool
 header file

---
 src/spool_out.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/spool_out.c b/src/spool_out.c
index d55895202..9394393d5 100644
--- a/src/spool_out.c
+++ b/src/spool_out.c
@@ -108,6 +108,18 @@ return fd;
 *          Write the header spool file           *
 *************************************************/
 
+static const uschar *
+zap_newlines(const uschar *s)
+{
+uschar *z, *p;
+
+if (Ustrchr(s, '\n') == NULL) return s;
+
+p = z = string_copy(s);
+while ((p = Ustrchr(p, '\n')) != NULL) *p++ = ' ';
+return z;
+}
+
 /* Returns the size of the file for success; zero for failure. The file is
 written under a temporary name, and then renamed. It's done this way so that it
 works with re-writing the file on message deferral as well as for the initial
@@ -210,7 +222,7 @@ if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount);
 if (authenticated_id)
   fprintf(fp, "-auth_id %s\n", authenticated_id);
 if (authenticated_sender)
-  fprintf(fp, "-auth_sender %s\n", authenticated_sender);
+  fprintf(fp, "-auth_sender %s\n", zap_newlines(authenticated_sender));
 
 if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n");
 if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n");
@@ -283,19 +295,20 @@ fprintf(fp, "%d\n", recipients_count);
 for (i = 0; i < recipients_count; i++)
   {
   recipient_item *r = recipients_list + i;
+  const uschar *address = zap_newlines(r->address);
 
   DEBUG(D_deliver) debug_printf("DSN: Flags :%d\n", r->dsn_flags);
 
   if (r->pno < 0 && r->errors_to == NULL && r->dsn_flags == 0)
-    fprintf(fp, "%s\n", r->address);
+    fprintf(fp, "%s\n", address);
   else
     {
-    uschar * errors_to = r->errors_to ? r->errors_to : US"";
+    const uschar * errors_to = r->errors_to ? zap_newlines(r->errors_to) : US"";
     /* for DSN SUPPORT extend exim 4 spool in a compatible way by
     adding new values upfront and add flag 0x02 */
     uschar * orcpt = r->orcpt ? r->orcpt : US"";
 
-    fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt),
+    fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", address, orcpt, Ustrlen(orcpt),
       r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno);
     }
 
-- 
2.30.2
Commit	Line	Data
0c0c20aa AM	1	From ac8f49ef90e768a63ed3dca50e2b2c6e8d333bfd Mon Sep 17 00:00:00 2001
	2	From: Qualys Security Advisory <qsa@qualys.com>
	3	Date: Sun, 21 Feb 2021 21:26:53 -0800
	4	Subject: [PATCH 11/29] CVE-2020-28015+28021: New-line injection into spool
	5	header file
	6
	7	---
	8	src/spool_out.c \| 21 +++++++++++++++++----
	9	1 file changed, 17 insertions(+), 4 deletions(-)
	10
	11	diff --git a/src/spool_out.c b/src/spool_out.c
	12	index d55895202..9394393d5 100644
	13	--- a/src/spool_out.c
	14	+++ b/src/spool_out.c
	15	@@ -108,6 +108,18 @@ return fd;
	16	* Write the header spool file *
	17	*************************************************/
	18
	19	+static const uschar *
	20	+zap_newlines(const uschar *s)
	21	+{
	22	+uschar z, p;
	23	+
	24	+if (Ustrchr(s, '\n') == NULL) return s;
	25	+
	26	+p = z = string_copy(s);
	27	+while ((p = Ustrchr(p, '\n')) != NULL) *p++ = ' ';
	28	+return z;
	29	+}
	30	+
	31	/* Returns the size of the file for success; zero for failure. The file is
	32	written under a temporary name, and then renamed. It's done this way so that it
	33	works with re-writing the file on message deferral as well as for the initial
	34	@@ -210,7 +222,7 @@ if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount);
	35	if (authenticated_id)
	36	fprintf(fp, "-auth_id %s\n", authenticated_id);
	37	if (authenticated_sender)
	38	- fprintf(fp, "-auth_sender %s\n", authenticated_sender);
	39	+ fprintf(fp, "-auth_sender %s\n", zap_newlines(authenticated_sender));
	40
	41	if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n");
	42	if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n");
	43	@@ -283,19 +295,20 @@ fprintf(fp, "%d\n", recipients_count);
	44	for (i = 0; i < recipients_count; i++)
	45	{
	46	recipient_item *r = recipients_list + i;
	47	+ const uschar *address = zap_newlines(r->address);
	48
	49	DEBUG(D_deliver) debug_printf("DSN: Flags :%d\n", r->dsn_flags);
	50
	51	if (r->pno < 0 && r->errors_to == NULL && r->dsn_flags == 0)
	52	- fprintf(fp, "%s\n", r->address);
	53	+ fprintf(fp, "%s\n", address);
	54	else
	55	{
	56	- uschar * errors_to = r->errors_to ? r->errors_to : US"";
	57	+ const uschar * errors_to = r->errors_to ? zap_newlines(r->errors_to) : US"";
	58	/* for DSN SUPPORT extend exim 4 spool in a compatible way by
	59	adding new values upfront and add flag 0x02 */
	60	uschar * orcpt = r->orcpt ? r->orcpt : US"";
	61
	62	- fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt),
	63	+ fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", address, orcpt, Ustrlen(orcpt),
	64	r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno);
65	}
66
67	--
68	2.30.2
69