1 From 09720dd9506176294154dad7152f5f40554046a4 Mon Sep 17 00:00:00 2001
2 From: Jeremy Harris <jgh146exb@wizmail.org>
3 Date: Thu, 14 Mar 2019 12:26:34 +0000
4 Subject: [PATCH 3/5] Fix crash from SRV lookup hitting a CNAME
5
6 (cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026)
7 ---
8 doc/ChangeLog | 4 ++++
9 src/dns.c | 10 +++++++---
10 2 files changed, 11 insertions(+), 3 deletions(-)
11
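diff --git a/doc/ChangeLog b/doc/ChangeLog
index 419c1061..0f8d05b2 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -19,10 +19,14 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
 suitably configured).
 
 JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
 and/or domain. Found and fixed by Jason Betts.
 
+JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
+ configuration). If a CNAME target was not a wellformed name pattern, a
+ crash could result.
+
 
 Exim version 4.92
 -----------------
 
 JH/01 Remove code calling the customisable local_scan function, unless a new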
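diff --git a/src/dns.c b/src/dns.c
index 0f0b435d..b7978c52 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -714,11 +714,15 @@ regex has substrings that are used - the default uses a conditional.
 This test is omitted for PTR records. These occur only in calls from the dnsdb
 lookup, which constructs the names itself, so they should be OK. Besides,
 bitstring labels don't conform to normal name syntax. (But the aren't used any
 more.)
 
-For SRV records, we omit the initial _smtp._tcp. components at the start. */
+For SRV records, we omit the initial _smtp._tcp. components at the start.
+The check has been seen to bite on the destination of a SRV lookup that
+initiall hit a CNAME, for which the next name had only two components.
+RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
+article on SRV says they are not a valid configuration. */
 
 #ifndef STAND_ALONE /* Omit this for stand-alone tests */
 
 if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
 {
@@ -730,12 +734,12 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
 /* For an SRV lookup, skip over the first two components (the service and
 protocol names, which both start with an underscore). */
 
 if (type == T_SRV || type == T_TLSA)
 {
- while (*checkname++ != '.');
- while (*checkname++ != '.');
+ while (*checkname && *checkname++ != '.') ;
+ while (*checkname && *checkname++ != '.') ;
 }
 
 if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
 0, PCRE_EOPT, ovector, nelem(ovector)) < 0)
 {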
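Review bot: The two skip loops in the `T_SRV`/`T_TLSA` branch now stop at the terminating NUL, but they still skip two labels without checking that each one starts with an underscore, which the comment directly above them assumes. Going by the new comment in the first hunk, the name checked here can be a CNAME target taken from a DNS response, so its first two labels would never be tested against `check_dns_names_pattern`, and a name with fewer than two dots leaves `checkname` on the NUL so that an empty string is what reaches `pcre_exec`. Consider guarding each skip, e.g. `if (*checkname == '_') while (*checkname && *checkname++ != '.') ;`, so that a name lacking the service/protocol prefix is validated in full. The enclosing function starts and ends outside the hunk, so what happens when the match fails is not visible here.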
67 --
68 2.20.1
69