diff options
author | V3n3RiX <venerix@koprulu.sector> | 2024-08-21 12:26:06 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2024-08-21 12:26:06 +0100 |
commit | bad9bf87b08d293eb79ebe14d1882e77da2b0ced (patch) | |
tree | 2e95088a05ca299b8369979d4b47f0f846657be7 /mail-mta/exim | |
parent | c431a44e3cfa102e5ef2c9d6bbac48e28c9b15cb (diff) |
gentoo auto-resync : 21:08:2024 - 12:26:06
Diffstat (limited to 'mail-mta/exim')
-rw-r--r-- | mail-mta/exim/Manifest | 3 | ||||
-rw-r--r-- | mail-mta/exim/exim-4.97.1-r6.ebuild | 637 | ||||
-rw-r--r-- | mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part1.patch | 111 | ||||
-rw-r--r-- | mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part2.patch | 247 |
4 files changed, 998 insertions, 0 deletions
diff --git a/mail-mta/exim/Manifest b/mail-mta/exim/Manifest index 4e61a86453e8..e754c0253ff1 100644 --- a/mail-mta/exim/Manifest +++ b/mail-mta/exim/Manifest @@ -8,6 +8,8 @@ AUX exim-4.94-maildir.patch 316 BLAKE2B fe0b27712e77eba83244434c33372cec47fa3170 AUX exim-4.97-as-needed-ldflags.patch 6032 BLAKE2B ba3e78e49435581eba3fa238c4e660acf9e4bc91c47110f6932675eb0c33568c03ee00a91cef6de93f5acb4611ad6ac1bf465a90f4bc055ac2528d77b588822c SHA512 b7f1e84e3c788d1a9c56339c5dc7eb14eff39b8efaf90d32fd66ddd589f60d4bfab5f36cae51cb84646c1f0b0f7523e56d6a898116b72dc108e89f33d8919333 AUX exim-4.97-localscan_dlopen.patch 6429 BLAKE2B 166c44c93730ef4a0cecd9c8cc556ce2c53dcc21d85b2cb7663fc01d445eab3ecba20f3525b1206238e2b6508a58fe79c72ad86c1722b7c4e1164a6bf9534d6d SHA512 f1d29829f4d7159227476bed377a01a4db6d9aad021bda476d9c1ad1dc4fe7a621260a9e1e4ff9b2686c46575a553a96af7f75f625cb99a5941aa4562f01646a AUX exim-4.97-no-exim_id_update.patch 402 BLAKE2B 0c2f7ec1fe995f8ee58c6907e149367082c5ce837d1508b9e61f10681825fdcc78a52316184629aa6a80021fbfa21aa0ee90eee6b8fae5a1b05efb77337dd2c5 SHA512 07c062f042176b108444b9a163a309b3186fc19f2953dbb7ad066874189417684b0934fe1300933d04231cc59eeeacfb22ad42b0f328212585908c2e9eae5a8b +AUX exim-4.97.1-CVE-2024-39929-part1.patch 3624 BLAKE2B c58d8d2ed56acf36d851ff8cc17569aa01da3d71582f6813f43d397a7333381b7cd6acfa6923111e403ff71413a3c8d11ea1df48f8a846fcea9b0479103008cc SHA512 0d1a4080d657895153e32111fea33daee1efb2a79d1699310135fd0a25935695b016ed55e7889583170b058c072e251833057d4bbdb59a032dbb8491b8c24b8c +AUX exim-4.97.1-CVE-2024-39929-part2.patch 7476 BLAKE2B 14a7b0e5711307cab2e19b1325162503b8e9167cc527f520d4fe395d6582a0bb8f80c058c3502487bde0414d14ae0e7fbebab5d3e471e4764679de12ad0c9600 SHA512 123bf547ee2f09f0c97f01c64c6452103eb972daf2c364b475b5d841b9d972551f03550f7dfedd8340ffd4cc3f4b6e077f04a9ea87c89d1cc3cca330249ded33 AUX exim-4.97.1-memory-usage-bug-3047.patch 8680 BLAKE2B 6c027bebf5d2499d92cf442d3d1beaade645f59b3b6ed4e0f20db763a8697d4f77cbe2d727136df18486a9374f2c46754fa8f89da6361cb1b42812034ac0de7c SHA512 0397318fdc9de3bc9707fad84b6c5c3fec23e5c3d211d090412a907855b74013d6dde1193d590b2162e72167156c8816e9649e18081feba3061431555d6f69c6 AUX exim-submission.socket 161 BLAKE2B 409a5a687897af369a6a2ff0c30564096cc6b308dbc5d0afb6742df44d2aa972e45bad9681d2cb72be9731b260d23fdadb80bae644e7b875af5e34e9c8b8b40f SHA512 4a233761793e3510e9efa5aad3a6098c41b757f13133a7ea825680f2b393aba8d7935f16bf1dd065dde884fe7ba45639a8d398333a7d9bf0a6b72f88c8f2a09d AUX exim-submission_at.service 360 BLAKE2B 9ebcac1ab0f01a8264141843a4e711d77f634bdd910406bd466a0c197fdad8a9ff4bc31b9b28ef73c810aaff3e549eb60c0a2546507910dfc800da154eb1da00 SHA512 dc28698f15e8eaa4614ae81fc8cb76d92fed1110ce02f7a6ee8feace418dbb194711eb2d4dd444cf818628c11721e21d80b7b974879ab6ddd78cc717cce17c2f @@ -21,5 +23,6 @@ DIST exim-4.97.1.tar.xz 1919308 BLAKE2B ea41bf851185c7330e648c7757f2bf0b0aea3133 DIST exim-pdf-4.97.1.tar.xz 2139688 BLAKE2B baadbb6ca7b88b11ea88f6b5ce0c96d9d713a1f5b358e4dfb52647ccc2bb1a9a6f74e75341839a8ee7df327f2f5645dbf223e4e5923631b02aa53a777701b436 SHA512 6aa733b1d48b6237f458939ff53e484e702f47a0c10ba781ba101db404d39667bd2ddc876af4f597deda1991e534d5b8b874c549e6a86b5325ebd624a6713183 DIST system_filter.exim.gz 3075 BLAKE2B d05e872b5cef377d29126cda03fc0a74c8777b2119b76ff43da6e8de808035eb9bfcb034a85d81824f135d484e864bfc0629fc1af2c228a7277d5ee7cf9cde79 SHA512 cb358d3ce2499a0bb5920d962a06f2af8486e55ec90c8c928bd8e3aefb279aa57f5f960d5adfcef68bd94110b405eaa144e9629cfe6014a529c79c544600bbf3 EBUILD exim-4.97.1-r5.ebuild 15407 BLAKE2B b20ad346a0d6bfebe2bef714e9f014f37249450bf956d0b567dd17d87335d4b041e56015506c87750b9e0a50d126b6e869738ea153c6bdc098dbaa0118426f69 SHA512 539b05912913422a629e70b6f301eeedd922dd8dc89af8836b327455693a0160658914292ab694157f8f9ead17ed97e68b507cb0e9064b47ed0af0de5a6f1878 +EBUILD exim-4.97.1-r6.ebuild 15543 BLAKE2B 0b7de20037c65afd4c14b31cbe3e62e2837985907f178ab92d82af3897cb576f1b61a537e15c129058fd1669c9c905b799216f57e4ae001a881429f5a19af9de SHA512 467b5af1bd0562d73dda8563dd60e2f03c09dd7e08b6822668d6bab6cd01f9d7a272a1738cb4b1a294396c4c830931a5934ae3e066de5332e7b9a14629eb1cea EBUILD exim-4.97.1.ebuild 15332 BLAKE2B b3a3e571a09f421f15b6d4b4e7b0cb1158392b6108e9c6c04b9736f4e8cf71d469a8e750a45673334bbc2f55bc8049f3374d043df55b6a09c7f0a4ef34d131e5 SHA512 180f59ccac10d630fcb36d58183236ad6959d185f1eb3044ab8110679aa10a25266285a02ce69f43b9a79820c30a4815c7f181b1d56a28ce319917d4af2740e5 MISC metadata.xml 2488 BLAKE2B 2b6eee3c45210da4bb79ed1a01801cabbdf2be353652602b60cb7c512426197eb14defb2382dd71bcbf0101685a8e5d2f58d52fbee402894f2d86e51329d2165 SHA512 1b3f9fe9cbff738595101b32179f5c8230b5afefcce5266e06db97a3a07a73ad842f0a8be44f421a71e120cdff11e262ba1893f1c7117a0a4c42cf5f37a44d7b diff --git a/mail-mta/exim/exim-4.97.1-r6.ebuild b/mail-mta/exim/exim-4.97.1-r6.ebuild new file mode 100644 index 000000000000..fbc02d2e7b6f --- /dev/null +++ b/mail-mta/exim/exim-4.97.1-r6.ebuild @@ -0,0 +1,637 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +inherit db-use flag-o-matic toolchain-funcs pam systemd + +IUSE="arc berkdb +dane dcc +dkim dlfunc dmarc +dnsdb doc dovecot-sasl +dsn gdbm gnutls idn ipv6 ldap lmtp maildir mbx +mysql nis pam perl pkcs11 postgres +prdr proxy radius redis sasl selinux +socks5 spf sqlite srs +ssl syslog tdb tcpd +tpda X" +REQUIRED_USE=" + arc? ( dkim spf ) + dane? ( ssl !gnutls ) + !dane? ( ssl? ( gnutls ) ) + dmarc? ( dkim spf ) + dkim? ( ssl !gnutls ) + gnutls? ( ssl ) + pkcs11? ( ssl ) + || ( berkdb gdbm tdb ) +" +# NOTE on USE="gnutls dane", gnutls[dane] is masked in base, unmasked +# for x86 and amd64 only (probably due to unbound dep) +# Exim supports it but we cannot express the dep USE=dane when +# USE=gnutls is in effect only in package.use.mask, the only option we +# have left is to a) ignore the dependency (but that results in bug +# #661164) or b) mask the usage of USE=dane with USE=gnutls. Both are +# incorrect, but b) is the only "correct" view from dep-pointofview. +# Bug #925108 showed that DANE is basically non-optional with OpenSSL, +# so we make -dane mandatory to use gnutls. Bleh. +# We cannot express a required use for berkdb/gdbm/tdb correctly because +# berkdb and gdbm are both enabled in base profile + +SDIR=$([[ ${PV} == *_rc* ]] && echo /test + [[ ${PV} == *.*.*.* ]] && echo /fixes) +COMM_URI="https://downloads.exim.org/exim4${SDIR}" + +GPV="r0" +DESCRIPTION="A highly configurable, drop-in replacement for sendmail" +SRC_URI="${COMM_URI}/${P//_rc/-RC}.tar.xz + mirror://gentoo/system_filter.exim.gz + doc? ( ${COMM_URI}/${PN}-pdf-${PV//_rc/-RC}.tar.xz )" +HOMEPAGE="https://www.exim.org/" + +SLOT="0" +LICENSE="GPL-2" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86" + +COMMON_DEPEND=">=sys-apps/sed-4.0.5 + dev-libs/libpcre2:= + tdb? ( sys-libs/tdb:= ) + !tdb? ( berkdb? ( >=sys-libs/db-3.2:= <sys-libs/db-6:= ) ) + !tdb? ( !berkdb? ( sys-libs/gdbm:= ) ) + idn? ( net-dns/libidn:= net-dns/libidn2:= ) + perl? ( dev-lang/perl:= ) + pam? ( sys-libs/pam ) + tcpd? ( sys-apps/tcp-wrappers ) + ssl? ( + gnutls? ( + net-libs/gnutls:0=[pkcs11?] + dev-libs/libtasn1 + ) + !gnutls? ( + dev-libs/openssl:0= + ) + ) + ldap? ( >=net-nds/openldap-2.0.7:= ) + elibc_glibc? ( + net-libs/libnsl:= + nis? ( + net-libs/libtirpc:= + >=net-libs/libnsl-1:= + ) + ) + mysql? ( dev-db/mysql-connector-c:= ) + postgres? ( dev-db/postgresql:= ) + sasl? ( >=dev-libs/cyrus-sasl-2.1.26-r2 ) + redis? ( dev-libs/hiredis:= ) + spf? ( >=mail-filter/libspf2-1.2.5-r1 ) + dmarc? ( mail-filter/opendmarc:= ) + X? ( + x11-libs/libX11 + x11-libs/libXmu + x11-libs/libXt + x11-libs/libXaw + ) + sqlite? ( dev-db/sqlite ) + radius? ( net-dialup/freeradius-client ) + virtual/libcrypt:= + virtual/libiconv + " + # added X check for #57206 +BDEPEND="virtual/pkgconfig" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND} + !mail-mta/courier + !mail-mta/esmtp + !mail-mta/msmtp[mta] + !mail-mta/netqmail + !mail-mta/nullmailer + !mail-mta/postfix + !mail-mta/sendmail + !mail-mta/opensmtpd + !mail-mta/ssmtp[mta] + >=net-mail/mailbase-0.00-r5 + virtual/logger + dcc? ( mail-filter/dcc ) + selinux? ( sec-policy/selinux-exim ) + " + +S=${WORKDIR}/${P//_rc/-RC} + +src_prepare() { + # Legacy patches which need a respin for -p1 + eapply -p0 "${FILESDIR}"/exim-4.14-tail.patch + eapply -p0 "${FILESDIR}"/exim-4.74-radius-db-ENV-clash.patch # 287426 + eapply "${FILESDIR}"/exim-4.97-as-needed-ldflags.patch # 352265, 391279 + eapply -p0 "${FILESDIR}"/exim-4.76-crosscompile.patch # 266591 + eapply "${FILESDIR}"/exim-4.69-r1.27021.patch + eapply "${FILESDIR}"/exim-4.97-localscan_dlopen.patch + eapply "${FILESDIR}"/exim-4.97-no-exim_id_update.patch + eapply "${FILESDIR}"/exim-4.97.1-memory-usage-bug-3047.patch # 922780 + + eapply -p2 "${FILESDIR}"/exim-4.97.1-CVE-2024-39929-part1.patch + eapply -p2 "${FILESDIR}"/exim-4.97.1-CVE-2024-39929-part2.patch + + # oddity, they disable berkdb as hack, and then throw an error when + # berkdb isn't enabled + sed -i \ + -e 's/_DB_/_DONTMESS_/' \ + -e 's/define DB void/define DONTMESS void/' \ + src/auths/call_radius.c || die + + if use maildir ; then + eapply "${FILESDIR}"/exim-4.94-maildir.patch + else + eapply -p0 "${FILESDIR}"/exim-4.80-spool-mail-group.patch # 438606 + fi + + eapply_user + + # user Exim believes it should be + MAILUSER=mail + MAILGROUP=mail + if use prefix && [[ ${EUID} != 0 ]] ; then + MAILUSER=$(id -un) + MAILGROUP=$(id -gn) + fi +} + +src_configure() { + # general config and paths + + local aliases="${EPREFIX}/etc/mail/aliases" + sed -i \ + -e "/SYSTEM_ALIASES_FILE/s'SYSTEM_ALIASES_FILE'${aliases}'" \ + src/configure.default || die + + sed -i -e 's/^buildname=.*/buildname=exim-gentoo/' Makefile || die + + if use elibc_musl; then + sed -i -e 's/^LIBS = -lnsl/LIBS =/g' OS/Makefile-Linux || die + append-cflags -DNO_EXECINFO + fi + + local conffile="${EPREFIX}/etc/exim/exim.conf" + sed -e "48i\CFLAGS=${CFLAGS}" \ + -e "s:BIN_DIRECTORY=/usr/exim/bin:BIN_DIRECTORY=${EPREFIX}/usr/sbin:" \ + -e "s;EXIM_USER=;EXIM_USER=ref:${MAILUSER};" \ + -e "s:CONFIGURE_FILE=.*$:CONFIGURE_FILE=${conffile}:" \ + -e "s:ZCAT_COMMAND=.*$:ZCAT_COMMAND=${EPREFIX}/bin/zcat:" \ + -e "s:COMPRESS_COMMAND=.*$:COMPRESS_COMMAND=${EPREFIX}/bin/gzip:" \ + src/EDITME > Local/Makefile || die + + # work on Local/Makefile from now on + cd Local + + cat >> Makefile <<- EOC + INFO_DIRECTORY=${EPREFIX}/usr/share/info + PID_FILE_PATH=${EPREFIX}/run/exim.pid + SPOOL_DIRECTORY=${EPREFIX}/var/spool/exim + HAVE_ICONV=yes + WITH_CONTENT_SCAN=yes + EOC + + # configure db implementation, Exim always needs one for its hints + # database, we prefer tdb and gdbm, since bdb is kind of getting + # less and less support + if use tdb ; then + cat >> Makefile <<- EOC + USE_TDB=yes + DBMLIB = -ltdb + EOC + sed -i -e 's:^USE_DB=yes:# USE_DB=yes:' Makefile || die + sed -i -e 's:^USE_GDBM=yes:# USE_GDBM=yes:' Makefile || die + elif use gdbm ; then + cat >> Makefile <<- EOC + USE_GDBM=yes + DBMLIB = -lgdbm + EOC + sed -i -e 's:^USE_DB=yes:# USE_DB=yes:' Makefile || die + sed -i -e 's:^USE_TDB=yes:# USE_TDB=yes:' Makefile || die + else # must be berkdb via required_use + # use the "native" interfaces to the DBM and CDB libraries, support + # passwd and directory lookups by default + local DB_VERS="5.3 5.1 4.8 4.7 4.6 4.5 4.4 4.3 4.2 3.2" + cat >> Makefile <<- EOC + USE_DB=yes + # keep include in CFLAGS because exim.h -> dbstuff.h -> db.h + CFLAGS += -I$(db_includedir ${DB_VERS}) + DBMLIB = -l$(db_libname ${DB_VERS}) + EOC + sed -i -e 's:^USE_GDBM=yes:# USE_GDBM=yes:' Makefile || die + sed -i -e 's:^USE_TDB=yes:# USE_TDB=yes:' Makefile || die + fi + + # if we use libiconv, now is the time to tell so + if use !elibc_glibc && use !elibc_musl ; then + cat >> Makefile <<- EOC + EXTRALIBS_EXIM=-liconv + EOC + fi + + # support for IPv6 + if use ipv6; then + cat >> Makefile <<- EOC + HAVE_IPV6=YES + EOC + fi + + # support i18n/IDNA + if use idn; then + cat >> Makefile <<- EOC + SUPPORT_I18N=yes + SUPPORT_I18N_2008=yes + EXTRALIBS_EXIM += -lidn -lidn2 + EOC + fi + + # + # mail storage formats + # + + # mailstore is Exim's traditional storage format + cat >> Makefile <<- EOC + SUPPORT_MAILSTORE=yes + EOC + + # mbox + if use mbx; then + cat >> Makefile <<- EOC + SUPPORT_MBX=yes + EOC + fi + + # maildir + if use maildir; then + cat >> Makefile <<- EOC + SUPPORT_MAILDIR=yes + EOC + fi + + # + # lookup methods + # + + # support passwd and directory lookups by default + cat >> Makefile <<- EOC + LOOKUP_CDB=yes + LOOKUP_PASSWD=yes + LOOKUP_DSEARCH=yes + EOC + + if ! use dnsdb; then + # DNSDB lookup is enabled by default + sed -i -e 's:^LOOKUP_DNSDB=yes:# LOOKUP_DNSDB=yes:' Makefile || die + fi + + if use ldap; then + cat >> Makefile <<- EOC + LOOKUP_LDAP=yes + LDAP_LIB_TYPE=OPENLDAP2 + LOOKUP_INCLUDE += -I"${EPREFIX}"/usr/include/ldap + LOOKUP_LIBS += -lldap -llber + EOC + fi + + if use mysql; then + cat >> Makefile <<- EOC + LOOKUP_MYSQL=yes + LOOKUP_INCLUDE += $(mysql_config --include) + LOOKUP_LIBS += $(mysql_config --libs) + EOC + fi + + if use nis; then + cat >> Makefile <<- EOC + LOOKUP_NIS=yes + LOOKUP_NISPLUS=yes + EOC + if use elibc_glibc ; then + cat >> Makefile <<- EOC + LOOKUP_INCLUDE += -I"${EPREFIX}"/usr/include/tirpc + LOOKUP_LIBS += -lnsl + EOC + fi + fi + + if use postgres; then + cat >> Makefile <<- EOC + LOOKUP_PGSQL=yes + LOOKUP_INCLUDE += -I$(pg_config --includedir) + LOOKUP_LIBS += -L$(pg_config --libdir) -lpq + EOC + fi + + if use sqlite; then + cat >> Makefile <<- EOC + LOOKUP_SQLITE=yes + LOOKUP_SQLITE_PC=sqlite3 + EOC + fi + + if use redis; then + cat >> Makefile <<- EOC + LOOKUP_REDIS=yes + LOOKUP_LIBS += -lhiredis + EOC + fi + + # Exim monitor, enabled by default, controlled via X USE-flag, + # disable if not requested, bug #46778 + if use X; then + cp ../exim_monitor/EDITME eximon.conf || die + cat >> Makefile <<- EOC + EXIM_MONITOR=eximon.bin + EOC + fi + + # + # features + # + + # DomainKeys Identified Mail, RFC4871 + if ! use dkim; then + # DKIM is enabled by default + cat >> Makefile <<- EOC + DISABLE_DKIM=yes + EOC + fi + + # Per-Recipient-Data-Response + if ! use prdr; then + # PRDR is enabled by default + cat >> Makefile <<- EOC + DISABLE_PRDR=yes + EOC + fi + + # Transport post-delivery actions + if use !tpda && use !dane; then + # EVENT is enabled by default + cat >> Makefile <<- EOC + DISABLE_EVENT=yes + EOC + fi + + # log to syslog + if use syslog; then + local eximlog="${EPREFIX}/var/log/exim/exim_%s.log" + sed -i \ + -e "s:LOG_FILE_PATH=${eximlog}:LOG_FILE_PATH=syslog:" \ + Makefile || die + cat >> Makefile <<- EOC + LOG_FILE_PATH=syslog + EOC + else + cat >> Makefile <<- EOC + LOG_FILE_PATH=${EPREFIX}/var/log/exim/exim_%s.log + EOC + fi + + # starttls support (ssl) + if use ssl; then + if use gnutls; then + echo "USE_GNUTLS=yes" >> Makefile + echo "USE_GNUTLS_PC=gnutls $(use dane && echo gnutls-dane)" \ + >> Makefile + use pkcs11 || echo "AVOID_GNUTLS_PKCS11=yes" >> Makefile + else + echo "USE_OPENSSL=yes" >> Makefile + echo "USE_OPENSSL_PC=openssl" >> Makefile + fi + else + echo "DISABLE_TLS=yes" >> Makefile + fi + + # TCP wrappers + if use tcpd; then + cat >> Makefile <<- EOC + USE_TCP_WRAPPERS=yes + EXTRALIBS_EXIM += -lwrap + EOC + fi + + # Light Mail Transport Protocol + if use lmtp; then + cat >> Makefile <<- EOC + TRANSPORT_LMTP=yes + EOC + fi + + # embedded Perl + if use perl; then + cat >> Makefile <<- EOC + EXIM_PERL=perl.o + EOC + fi + + # dlfunc + if use dlfunc; then + cat >> Makefile <<- EOC + EXPAND_DLFUNC=yes + HAVE_LOCAL_SCAN=yes + DLOPEN_LOCAL_SCAN=yes + EOC + fi + + # Proxy Protocol + if use proxy; then + cat >> Makefile <<- EOC + SUPPORT_PROXY=yes + EOC + fi + + # SOCKS5 (outbound) proxy support + if use socks5; then + cat >> Makefile <<- EOC + SUPPORT_SOCKS=yes + EOC + fi + + # DANE + if use !dane; then + # DANE is enabled by default + sed -i -e 's:^SUPPORT_DANE=yes:# SUPPORT_DANE=yes:' Makefile || die + fi + + # DMARC + if use dmarc; then + cat >> Makefile <<- EOC + SUPPORT_DMARC=yes + EXTRALIBS_EXIM += -lopendmarc + EOC + fi + + # Sender Policy Framework + if use spf; then + cat >> Makefile <<- EOC + SUPPORT_SPF=yes + EXTRALIBS_EXIM += -lspf2 + EOC + fi + + # + # experimental features + # + + # Authenticated Receive Chain + if use arc; then + echo "EXPERIMENTAL_ARC=yes">> Makefile + fi + + # Distributed Checksum Clearinghouse + if use dcc; then + echo "EXPERIMENTAL_DCC=yes">> Makefile + fi + + # Sender Rewriting Scheme + if use srs; then + # this one is the default/supported variant since 4.95, and the + # only variant available since 4.96 + cat >> Makefile <<- EOC + SUPPORT_SRS=yes + EOC + fi + + # Delivery Sender Notifications extra information in fail message + if use dsn; then + cat >> Makefile <<- EOC + EXPERIMENTAL_DSN_INFO=yes + EOC + fi + + # + # authentication (SMTP AUTH) + # + + # standard bits + cat >> Makefile <<- EOC + AUTH_SPA=yes + AUTH_CRAM_MD5=yes + AUTH_PLAINTEXT=yes + EOC + + # Cyrus SASL + if use sasl; then + cat >> Makefile <<- EOC + CYRUS_SASLAUTHD_SOCKET=${EPREFIX}/run/saslauthd/mux + AUTH_CYRUS_SASL=yes + AUTH_LIBS += -lsasl2 + EOC + fi + + # Dovecot + if use dovecot-sasl; then + cat >> Makefile <<- EOC + AUTH_DOVECOT=yes + EOC + fi + + # Pluggable Authentication Modules + if use pam; then + cat >> Makefile <<- EOC + SUPPORT_PAM=yes + AUTH_LIBS += -lpam + EOC + fi + + # Radius + if use radius; then + cat >> Makefile <<- EOC + RADIUS_CONFIG_FILE=${EPREFIX}/etc/radiusclient/radiusclient.conf + RADIUS_LIB_TYPE=RADIUSCLIENTNEW + AUTH_LIBS += -lfreeradius-client + EOC + fi +} + +src_compile() { + emake CC="$(tc-getCC)" HOSTCC="$(tc-getBUILD_CC)" \ + AR="$(tc-getAR) cq" RANLIB="$(tc-getRANLIB)" FULLECHO='' +} + +src_install() { + cd "${S}"/build-exim-gentoo || die + dosbin exim + if use X; then + dosbin eximon.bin + dosbin eximon + fi + fperms 4755 /usr/sbin/exim + + dosym exim /usr/sbin/sendmail + dosym exim /usr/sbin/rsmtp + dosym exim /usr/sbin/rmail + dosym ../sbin/exim /usr/bin/mailq + dosym ../sbin/exim /usr/bin/newaliases + dosym ../sbin/sendmail /usr/lib/sendmail + + for i in exicyclog exim_dbmbuild exim_dumpdb exim_fixdb exim_lock \ + exim_tidydb exinext exiwhat exigrep eximstats exiqsumm exiqgrep \ + convert4r3 convert4r4 exipick + do + dosbin $i + done + + dodoc -r "${S}"/doc/. + doman "${S}"/doc/exim.8 + use dsn && dodoc "${S}"/README.DSN + use doc && dodoc "${WORKDIR}"/${PN}-pdf-${PV//rc/RC}/doc/*.pdf + + # conf files + insinto /etc/exim + newins "${S}"/src/configure.default exim.conf.dist + doins "${WORKDIR}"/system_filter.exim + doins "${FILESDIR}"/auth_conf.sub + + if use pam; then + pamd_mimic system-auth exim auth account + fi + + # headers, #436406 + if use dlfunc ; then + # fixup includes so they actually can be found when including + sed -i \ + -e '/#include "\(config\|store\|mytypes\).h"/s:"\(.\+\)":<exim/\1>:' \ + local_scan.h || die + insinto /usr/include/exim + doins {config,local_scan}.h ../src/{mytypes,store}.h + fi + + insinto /etc/logrotate.d + newins "${FILESDIR}/exim.logrotate" exim + + newinitd "${FILESDIR}"/exim.rc10 exim + newconfd "${FILESDIR}"/exim.confd exim + + systemd_dounit \ + "${FILESDIR}"/{exim.service,exim.socket,exim-submission.socket} + systemd_newunit \ + "${FILESDIR}"/exim_at.service 'exim@.service' + systemd_newunit \ + "${FILESDIR}"/exim-submission_at.service 'exim-submission@.service' + + diropts -m 0750 -o ${MAILUSER} -g ${MAILGROUP} + keepdir /var/log/${PN} +} + +pkg_postinst() { + if [[ ! -f ${EROOT}/etc/exim/exim.conf ]] ; then + einfo "${EROOT}/etc/exim/system_filter.exim is a sample system_filter." + einfo "${EROOT}/etc/exim/auth_conf.sub contains the configuration sub" + einfo "for using smtp auth." + einfo "Please create ${EROOT}/etc/exim/exim.conf from" + einfo " ${EROOT}/etc/exim/exim.conf.dist." + fi + if use berkdb && ( use gdbm || use tdb ) ; then + ewarn "USE=berkdb is ignored because USE=gdbm or USE=tdb is enabled!" + fi + if use dmarc ; then + einfo "DMARC support requires ${EROOT}/etc/exim/opendmarc.tlds" + einfo "you can populate this file with the contents downloaded from" + einfo " https://publicsuffix.org/list/public_suffix_list.dat" + fi + if use dcc ; then + einfo "DCC support is experimental, you can find some limited" + einfo "documentation at the bottom of this prerelease message:" + einfo " http://article.gmane.org/gmane.mail.exim.devel/3579" + fi + use dsn && einfo "extra information in fail DSN message is experimental" + einfo + elog "Note that this release contains a tainted variable check that" + elog "is likely to break your configuration used with Exim 4.93 and before." + elog "Please check your transports for occurences of \$local_part, and" + elog "use a replacement like \$local_part_data where possible." +} diff --git a/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part1.patch b/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part1.patch new file mode 100644 index 000000000000..e83a44abc986 --- /dev/null +++ b/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part1.patch @@ -0,0 +1,111 @@ +patch reduced to code only + +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Mon, 1 Jul 2024 18:35:12 +0000 (+0100) +Subject: Fix MIME parsing of filenames specified using multiple parameters. Bug 3099 +X-Git-Tag: exim-4.98-RC3~2 +X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/6ce5c70cff89 + +Fix MIME parsing of filenames specified using multiple parameters. Bug 3099 +--- + +diff --git a/src/src/mime.c b/src/src/mime.c +index 975ddca85..5f9e1ade7 100644 +--- a/src/src/mime.c ++++ b/src/src/mime.c +@@ -587,10 +587,10 @@ while(1) + + while (*p) + { +- DEBUG(D_acl) debug_printf_indent("MIME: considering paramlist '%s'\n", p); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: considering paramlist '%s'\n", p); + +- if ( !mime_filename +- && strncmpic(CUS"content-disposition:", header, 20) == 0 ++ if ( strncmpic(CUS"content-disposition:", header, 20) == 0 + && strncmpic(CUS"filename*", p, 9) == 0 + ) + { /* RFC 2231 filename */ +@@ -604,11 +604,12 @@ while(1) + + if (q && *q) + { +- uschar * temp_string, * err_msg; ++ uschar * temp_string, * err_msg, * fname = q; + int slen; + + /* build up an un-decoded filename over successive + filename*= parameters (for use when 2047 decode fails) */ ++/*XXX could grow a gstring here */ + + mime_fname_rfc2231 = string_sprintf("%#s%s", + mime_fname_rfc2231, q); +@@ -623,26 +624,32 @@ while(1) + /* look for a ' in the "filename" */ + while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ + +- if ((size = s-q) > 0) +- mime_filename_charset = string_copyn(q, size); ++ if (*s) /* there was a ' */ ++ { ++ if ((size = s-q) > 0) ++ mime_filename_charset = string_copyn(q, size); + +- if (*(p = s)) p++; +- while(*p == '\'') p++; /* p is after 2nd ' */ ++ if (*(fname = s)) fname++; ++ while(*fname == '\'') fname++; /* fname is after 2nd ' */ ++ } + } +- else +- p = q; + +- DEBUG(D_acl) debug_printf_indent("MIME: charset %s fname '%s'\n", +- mime_filename_charset ? mime_filename_charset : US"<NULL>", p); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: charset %s fname '%s'\n", ++ mime_filename_charset ? mime_filename_charset : US"<NULL>", ++ fname); + +- temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen); +- DEBUG(D_acl) debug_printf_indent("MIME: 2047-name %s\n", temp_string); ++ temp_string = rfc2231_to_2047(fname, mime_filename_charset, ++ &slen); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: 2047-name %s\n", temp_string); + + temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ', +- NULL, &err_msg); +- DEBUG(D_acl) debug_printf_indent("MIME: plain-name %s\n", temp_string); ++ NULL, &err_msg); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: plain-name %s\n", temp_string); + +- if (!temp_string || (size = Ustrlen(temp_string)) == slen) ++ if (!temp_string || (size = Ustrlen(temp_string)) == slen) + decoding_failed = TRUE; + else + /* build up a decoded filename over successive +@@ -651,9 +658,9 @@ while(1) + mime_filename = mime_fname = mime_fname + ? string_sprintf("%s%s", mime_fname, temp_string) + : temp_string; +- } +- } +- } ++ } /*!decoding_failed*/ ++ } /*q*/ ++ } /*2231 filename*/ + + else + /* look for interesting parameters */ +@@ -682,7 +689,7 @@ while(1) + + + /* There is something, but not one of our interesting parameters. +- Advance past the next semicolon */ ++ Advance past the next semicolon */ + p = mime_next_semicolon(p); + if (*p) p++; + } /* param scan on line */ diff --git a/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part2.patch b/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part2.patch new file mode 100644 index 000000000000..f33e33598379 --- /dev/null +++ b/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part2.patch @@ -0,0 +1,247 @@ +patch reduced to code only + +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Tue, 2 Jul 2024 13:41:19 +0000 (+0100) +Subject: MIME: support RFC 2331 for name=. Bug 3099 +X-Git-Tag: exim-4.98-RC3~1 +X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/1b3209b0577a + +MIME: support RFC 2331 for name=. Bug 3099 +--- + +diff --git a/src/src/mime.c b/src/src/mime.c +index 5f9e1ade7..8044bb3fd 100644 +--- a/src/src/mime.c ++++ b/src/src/mime.c +@@ -30,10 +30,10 @@ static int mime_header_list_size = nelem(mime_header_list); + + static mime_parameter mime_parameter_list[] = { + /* name namelen value */ +- { US"name=", 5, &mime_filename }, +- { US"filename=", 9, &mime_filename }, +- { US"charset=", 8, &mime_charset }, +- { US"boundary=", 9, &mime_boundary } ++ { US"name", 4, &mime_filename }, ++ { US"filename", 8, &mime_filename }, ++ { US"charset", 7, &mime_charset }, ++ { US"boundary", 8, &mime_boundary } + }; + + +@@ -577,8 +577,8 @@ while(1) + if (*(p = q)) p++; /* jump past the ; */ + + { +- uschar * mime_fname = NULL; +- uschar * mime_fname_rfc2231 = NULL; ++ gstring * mime_fname = NULL; ++ gstring * mime_fname_rfc2231 = NULL; + uschar * mime_filename_charset = NULL; + BOOL decoding_failed = FALSE; + +@@ -590,90 +590,92 @@ while(1) + DEBUG(D_acl) + debug_printf_indent("MIME: considering paramlist '%s'\n", p); + +- if ( strncmpic(CUS"content-disposition:", header, 20) == 0 +- && strncmpic(CUS"filename*", p, 9) == 0 +- ) +- { /* RFC 2231 filename */ +- uschar * q; +- +- /* find value of the filename */ +- p += 9; +- while(*p != '=' && *p) p++; +- if (*p) p++; /* p is filename or NUL */ +- q = mime_param_val(&p); /* p now trailing ; or NUL */ +- +- if (q && *q) ++ /* look for interesting parameters */ ++ for (mime_parameter * mp = mime_parameter_list; ++ mp < mime_parameter_list + nelem(mime_parameter_list); ++ mp++ ++ ) if (strncmpic(mp->name, p, mp->namelen) == 0) ++ { ++ p += mp->namelen; ++ if (*p == '*') /* RFC 2231 */ + { +- uschar * temp_string, * err_msg, * fname = q; +- int slen; +- +- /* build up an un-decoded filename over successive +- filename*= parameters (for use when 2047 decode fails) */ +-/*XXX could grow a gstring here */ +- +- mime_fname_rfc2231 = string_sprintf("%#s%s", +- mime_fname_rfc2231, q); +- +- if (!decoding_failed) ++ while (isdigit(*++p)) ; /* ignore cont-cnt values */ ++ if (*p == '*') p++; /* step over sep chset mark */ ++ if (*p == '=') + { +- int size; +- if (!mime_filename_charset) ++ uschar * q; ++ p++; /* step over = */ ++ q = mime_param_val(&p); /* p now trailing ; or NUL */ ++ ++ if (q && *q) /* q is the dequoted value */ + { +- uschar * s = q; ++ uschar * err_msg, * fname = q; ++ int slen; ++ ++ /* build up an un-decoded filename over successive ++ filename*= parameters (for use when 2047 decode fails) */ + +- /* look for a ' in the "filename" */ +- while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ ++ mime_fname_rfc2231 = string_cat(mime_fname_rfc2231, q); + +- if (*s) /* there was a ' */ ++ if (!decoding_failed) + { +- if ((size = s-q) > 0) +- mime_filename_charset = string_copyn(q, size); +- +- if (*(fname = s)) fname++; +- while(*fname == '\'') fname++; /* fname is after 2nd ' */ +- } +- } +- +- DEBUG(D_acl) +- debug_printf_indent("MIME: charset %s fname '%s'\n", +- mime_filename_charset ? mime_filename_charset : US"<NULL>", +- fname); +- +- temp_string = rfc2231_to_2047(fname, mime_filename_charset, +- &slen); +- DEBUG(D_acl) +- debug_printf_indent("MIME: 2047-name %s\n", temp_string); +- +- temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ', +- NULL, &err_msg); +- DEBUG(D_acl) +- debug_printf_indent("MIME: plain-name %s\n", temp_string); +- +- if (!temp_string || (size = Ustrlen(temp_string)) == slen) +- decoding_failed = TRUE; +- else +- /* build up a decoded filename over successive +- filename*= parameters */ +- +- mime_filename = mime_fname = mime_fname +- ? string_sprintf("%s%s", mime_fname, temp_string) +- : temp_string; +- } /*!decoding_failed*/ +- } /*q*/ +- } /*2231 filename*/ +- +- else +- /* look for interesting parameters */ +- for (mime_parameter * mp = mime_parameter_list; +- mp < mime_parameter_list + nelem(mime_parameter_list); +- mp++ +- ) if (strncmpic(mp->name, p, mp->namelen) == 0) +- { +- uschar * q; +- uschar * dummy_errstr; ++ if (!mime_filename_charset) ++ { /* try for RFC 2231 chset/lang */ ++ uschar * s = q; ++ ++ /* look for a ' in the raw paramval */ ++ while(*s != '\'' && *s) s++; /* s is 1st ' or NUL */ ++ ++ if (*s) /* there was a ' */ ++ { ++ int size; ++ if ((size = s-q) > 0) ++ mime_filename_charset = string_copyn(q, size); ++ ++ if (*(fname = s)) fname++; ++ while(*fname == '\'') fname++; /*fname is after 2nd '*/ ++ } ++ } ++ ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: charset %s fname '%s'\n", ++ mime_filename_charset ? mime_filename_charset : US"<NULL>", ++ fname); ++ ++ fname = rfc2231_to_2047(fname, mime_filename_charset, ++ &slen); ++ DEBUG(D_acl) ++ debug_printf_indent("MIME: 2047-name %s\n", fname); ++ ++ fname = rfc2047_decode(fname, FALSE, NULL, ' ', ++ NULL, &err_msg); ++ DEBUG(D_acl) debug_printf_indent( ++ "MIME: plain-name %s\n", fname); ++ ++ if (!fname || Ustrlen(fname) == slen) ++ decoding_failed = TRUE; ++ else if (mp->value == &mime_filename) ++ { ++ /* build up a decoded filename over successive ++ filename*= parameters */ ++ ++ mime_fname = string_cat(mime_fname, fname); ++ mime_filename = string_from_gstring(mime_fname); ++ } ++ } /*!decoding_failed*/ ++ } /*q*/ ++ ++ if (*p) p++; /* p is past ; */ ++ goto param_done; /* done matching param names */ ++ } /*2231 param coding extension*/ ++ } ++ else if (*p == '=') ++ { /* non-2231 param */ ++ uschar * q, * dummy_errstr; + + /* grab the value and copy to its expansion variable */ +- p += mp->namelen; ++ ++ if (*p) p++; /* step over = */ + q = mime_param_val(&p); /* p now trailing ; or NUL */ + + *mp->value = q && *q +@@ -684,26 +686,31 @@ while(1) + "MIME: found %s parameter in %s header, value '%s'\n", + mp->name, mh->name, *mp->value); + +- break; /* done matching param names */ ++ if (*p) p++; /* p is past ; */ ++ goto param_done; /* done matching param names */ + } +- ++ } /* interesting parameters */ + + /* There is something, but not one of our interesting parameters. + Advance past the next semicolon */ ++ + p = mime_next_semicolon(p); + if (*p) p++; +- } /* param scan on line */ ++ param_done: ++ } /* param scan on line */ + + if (strncmpic(CUS"content-disposition:", header, 20) == 0) + { +- if (decoding_failed) mime_filename = mime_fname_rfc2231; ++ if (decoding_failed) ++ mime_filename = string_from_gstring(mime_fname_rfc2231); + + DEBUG(D_acl) debug_printf_indent( + "MIME: found %s parameter in %s header, value is '%s'\n", + "filename", mh->name, mime_filename); + } + } +- } ++ break; ++ } /* interesting headers */ + + /* set additional flag variables (easier access) */ + if ( mime_content_type |