Workaround: minor change to the Dovecot AUTH request to
prevent dovecot-auth memory wastage. Timo Sirainen. File:
xsasl/xsasl_dovecot_server.c.
+
+20080228
+
+ Bugfix: bounce(8) segfault on one-line template text.
+ Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
+
+20080411
+
+ Bugfix (introduced Postfix 2.0): after "warn_if_reject
+ reject_unlisted_recipient/sender", the SMTP server mistakenly
+ remembered that recipient/sender validation was already
+ done. File: smtpd/smtpd_check.c.
+
+20080428
+
+ Cleanup: the proxy_read_maps (Postfix 2.0) default setting
+ was not updated when adding sender/recipient_bcc_maps
+ (Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
+ File: global/mail_params.h.
+
+20080509
+
+ Bugfix: null-terminate CN comment string after sanitization.
+ File: smtpd/smtpd.c.
+
+20080603
+
+ Workaround: avoid "bad address pattern" errors with non-address
+ patterns in namadr_list_match() calls. File: util/match_ops.c.
+
+20080804
+
+ Bugfix: dangling pointer in vstring_sprintf_prepend().
+ File: util/vstring.c.
+
+20080814
+
+ Security: some systems have changed their link() semantics,
+ and will hardlink a symlink, contrary to POSIX and XPG4.
+ Sebastian Krahmer, SuSE. File: util/safe_open.c.
+
+ The solution introduces the following incompatible change:
+ when the target of mail delivery is a symlink, the parent
+ directory of that symlink must now be writable by root only
+ (in addition to the already existing requirement that the
+ symlink itself is owned by root). This change will break
+ legitimate configurations that deliver mail to a symbolic
+ link in a directory with less restrictive permissions.
+
* Is this 7bit or 8bit text? If the character set is US-ASCII, then
* don't allow 8bit text. Don't assume 8bit when charset was changed.
*/
-#define NON_ASCII(p) (*(p) && !allascii((p)))
+#define NON_ASCII(p) ((p) && *(p) && !allascii((p)))
if (NON_ASCII(cp) || NON_ASCII(tval)) {
if (strcasecmp(tp->mime_charset, "us-ascii") == 0) {
" $" VAR_RCPT_CANON_MAPS \
" $" VAR_RELOCATED_MAPS \
" $" VAR_TRANSPORT_MAPS \
- " $" VAR_MYNETWORKS
+ " $" VAR_MYNETWORKS \
+ " $" VAR_SEND_BCC_MAPS \
+ " $" VAR_RCPT_BCC_MAPS \
+ " $" VAR_SMTP_GENERIC_MAPS \
+ " $" VAR_LMTP_GENERIC_MAPS
extern char *var_proxy_read_maps;
/*
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20080131"
-#define MAIL_VERSION_NUMBER "2.3.14"
+#define MAIL_RELEASE_DATE "20080814"
+#define MAIL_VERSION_NUMBER "2.3.15"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
}
while (pc-- > 0)
VSTRING_ADDCH(comment_string, ')');
+ VSTRING_TERMINATE(comment_string);
}
/* data_cmd - process DATA command */
return (0);
if (state->recipient_rcptmap_checked == 1)
return (0);
- state->recipient_rcptmap_checked = 1;
+ if (state->warn_if_reject == 0)
+ /* We really validate the recipient address. */
+ state->recipient_rcptmap_checked = 1;
return (check_rcpt_maps(state, recipient, SMTPD_NAME_RECIPIENT));
}
* Postfix; if not, then Postfix has no business dealing with IPv4
* addresses anyway.
*
- * - Don't bother if the pattern is a bare IPv4 address. That form would
- * have been matched with the strcasecmp() call above.
+ * - Don't bother unless the pattern is either an IPv6 address or net/mask.
*
- * - Don't bother if the pattern isn't an address or address/mask.
+ * We can safely skip IPv4 address patterns because their form is
+ * unambiguous and they did not match in the strcasecmp() calls above.
+ *
+ * XXX We MUST skip (parent) domain names, which may appear in NAMADR_LIST
+ * input, to avoid triggering false cidr_match_parse() errors.
+ *
+ * The last two conditions below are for backwards compatibility with
+ * earlier Postfix versions: don't abort with fatal errors on junk that
+ * was silently ignored (principle of least astonishment).
*/
if (!strchr(addr, ':') != !strchr(pattern, ':')
+ || pattern[strcspn(pattern, ":/")] == 0
|| pattern[strspn(pattern, V4_ADDR_STRING_CHARS)] == 0
|| pattern[strspn(pattern, V6_ADDR_STRING_CHARS "[]/")] != 0)
return (0);
#include <msg.h>
#include <vstream.h>
#include <vstring.h>
+#include <stringops.h>
#include <safe_open.h>
/* safe_open_exist - open existing file */
* for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks
* owned by a non-root user. This would open a security hole when
* delivering mail to a world-writable mailbox directory.
+ *
+ * Sebastian Krahmer of SuSE brought to my attention that some systems have
+ * changed their semantics of link(symlink, newpath), such that the
+ * result is a hardlink to the symlink. For this reason, we now also
+ * require that the symlink's parent directory is writable only by root.
*/
else if (lstat(path, &lstat_st) < 0) {
vstring_sprintf(why, "file status changed unexpectedly: %m");
errno = EPERM;
} else if (S_ISLNK(lstat_st.st_mode)) {
- if (lstat_st.st_uid == 0)
- return (fp);
+ if (lstat_st.st_uid == 0) {
+ VSTRING *parent_buf = vstring_alloc(100);
+ const char *parent_path = sane_dirname(parent_buf, path);
+ struct stat parent_st;
+ int parent_ok;
+
+ parent_ok = (stat(parent_path, &parent_st) == 0 /* not lstat */
+ && parent_st.st_uid == 0
+ && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0);
+ vstring_free(parent_buf);
+ if (parent_ok)
+ return (fp);
+ }
vstring_sprintf(why, "file is a symbolic link");
errno = EPERM;
} else if (fstat_st->st_dev != lstat_st.st_dev
result_len = VSTRING_LEN(vp);
/* Construct: old|new|old|free */
+ VSTRING_SPACE(vp, old_len);
vstring_memcat(vp, vstring_str(vp), old_len);
/* Construct: new|old|free */
projects / thirdparty / postfix.git / commitdiff
