From: Wietse Venema Date: Mon, 4 Nov 2013 05:00:00 +0000 (-0500) Subject: postfix-2.11-20131104 X-Git-Tag: v2.11.0-RC1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1fa35743a5e587837670f5816be62acc838752a4;p=thirdparty%2Fpostfix.git postfix-2.11-20131104 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index c4ad5ede7..435f5c65a 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -19035,19 +19035,36 @@ Apologies for any names omitted. Documentation: added SASL_README example for check_sasl_access. File: proto/SASL_README.html. -20131102 - - Security violation: by default, LMDB 0.9.9 writes fragments - of uninitialized heap memory to a world-readable database - file. This is a basic memory disclosure vulnerability: - memory content that a program does not intend to share ends - up in a world-readable file. The content of uninitialized - heap memory depends on program execution history. That - history includes code execution in other libraries that are - linked into the program. To work around this problem we - disable the use of malloc() in LMDB. However, that does not - address several disclosures of stack memory. File: - util/dict_lmdb.c. - - Cleanup: expand TAB characters when generating HTML and - README files. Files: proto/Makefile.in. +20131102-3 + + Security violation: by default, LMDB 0.9.9 writes uninitialized + heap memory to a world-readable database file, as chunks + of up to 4096 bytes. This is a gross memory disclosure + vulnerability: memory content that a program does not intend + to share ends up in a world-readable file. The content of + uninitialized heap memory depends on program execution + history. That history includes code execution in other + libraries that are linked into the program. + + This is a problem whenever the user who writes the database + file differs from the user who reads the database file. For + example, a privileged writer and an unprivileged reader. + In the case of Postfix, the postmap(1) and postalias(1) + commands would leak uninitialized heap memory, as chunks + of up to 4096 bytes, from a root-privileged process that + writes to a database file, to unprivileged processes that + read from that database file. + + To work around this problem the postmap(1) and postalias(1) + commands disable the use of malloc() in LMDB. However, that + does not address several disclosures of stack memory. Other + Postfix databases do not need this workaround: those databases + are maintained by Postfix daemon processes, and are accessible + only by the postfix user. File: util/dict_lmdb.c. + +20131102-3 + + Cleanup: expand TAB characters when generating documentation. + This was primarily an issue with non-HTML output, but it does + not hurt to do this also for HTML. Files: proto/Makefile.in, + proto/MULTI_INSTANCE_README.html. diff --git a/postfix/README_FILES/ADDRESS_REWRITING_README b/postfix/README_FILES/ADDRESS_REWRITING_README index abd4d6a44..e1fcdee46 100644 --- a/postfix/README_FILES/ADDRESS_REWRITING_README +++ b/postfix/README_FILES/ADDRESS_REWRITING_README @@ -655,9 +655,9 @@ Example: smtp_generic_maps = hash:/etc/postfix/generic /etc/postfix/generic: - his@localdomain.local hisaccount@hisisp.example - her@localdomain.local heraccount@herisp.example - @localdomain.local hisaccount+local@hisisp.example + his@localdomain.local hisaccount@hisisp.example + her@localdomain.local heraccount@herisp.example + @localdomain.local hisaccount+local@hisisp.example When mail is sent to a remote host via SMTP, this replaces his@localdomain.local by his ISP mail address, replaces her@localdomain.local diff --git a/postfix/README_FILES/BACKSCATTER_README b/postfix/README_FILES/BACKSCATTER_README index 12f50a234..2870d11f8 100644 --- a/postfix/README_FILES/BACKSCATTER_README +++ b/postfix/README_FILES/BACKSCATTER_README @@ -119,7 +119,7 @@ this: endif /^Message-ID:.* ]*Message-ID:.* ]*Message-ID:.*@(porcupine\.org)/ - reject forged domain name in Message-ID: header: $1 + reject forged domain name in Message-ID: header: $1 Notes: diff --git a/postfix/README_FILES/DATABASE_README b/postfix/README_FILES/DATABASE_README index 0ba1778f1..629135c63 100644 --- a/postfix/README_FILES/DATABASE_README +++ b/postfix/README_FILES/DATABASE_README @@ -151,16 +151,16 @@ font. # Note 1: commands are specified after a TAB character. # Note 2: use postalias(1) for local aliases, postmap(1) for the rest. aliases.db: aliases.in - postalias aliases.in - mv aliases.in.db aliases.db + postalias aliases.in + mv aliases.in.db aliases.db access.db: access.in - postmap access.in - mv access.in.db access.db + postmap access.in + mv access.in.db access.db virtual.db: virtual.in - postmap virtual.in - mv virtual.in.db virtual.db + postmap virtual.in + mv virtual.in.db virtual.db ...etcetera... # vvii aacccceessss..iinn diff --git a/postfix/README_FILES/MULTI_INSTANCE_README b/postfix/README_FILES/MULTI_INSTANCE_README index 9d2c82e77..6e2fb48c5 100644 --- a/postfix/README_FILES/MULTI_INSTANCE_README +++ b/postfix/README_FILES/MULTI_INSTANCE_README @@ -157,13 +157,13 @@ submission null client: # a template file. The build process expands the template into # "mtaadmin+root=mta1" # - root mtaadmin+root=mta1 + root mtaadmin+root=mta1 /etc/postfix/virtual: # Caretaker aliases: # - root mtaadmin - postmaster root + root mtaadmin + postmaster root You would typically also add a Makefile, to automatically run postmap(1) commands when source files change. This Makefile also creates a "generic" @@ -175,13 +175,13 @@ database when none exists. all: virtual.cdb generic.cdb generic: Makefile - @echo Creating $@ - @rm -f $@.tmp - @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp - @mv $@.tmp generic + @echo Creating $@ + @rm -f $@.tmp + @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp + @mv $@.tmp generic %.cdb: % - postmap cdb:$< + postmap cdb:$< Construct the "virtual" and "generic" databases (the latter is created by running "make"), then start and test the null-client: @@ -875,9 +875,9 @@ If you want to override the conventional values of the instance installation parameters, specify their values on the command-line: # postmulti [-I postfix-myinst] [-G mygroup] -e create \ - "config_directory = /path/to/config_directory" \ - "queue_directory = /path/to/queue_directory" \ - "data_directory = /path/to/data_directory" + "config_directory = /path/to/config_directory" \ + "queue_directory = /path/to/queue_directory" \ + "data_directory = /path/to/data_directory" A note on the --II and --GG options above. These are always used to assign a name or group name to an instance, while the --ii and --gg options always select @@ -924,7 +924,7 @@ match this name if necessary): Otherwise, you must specify the location of its configuration directory: # postmulti [-I postfix-myinst] [-G mygroup] -e import \ - "config_directory = /path/of/config_directory" + "config_directory = /path/of/config_directory" When the instance is imported, you can assign a name or a group. As with "create", you can control the placement of the new instance in the start order diff --git a/postfix/README_FILES/RESTRICTION_CLASS_README b/postfix/README_FILES/RESTRICTION_CLASS_README index f4fbe8fa7..9c78684f0 100644 --- a/postfix/README_FILES/RESTRICTION_CLASS_README +++ b/postfix/README_FILES/RESTRICTION_CLASS_README @@ -30,9 +30,9 @@ Example: smtpd_recipient_restrictions = permit_mynetworks - # reject_unauth_destination is not needed here if the mail - # relay policy is specified with smtpd_relay_restrictions - # (available with Postfix 2.10 and later). + # reject_unauth_destination is not needed here if the mail + # relay policy is specified with smtpd_relay_restrictions + # (available with Postfix 2.10 and later). reject_unauth_destination check_recipient_access hash:/etc/postfix/recipient_access ... diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index 59489414c..66b9b415d 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README @@ -846,19 +846,19 @@ authenticated SMTP clients to send mail to remote destinations. Examples: # preferably specified under smtpd_relay_restrictions. /etc/postfix/main.cf: smtpd_relay_restrictions = - permit_mynetworks - ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd - reject_unauth_destination + permit_mynetworks + ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd + reject_unauth_destination # Older configurations combine relay control and spam control under # smtpd_recipient_restrictions. To use this example with Postfix >= # 2.10 specify "smtpd_relay_restrictions=". /etc/postfix/main.cf: smtpd_recipient_restrictions = - permit_mynetworks - ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd - reject_unauth_destination - ...other rules... + permit_mynetworks + ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd + reject_unauth_destination + ...other rules... EEnnvveellooppee sseennddeerr aaddddrreessss aauutthhoorriizzaattiioonn @@ -878,7 +878,7 @@ authenticated client is allowed to use a particular envelope sender address: smtpd_recipient_restrictions = ... rreejjeecctt__sseennddeerr__llooggiinn__mmiissmmaattcchh - permit_sasl_authenticated + permit_sasl_authenticated ... The controlled_envelope_senders table specifies the binding between a sender @@ -915,14 +915,14 @@ credentials have been compromised. /etc/postfix/main.cf: smtpd_recipient_restrictions = - permit_mynetworks - check_sasl_access hash:/etc/postfix/sasl_access - permit_sasl_authenticated - ... + permit_mynetworks + check_sasl_access hash:/etc/postfix/sasl_access + permit_sasl_authenticated + ... /etc/postfix/sasl_access: # Use this when smtpd_sasl_local_domain is empty. - username HOLD + username HOLD # Use this when smtpd_sasl_local_domain=example.com. username@example.com HOLD diff --git a/postfix/README_FILES/SCHEDULER_README b/postfix/README_FILES/SCHEDULER_README index 3223d2ada..a6f7702ff 100644 --- a/postfix/README_FILES/SCHEDULER_README +++ b/postfix/README_FILES/SCHEDULER_README @@ -594,10 +594,10 @@ The first approximation of the new scheduling algorithm is like this: if transport process limit reached continue foreach transport's job (in the order of the transport's job list) do - foreach job's peer (round-robin-by-destination) - if peer->queue->concurrency < peer->queue->window - return next peer entry. - done + foreach job's peer (round-robin-by-destination) + if peer->queue->concurrency < peer->queue->window + return next peer entry. + done done done diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index 93ea07b42..4728a624d 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README @@ -1140,7 +1140,7 @@ the example above, we show two matching fingerprints: smtp_tls_fingerprint_digest = md5 /etc/postfix/tls_policy: - example.com fingerprint + example.com fingerprint match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 @@ -1753,8 +1753,8 @@ Example: [mail.example.org]:587 secure match=nexthop # Postfix 2.5 and later [thumb.example.org] fingerprint - match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 - match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 + match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 + match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 # Postfix 2.6 and later example.info may protocols=!SSLv2 ciphers=medium exclude=3DES diff --git a/postfix/html/MULTI_INSTANCE_README.html b/postfix/html/MULTI_INSTANCE_README.html index 2444e1dd9..6aca5f53d 100644 --- a/postfix/html/MULTI_INSTANCE_README.html +++ b/postfix/html/MULTI_INSTANCE_README.html @@ -554,7 +554,7 @@ pre-filter input instance include:

# Avoid splitting the envelope and scanning messages multiple times. # Match the re-injection server's recipient limit. # - smtp_destination_recipient_limit = 1000 + smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency in the content filter. # diff --git a/postfix/proto/MULTI_INSTANCE_README.html b/postfix/proto/MULTI_INSTANCE_README.html index 2b72d1b45..59bb4fbd9 100644 --- a/postfix/proto/MULTI_INSTANCE_README.html +++ b/postfix/proto/MULTI_INSTANCE_README.html @@ -554,7 +554,7 @@ pre-filter input instance include:

# Avoid splitting the envelope and scanning messages multiple times. # Match the re-injection server's recipient limit. # - smtp_destination_recipient_limit = 1000 + smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency in the content filter. # diff --git a/postfix/proto/Makefile.in b/postfix/proto/Makefile.in index adfcf2591..3c039ab5d 100644 --- a/postfix/proto/Makefile.in +++ b/postfix/proto/Makefile.in @@ -139,328 +139,328 @@ clobber: $(SRCTOMAN) - $? | $(AWK) | nroff -man | col -bx | uniq | sed 's/^/# /' >$@ ../html/ADDRESS_CLASS_README.html: ADDRESS_CLASS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/ADDRESS_REWRITING_README.html: ADDRESS_REWRITING_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/ADDRESS_VERIFICATION_README.html: ADDRESS_VERIFICATION_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/BACKSCATTER_README.html: BACKSCATTER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/CDB_README.html: CDB_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/CONNECTION_CACHE_README.html: CONNECTION_CACHE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/CONTENT_INSPECTION_README.html: CONTENT_INSPECTION_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/CYRUS_README.html: CYRUS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/DATABASE_README.html: DATABASE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/DB_README.html: DB_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/DEBUG_README.html: DEBUG_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/DSN_README.html: DSN_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/ETRN_README.html: ETRN_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/FILTER_README.html: FILTER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/INSTALL.html: INSTALL.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/IPV6_README.html: IPV6_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/LDAP_README.html: LDAP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/LINUX_README.html: LINUX_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/LOCAL_RECIPIENT_README.html: LOCAL_RECIPIENT_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MAILDROP_README.html: MAILDROP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/LMDB_README.html: LMDB_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MEMCACHE_README.html: MEMCACHE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MILTER_README.html: MILTER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MULTI_INSTANCE_README.html: MULTI_INSTANCE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MYSQL_README.html: MYSQL_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/NFS_README.html: NFS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/OVERVIEW.html: OVERVIEW.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/PACKAGE_README.html: PACKAGE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/PCRE_README.html: PCRE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/PGSQL_README.html: PGSQL_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/POSTSCREEN_README.html: POSTSCREEN_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/QMQP_README.html: QMQP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/QSHAPE_README.html: QSHAPE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/RESTRICTION_CLASS_README.html: RESTRICTION_CLASS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SASL_README.html: SASL_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SCHEDULER_README.html: SCHEDULER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SMTPD_ACCESS_README.html: SMTPD_ACCESS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SMTPD_POLICY_README.html: SMTPD_POLICY_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SMTPD_PROXY_README.html: SMTPD_PROXY_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SOHO_README.html: $(MAKESOHO) $(DEPSOHO) $(MAKESOHO) | $(POSTLINK) | $(DETAB) >$@ ../html/SQLITE_README.html: SQLITE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/STRESS_README.html: STRESS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/TUNING_README.html: TUNING_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/UUCP_README.html: UUCP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/ULTRIX_README.html: ULTRIX_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/VERP_README.html: VERP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/VIRTUAL_README.html: VIRTUAL_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/XCLIENT_README.html: XCLIENT_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/XFORWARD_README.html: XFORWARD_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/TLS_README.html: TLS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/TLS_LEGACY_README.html: TLS_LEGACY_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../README_FILES/ADDRESS_CLASS_README: ADDRESS_CLASS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/ADDRESS_REWRITING_README: ADDRESS_REWRITING_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/ADDRESS_VERIFICATION_README: ADDRESS_VERIFICATION_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/BACKSCATTER_README: BACKSCATTER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/CDB_README: CDB_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/CONNECTION_CACHE_README: CONNECTION_CACHE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/CONTENT_INSPECTION_README: CONTENT_INSPECTION_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/CYRUS_README: CYRUS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/DATABASE_README: DATABASE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/DB_README: DB_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/DEBUG_README: DEBUG_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/DSN_README: DSN_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/ETRN_README: ETRN_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/FILTER_README: FILTER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/INSTALL: INSTALL.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/IPV6_README: IPV6_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/LDAP_README: LDAP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/LINUX_README: LINUX_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/LOCAL_RECIPIENT_README: LOCAL_RECIPIENT_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MAILDROP_README: MAILDROP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/LMDB_README: LMDB_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MEMCACHE_README: MEMCACHE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MILTER_README: MILTER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MULTI_INSTANCE_README: MULTI_INSTANCE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MYSQL_README: MYSQL_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/NFS_README: NFS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/OVERVIEW: OVERVIEW.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/PACKAGE_README: PACKAGE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/PCRE_README: PCRE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/PGSQL_README: PGSQL_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/POSTSCREEN_README: POSTSCREEN_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/QMQP_README: QMQP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/QSHAPE_README: QSHAPE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/RESTRICTION_CLASS_README: RESTRICTION_CLASS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SASL_README: SASL_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SCHEDULER_README: SCHEDULER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SMTPD_ACCESS_README: SMTPD_ACCESS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SMTPD_POLICY_README: SMTPD_POLICY_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SMTPD_PROXY_README: SMTPD_PROXY_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SOHO_README: $(MAKESOHO) $(DEPSOHO) $(MAKESOHO) | $(HT2READ) | $(DETAB) >$@ ../README_FILES/SQLITE_README: SQLITE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/STRESS_README: STRESS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/TUNING_README: TUNING_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/UUCP_README: UUCP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/ULTRIX_README: ULTRIX_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/VERP_README: VERP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/VIRTUAL_README: VIRTUAL_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/XCLIENT_README: XCLIENT_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/XFORWARD_README: XFORWARD_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/TLS_README: TLS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/TLS_LEGACY_README: TLS_LEGACY_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/AAAREADME: ../html/index.html $(MAKEAAA) $(MAKEAAA) ../html/index.html | $(HT2READ) | $(DETAB) >$@ @@ -468,8 +468,8 @@ clobber: ../man/man5/postconf.5: postconf.man.prolog postconf.proto postconf.man.epilog \ ../mantools/xpostconf ../mantools/postconf2html ../mantools/postconf2man (cat postconf.man.prolog; ../mantools/xpostconf postconf.proto | \ - ../mantools/postconf2html | ../mantools/postconf2man | \ - sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) | $(DETAB) > $@ + $(DETAB) | ../mantools/postconf2html | ../mantools/postconf2man | \ + sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) > $@ ../html/postconf.5.html: postconf.html.prolog postconf.proto \ postconf.html.epilog ../mantools/xpostconf ../mantools/postconf2html \ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 04ddb62aa..d4dbebdc1 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20131103" +#define MAIL_RELEASE_DATE "20131104" #define MAIL_VERSION_NUMBER "2.11" #ifdef SNAPSHOT diff --git a/postfix/src/postalias/postalias.c b/postfix/src/postalias/postalias.c index 430c15641..fd5351534 100644 --- a/postfix/src/postalias/postalias.c +++ b/postfix/src/postalias/postalias.c @@ -290,6 +290,7 @@ static void postalias(char *map_type, char *path_name, int postalias_flags, if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0) msg_fatal("open %s: %m", path_name); } + dict_flags |= DICT_FLAG_WORLD_READ; if (fstat(vstream_fileno(source_fp), &st) < 0) msg_fatal("fstat %s: %m", path_name); diff --git a/postfix/src/postmap/postmap.c b/postfix/src/postmap/postmap.c index e10ac1669..26348041e 100644 --- a/postfix/src/postmap/postmap.c +++ b/postfix/src/postmap/postmap.c @@ -353,6 +353,7 @@ static void postmap(char *map_type, char *path_name, int postmap_flags, if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0) msg_fatal("open %s: %m", path_name); } + dict_flags |= DICT_FLAG_WORLD_READ; if (fstat(vstream_fileno(source_fp), &st) < 0) msg_fatal("fstat %s: %m", path_name); diff --git a/postfix/src/util/dict.c b/postfix/src/util/dict.c index 3c4a9b1b8..e1e11cf4d 100644 --- a/postfix/src/util/dict.c +++ b/postfix/src/util/dict.c @@ -590,6 +590,7 @@ static const NAME_MASK dict_mask[] = { "fold_mul", DICT_FLAG_FOLD_MUL, /* case-fold with multi-case key map */ "open_lock", DICT_FLAG_OPEN_LOCK, /* permanent lock upon open */ "bulk_update", DICT_FLAG_BULK_UPDATE, /* bulk update if supported */ + "world_read", DICT_FLAG_WORLD_READ, /* assume writer != reader */ 0, }; diff --git a/postfix/src/util/dict.h b/postfix/src/util/dict.h index d255aac3b..c8564f6bd 100644 --- a/postfix/src/util/dict.h +++ b/postfix/src/util/dict.h @@ -96,6 +96,7 @@ extern DICT *dict_debug(DICT *); #define DICT_FLAG_FOLD_ANY (DICT_FLAG_FOLD_FIX | DICT_FLAG_FOLD_MUL) #define DICT_FLAG_OPEN_LOCK (1<<16) /* perm lock if not multi-writer safe */ #define DICT_FLAG_BULK_UPDATE (1<<17) /* optimize for bulk updates */ +#define DICT_FLAG_WORLD_READ (1<<18) /* assume writer != reader */ /* IMPORTANT: Update the dict_mask[] table when the above changes */ diff --git a/postfix/src/util/dict_lmdb.c b/postfix/src/util/dict_lmdb.c index aa6836042..2bc032107 100644 --- a/postfix/src/util/dict_lmdb.c +++ b/postfix/src/util/dict_lmdb.c @@ -551,35 +551,45 @@ DICT *dict_lmdb_open(const char *path, int open_flags, int dict_flags) mdb_path = concatenate(path, "." DICT_TYPE_LMDB, (char *) 0); /* - * Security violation. - * - * By default, LMDB 0.9.9 writes uninitialized heap memory to a - * world-readable database file. This is a basic memory disclosure - * vulnerability: memory content that a program does not intend to share - * ends up in a world-readable file. The content of uninitialized heap - * memory depends on program execution history. That history includes - * code execution in other libraries that are linked into the program. - * - * As a workaround we turn on MDB_WRITEMAP which disables the use of - * malloc() in LMDB. However, that does not address several disclosures - * of stack memory. + * Impedance adapters. */ mdb_flags = MDB_NOSUBDIR | MDB_NOLOCK; if (open_flags == O_RDONLY) mdb_flags |= MDB_RDONLY; - /* - * Replace with MDB_VERSION_FULL < MDB_VERINT(X, Y, Z) after this is - * fixed up-stream. - */ -#if 1 - mdb_flags |= MDB_WRITEMAP; -#endif - slmdb_flags = 0; if (dict_flags & DICT_FLAG_BULK_UPDATE) slmdb_flags |= SLMDB_FLAG_BULK; + /* + * Security violation. + * + * By default, LMDB 0.9.9 writes uninitialized heap memory to a + * world-readable database file, as chunks of up to 4096 bytes. This is a + * gross memory disclosure vulnerability: memory content that a program + * does not intend to share ends up in a world-readable file. The content + * of uninitialized heap memory depends on program execution history. + * That history includes code execution in other libraries that are + * linked into the program. + * + * This is a problem whenever the user who writes the database file differs + * from the user who reads the database file. For example, a privileged + * writer and an unprivileged reader. In the case of Postfix, the + * postmap(1) and postalias(1) commands would leak uninitialized heap + * memory, as chunks of up to 4096 bytes, from a root-privileged process + * that writes to a database file, to unprivileged processes that read + * from that database file. + * + * As a workaround the postmap(1) and postalias(1) commands turn on + * MDB_WRITEMAP which disables the use of malloc() in LMDB. However, that + * does not address several disclosures of stack memory. Other Postfix + * databases do not need this workaround: those databases are maintained + * by Postfix daemon processes, and are accessible only by the postfix + * user. + */ + if (dict_flags & DICT_FLAG_WORLD_READ) + mdb_flags |= MDB_WRITEMAP; + /* * Gracefully handle most database open errors. */ diff --git a/postfix/src/util/dict_open.c b/postfix/src/util/dict_open.c index aee1f8ddd..a8b5a0a72 100644 --- a/postfix/src/util/dict_open.c +++ b/postfix/src/util/dict_open.c @@ -126,6 +126,9 @@ /* Enable preliminary code for bulk-mode database updates. /* The caller must create an exception handler with dict_jmp_alloc() /* and must trap exceptions from the database client with dict_setjmp(). +/* .IP DICT_FLAG_WORLD_READ +/* Assume that the database file will be read by users other +/* than the writer. /* .IP DICT_FLAG_DEBUG /* Enable additional logging. /* .PP diff --git a/postfix/src/util/slmdb.c b/postfix/src/util/slmdb.c index a471c5c0b..5a038620e 100644 --- a/postfix/src/util/slmdb.c +++ b/postfix/src/util/slmdb.c @@ -295,9 +295,11 @@ static int slmdb_recover(SLMDB *slmdb, int status) MDB_envinfo info; /* - * Limit the number of recovery attempts per slmdb(3) API request. + * Recover bulk transactions only if they can be restarted. Limit + * the number of recovery attempts per slmdb(3) API request. */ - if ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit) + if ((slmdb->txn != 0 && slmdb->longjmp_fn == 0) + || ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit)) return (status); /*