head 1.6; access; symbols pkgsrc-2014Q3:1.5.0.30 pkgsrc-2014Q3-base:1.5 pkgsrc-2014Q2:1.5.0.28 pkgsrc-2014Q2-base:1.5 pkgsrc-2014Q1:1.5.0.26 pkgsrc-2014Q1-base:1.5 pkgsrc-2013Q4:1.5.0.24 pkgsrc-2013Q4-base:1.5 pkgsrc-2013Q3:1.5.0.22 pkgsrc-2013Q3-base:1.5 pkgsrc-2013Q2:1.5.0.20 pkgsrc-2013Q2-base:1.5 pkgsrc-2013Q1:1.5.0.18 pkgsrc-2013Q1-base:1.5 pkgsrc-2012Q4:1.5.0.16 pkgsrc-2012Q4-base:1.5 pkgsrc-2012Q3:1.5.0.14 pkgsrc-2012Q3-base:1.5 pkgsrc-2012Q2:1.5.0.12 pkgsrc-2012Q2-base:1.5 pkgsrc-2012Q1:1.5.0.10 pkgsrc-2012Q1-base:1.5 pkgsrc-2011Q4:1.5.0.8 pkgsrc-2011Q4-base:1.5 pkgsrc-2011Q3:1.5.0.6 pkgsrc-2011Q3-base:1.5 pkgsrc-2011Q2:1.5.0.4 pkgsrc-2011Q2-base:1.5 pkgsrc-2011Q1:1.5.0.2 pkgsrc-2011Q1-base:1.5 pkgsrc-2010Q4:1.4.0.4 pkgsrc-2010Q4-base:1.4 pkgsrc-2010Q3:1.4.0.2 pkgsrc-2010Q3-base:1.4 pkgsrc-2010Q2:1.3.0.2 pkgsrc-2010Q2-base:1.3 pkgsrc-2010Q1:1.2.0.32 pkgsrc-2010Q1-base:1.2 pkgsrc-2009Q4:1.2.0.30 pkgsrc-2009Q4-base:1.2 pkgsrc-2009Q3:1.2.0.28 pkgsrc-2009Q3-base:1.2 pkgsrc-2009Q2:1.2.0.26 pkgsrc-2009Q2-base:1.2 pkgsrc-2009Q1:1.2.0.24 pkgsrc-2009Q1-base:1.2 pkgsrc-2008Q4:1.2.0.22 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.20 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.18 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.16 pkgsrc-2008Q2-base:1.2 cwrapper:1.2.0.14 pkgsrc-2008Q1:1.2.0.12 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.10 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.8 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.6 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.4 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.2 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.1.0.12 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.10 pkgsrc-2006Q2-base:1.1 pkgsrc-2006Q1:1.1.0.8 pkgsrc-2006Q1-base:1.1 pkgsrc-2005Q4:1.1.0.6 pkgsrc-2005Q4-base:1.1 pkgsrc-2005Q3:1.1.0.4 pkgsrc-2005Q3-base:1.1 pkgsrc-2005Q2:1.1.0.2 pkgsrc-2005Q2-base:1.1; locks; strict; comment @# @; 1.6 date 2014.12.18.22.23.01; author gdt; state dead; branches; next 1.5; commitid C9rWZxjXO1Jkzz2y; 1.5 date 2011.03.18.15.26.30; author gdt; state Exp; branches; next 1.4; 1.4 date 2010.09.10.23.33.42; author gdt; state Exp; branches; next 1.3; 1.3 date 2010.04.17.21.11.18; author tez; state Exp; branches; next 1.2; 1.2 date 2006.10.12.12.19.09; author obache; state Exp; branches 1.2.32.1; next 1.1; 1.1 date 2005.04.07.11.27.48; author wiz; state Exp; branches; next ; 1.2.32.1 date 2010.04.19.09.15.47; author tron; state Exp; branches; next ; desc @@ 1.6 log @Update to 0.4.0. Several patches are dropped because they were integrated upsteam. (Approval during freeze by wiz@@.) Upstream changes since 0.3.1 from https://savannah.nongnu.org/forum/forum.php?forum_id=8094 Item posted by Todd Kover on Thu 11 Sep 2014 01:05:20 AM GMT. I am pleased to announce the release of spamass-milt version 0.4.0. This is the first of what I hope are a number of maintenance releases with the goal to eliminate the outstanding bug/patch/feature requests: The following changes are included in this release - -C option to change the default reject code - -S option to specify a path to sendmail (for the -x option) - -R option to specify the rejection message - -a option to skip messages that were authenticated - IPv6 address support - zombie process fix for the - option introduced in 0.3.2 This also includes the fix for CVE-2010-1132 that was in the unannounced but generated 0.3.2 release. @ text @$NetBSD: patch-aa,v 1.5 2011/03/18 15:26:30 gdt Exp $ This patch has hunks for multiple reasons: 1) Ancient fix to avoid going beyond s2. 2) Added CVE-2010-1132 patch from: https://bugzilla.redhat.com/attachment.cgi?id=401011 3) (Most of, some in .h) patch to add option to not scan mail from authenticated users, from: http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2006-November/106024.html 4) Avoid memory allocation in after fork and before exec. From PR pkg/44704. --- spamass-milter.cpp.orig 2011-03-18 15:15:56.000000000 +0000 +++ spamass-milter.cpp @@@@ -170,10 +170,7 @@@@ char *spambucket; bool flag_full_email = false; /* pass full email address to spamc */ bool flag_expand = false; /* alias/virtusertable expansion */ bool warnedmacro = false; /* have we logged that we couldn't fetch a macro? */ - -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ -static pthread_mutex_t popen_mutex = PTHREAD_MUTEX_INITIALIZER; -#endif +bool auth = false; /* don't scan authenticated users */ // {{{ main() @@@@ -181,7 +178,7 @@@@ int main(int argc, char* argv[]) { int c, err = 0; - const char *args = "fd:mMp:P:r:u:D:i:b:B:e:x"; + const char *args = "fd:mMp:P:r:u:D:i:b:B:e:xa"; char *sock = NULL; bool dofork = false; char *pidfilename = NULL; @@@@ -196,6 +193,9 @@@@ main(int argc, char* argv[]) /* Process command line options */ while ((c = getopt(argc, argv, args)) != -1) { switch (c) { + case 'a': + auth = true; + break; case 'f': dofork = true; break; @@@@ -281,7 +281,7 @@@@ main(int argc, char* argv[]) cout << "SpamAssassin Sendmail Milter Plugin" << endl; cout << "Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]" << endl; cout << " [-e defaultdomain] [-f] [-i networks] [-m] [-M]" << endl; - cout << " [-P pidfile] [-r nn] [-u defaultuser] [-x]" << endl; + cout << " [-P pidfile] [-r nn] [-u defaultuser] [-x] [-a]" << endl; cout << " [-- spamc args ]" << endl; cout << " -p socket: path to create socket" << endl; cout << " -b bucket: redirect spam to this mail address. The orignal" << endl; @@@@ -302,6 +302,7 @@@@ main(int argc, char* argv[]) cout << " -u defaultuser: pass the recipient's username to spamc.\n" " Uses 'defaultuser' if there are multiple recipients." << endl; cout << " -x: pass email address through alias and virtusertable expansion." << endl; + cout << " -a: don't scan messages over an authenticated connection." << endl; cout << " -- spamc args: pass the remaining flags to spamc." << endl; exit(EX_USAGE); @@@@ -461,59 +462,24 @@@@ assassinate(SMFICTX* ctx, SpamAssassin* send another copy. The milter API will not let you send the message AND return a failure code to the sender, so this is the only way to do it. */ -#if defined(__FreeBSD__) - int rv; -#endif - -#if defined(HAVE_ASPRINTF) - char *buf; -#else - char buf[1024]; -#endif - char *fmt="%s \"%s\""; + char *popen_argv[3]; FILE *p; -#if defined(HAVE_ASPRINTF) - asprintf(&buf, fmt, SENDMAIL, spambucket); -#else -#if defined(HAVE_SNPRINTF) - snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket); -#else - /* XXX possible buffer overflow here */ - sprintf(buf, fmt, SENDMAIL, spambucket); -#endif -#endif - - debug(D_COPY, "calling %s", buf); -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ - rv = pthread_mutex_lock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv)); - abort(); - } -#endif - p = popen(buf, "w"); + popen_argv[0] = SENDMAIL; + popen_argv[1] = spambucket; + popen_argv[2] = NULL; + + debug(D_COPY, "calling %s %s", SENDMAIL, spambucket); + p = popenv(popen_argv, "w"); if (!p) { - debug(D_COPY, "popen failed(%s). Will not send a copy to spambucket", strerror(errno)); + debug(D_COPY, "popenv failed(%s). Will not send a copy to spambucket", strerror(errno)); } else { // Send message provided by SpamAssassin fwrite(assassin->d().c_str(), assassin->d().size(), 1, p); - pclose(p); p = NULL; + fclose(p); p = NULL; } -#if defined(__FreeBSD__) - rv = pthread_mutex_unlock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv)); - abort(); - } -#endif -#if defined(HAVE_ASPRINTF) - free(buf); -#endif } return SMFIS_REJECT; } @@@@ -783,6 +749,15 @@@@ mlfi_envfrom(SMFICTX* ctx, char** envfro } /* debug(D_ALWAYS, "ZZZ got private context %p", sctx); */ + if (auth) { + const char *auth_type = smfi_getsymval(ctx, "{auth_type}"); + + if (auth_type) { + debug(D_MISC, "auth_type=%s", auth_type); + return SMFIS_ACCEPT; + } + } + debug(D_FUNC, "mlfi_envfrom: enter"); try { // launch new SpamAssassin @@@@ -842,30 +817,19 @@@@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp /* open a pipe to sendmail so we can do address expansion */ char buf[1024]; - char *fmt="%s -bv \"%s\" 2>&1"; - -#if defined(HAVE_SNPRINTF) - snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]); -#else - /* XXX possible buffer overflow here */ - sprintf(buf, fmt, SENDMAIL, envrcpt[0]); -#endif + char *popen_argv[4]; + + popen_argv[0] = SENDMAIL; + popen_argv[1] = "-bv"; + popen_argv[2] = envrcpt[0]; + popen_argv[3] = NULL; - debug(D_RCPT, "calling %s", buf); + debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]); -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ - rv = pthread_mutex_lock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv)); - abort(); - } -#endif - - p = popen(buf, "r"); + p = popenv(popen_argv, "r"); if (!p) { - debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno)); + debug(D_RCPT, "popenv failed(%s). Will not expand aliases", strerror(errno)); assassin->expandedrcpt.push_back(envrcpt[0]); } else { @@@@ -890,16 +854,8 @@@@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp assassin->expandedrcpt.push_back(p+7); } } - pclose(p); p = NULL; + fclose(p); p = NULL; } -#if defined(__FreeBSD__) - rv = pthread_mutex_unlock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv)); - abort(); - } -#endif } else { assassin->expandedrcpt.push_back(envrcpt[0]); @@@@ -1343,6 +1299,22 @@@@ SpamAssassin::~SpamAssassin() void SpamAssassin::Connect() { + int argc; + char *argv[100]; + char spamc_user[64]; + + if (expandedrcpt.size() != 1) { + debug(D_RCPT, "%d recipients; spamc gets default username %s", (int)expandedrcpt.size(), defaultuser); + strlcpy(spamc_user, defaultuser, sizeof(spamc_user)); + } else { + if (flag_full_email) + strlcpy(spamc_user, full_user().c_str(), sizeof(spamc_user)); + else + strlcpy(spamc_user, local_user().c_str(), sizeof(spamc_user)); + strlwr(spamc_user); + debug(D_RCPT, "spamc gets %s", spamc_user); + } + // set up pipes for in- and output if (pipe(pipe_io[0])) throw string(string("pipe error: ")+string(strerror(errno))); @@@@ -1376,33 +1348,12 @@@@ void SpamAssassin::Connect() // absolute path (determined in autoconf) // should be a little more secure // XXX arbitrary 100-argument max - int argc = 0; - char** argv = (char**) malloc(100*sizeof(char*)); + argc = 0; argv[argc++] = SPAMC; if (flag_sniffuser) { argv[argc++] = "-u"; - if ( expandedrcpt.size() != 1 ) - { - // More (or less?) than one recipient, so we pass the default - // username to SPAMC. This way special rules can be defined for - // multi recipient messages. - debug(D_RCPT, "%d recipients; spamc gets default username %s", (int)expandedrcpt.size(), defaultuser); - argv[argc++] = defaultuser; - } else - { - // There is only 1 recipient so we pass the username - // (converted to lowercase) to SPAMC. Don't worry about - // freeing this memory as we're exec()ing anyhow. - if (flag_full_email) - argv[argc] = strlwr(strdup(full_user().c_str())); - else - argv[argc] = strlwr(strdup(local_user().c_str())); - - debug(D_RCPT, "spamc gets %s", argv[argc]); - - argc++; - } + argv[argc++] = spamc_user; } if (spamdhost) { @@@@ -2033,7 +1984,7 @@@@ cmp_nocase_partial(const string& s, cons string::const_iterator p=s.begin(); string::const_iterator p2=s2.begin(); - while ( p != s.end() && p2 <= s2.end() ) { + while ( p != s.end() ) { if (toupper(*p) != toupper(*p2)) { debug(D_STR, "c_nc_p: <%s><%s> : miss", s.c_str(), s2.c_str()); @@@@ -2157,5 +2108,71 @@@@ void warnmacro(char *macro, char *scope) warnedmacro = true; } +/* + untrusted-argument-safe popen function - only supports "r" and "w" modes + for simplicity, and always reads stdout and stderr in "r" mode. Call + fclose to close the FILE. +*/ +FILE *popenv(char *const argv[], const char *type) +{ + FILE *iop; + int pdes[2]; + int save_errno; + if ((*type != 'r' && *type != 'w') || type[1]) + { + errno = EINVAL; + return (NULL); + } + if (pipe(pdes) < 0) + return (NULL); + switch (fork()) { + + case -1: /* Error. */ + save_errno = errno; + (void)close(pdes[0]); + (void)close(pdes[1]); + errno = save_errno; + return (NULL); + /* NOTREACHED */ + case 0: /* Child. */ + if (*type == 'r') { + /* + * The dup2() to STDIN_FILENO is repeated to avoid + * writing to pdes[1], which might corrupt the + * parent's copy. This isn't good enough in + * general, since the exit() is no return, so + * the compiler is free to corrupt all the local + * variables. + */ + (void)close(pdes[0]); + (void)dup2(pdes[1], STDOUT_FILENO); + (void)dup2(pdes[1], STDERR_FILENO); + if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) { + (void)close(pdes[1]); + } + } else { + if (pdes[0] != STDIN_FILENO) { + (void)dup2(pdes[0], STDIN_FILENO); + (void)close(pdes[0]); + } + (void)close(pdes[1]); + } + execv(argv[0], argv); + exit(127); + /* NOTREACHED */ + } + + /* Parent; assume fdopen can't fail. */ + if (*type == 'r') { + iop = fdopen(pdes[0], type); + (void)close(pdes[1]); + } else { + iop = fdopen(pdes[1], type); + (void)close(pdes[0]); + } + + return (iop); +} + // }}} // vim6:ai:noexpandtab @ 1.5 log @Memory allocation hygiene fix from PR pkg/44704. spamass-milter forks, allocates memory and then execs, violating locking rules. This commit adds a patch from Juergen Hannken-Illjes that moves the allocation above the fork. TODO: upstream is recently alive again, after 5 years with no releases. Push these fixes upstream. @ text @d1 1 a1 1 $NetBSD: patch-aa,v 1.4 2010/09/10 23:33:42 gdt Exp $ @ 1.4 log @Add patch to not scan authenticated users. Originally from FreeBSD bug report, adapted for pkgsrc by Louis Guillaume. (spamass-milter really needs an active upstream.) @ text @d1 1 a1 1 $NetBSD: patch-aa,v 1.3 2010/04/17 21:11:18 tez Exp $ d3 1 a3 1 This patch has hunks for three separate reasons: d16 3 a18 1 --- spamass-milter.cpp.orig 2010-09-10 15:50:58.000000000 +0000 a164 2 - - debug(D_RCPT, "calling %s", buf); d172 3 d183 1 a183 2 + debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]); d211 60 a270 1 @@@@ -2033,7 +1989,7 @@@@ cmp_nocase_partial(const string& s, cons d279 1 a279 1 @@@@ -2157,5 +2113,71 @@@@ void warnmacro(char *macro, char *scope) @ 1.3 log @Added CVE-2010-1132 patch from: https://bugzilla.redhat.com/attachment.cgi?id=401011 @ text @d1 19 a19 7 $NetBSD: patch-aa,v 1.2 2006/10/12 12:19:09 obache Exp $ Added CVE-2010-1132 patch from: https://bugzilla.redhat.com/attachment.cgi?id=401011 --- spamass-milter.cpp.orig 2010-04-17 16:04:59.724786300 -0500 +++ spamass-milter.cpp 2010-04-17 16:05:04.755469800 -0500 @@@@ -171,10 +171,6 @@@@ d22 1 a22 1 d26 2 a27 1 - d30 37 a66 2 int @@@@ -461,59 +457,24 @@@@ d135 17 a151 1 @@@@ -842,30 +803,19 @@@@ d163 2 a171 3 - debug(D_RCPT, "calling %s", buf); + debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]); d180 2 a181 1 - d191 1 a191 1 @@@@ -890,16 +840,8 @@@@ d209 1 a209 1 @@@@ -2033,7 +1975,7 @@@@ d218 1 a218 1 @@@@ -2157,5 +2099,71 @@@@ @ 1.2 log @Update spamass-milter to 0.3.1, based on patch provided by Jaap Boender via PR 33206. 0.3.1: (2006-03-23) * Ensure wrapped headers always use LF (fix for spamassassin 3.1.1) * Mimic sendmail's Received header even better. Logs a warning to syslog if it can't fetch a sendmail macro that would help. @ text @d1 3 a3 1 $NetBSD: patch-aa,v 1.1 2005/04/07 11:27:48 wiz Exp $ d5 141 a145 3 --- spamass-milter.cpp.orig 2006-03-23 21:41:36.000000000 +0000 +++ spamass-milter.cpp @@@@ -2033,7 +2033,7 @@@@ cmp_nocase_partial(const string& s, cons d154 72 @ 1.2.32.1 log @Pullup ticket #3082 - requested by tez mail/spamass-milter: security patch Revisions pulled up: - mail/spamass-milter/Makefile 1.27 - mail/spamass-milter/distinfo 1.7 - mail/spamass-milter/patches/patch-aa 1.3 - mail/spamass-milter/patches/patch-ab 1.1 --- Module Name: pkgsrc Committed By: tez Date: Sat Apr 17 21:11:18 UTC 2010 Modified Files: pkgsrc/mail/spamass-milter: Makefile distinfo pkgsrc/mail/spamass-milter/patches: patch-aa Added Files: pkgsrc/mail/spamass-milter/patches: patch-ab Log Message: Added CVE-2010-1132 patch from: https://bugzilla.redhat.com/attachment.cgi?id=401011 @ text @d1 1 a1 3 $NetBSD$ Added CVE-2010-1132 patch from: https://bugzilla.redhat.com/attachment.cgi?id=401011 d3 3 a5 141 --- spamass-milter.cpp.orig 2010-04-17 16:04:59.724786300 -0500 +++ spamass-milter.cpp 2010-04-17 16:05:04.755469800 -0500 @@@@ -171,10 +171,6 @@@@ bool flag_expand = false; /* alias/virtusertable expansion */ bool warnedmacro = false; /* have we logged that we couldn't fetch a macro? */ -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ -static pthread_mutex_t popen_mutex = PTHREAD_MUTEX_INITIALIZER; -#endif - // {{{ main() int @@@@ -461,59 +457,24 @@@@ send another copy. The milter API will not let you send the message AND return a failure code to the sender, so this is the only way to do it. */ -#if defined(__FreeBSD__) - int rv; -#endif - -#if defined(HAVE_ASPRINTF) - char *buf; -#else - char buf[1024]; -#endif - char *fmt="%s \"%s\""; + char *popen_argv[3]; FILE *p; -#if defined(HAVE_ASPRINTF) - asprintf(&buf, fmt, SENDMAIL, spambucket); -#else -#if defined(HAVE_SNPRINTF) - snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket); -#else - /* XXX possible buffer overflow here */ - sprintf(buf, fmt, SENDMAIL, spambucket); -#endif -#endif - - debug(D_COPY, "calling %s", buf); -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ - rv = pthread_mutex_lock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv)); - abort(); - } -#endif - p = popen(buf, "w"); + popen_argv[0] = SENDMAIL; + popen_argv[1] = spambucket; + popen_argv[2] = NULL; + + debug(D_COPY, "calling %s %s", SENDMAIL, spambucket); + p = popenv(popen_argv, "w"); if (!p) { - debug(D_COPY, "popen failed(%s). Will not send a copy to spambucket", strerror(errno)); + debug(D_COPY, "popenv failed(%s). Will not send a copy to spambucket", strerror(errno)); } else { // Send message provided by SpamAssassin fwrite(assassin->d().c_str(), assassin->d().size(), 1, p); - pclose(p); p = NULL; + fclose(p); p = NULL; } -#if defined(__FreeBSD__) - rv = pthread_mutex_unlock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv)); - abort(); - } -#endif -#if defined(HAVE_ASPRINTF) - free(buf); -#endif } return SMFIS_REJECT; } @@@@ -842,30 +803,19 @@@@ /* open a pipe to sendmail so we can do address expansion */ char buf[1024]; - char *fmt="%s -bv \"%s\" 2>&1"; - -#if defined(HAVE_SNPRINTF) - snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]); -#else - /* XXX possible buffer overflow here */ - sprintf(buf, fmt, SENDMAIL, envrcpt[0]); -#endif + char *popen_argv[4]; + + popen_argv[0] = SENDMAIL; + popen_argv[1] = "-bv"; + popen_argv[2] = envrcpt[0]; + popen_argv[3] = NULL; - debug(D_RCPT, "calling %s", buf); + debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]); -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ - rv = pthread_mutex_lock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv)); - abort(); - } -#endif - - p = popen(buf, "r"); + p = popenv(popen_argv, "r"); if (!p) { - debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno)); + debug(D_RCPT, "popenv failed(%s). Will not expand aliases", strerror(errno)); assassin->expandedrcpt.push_back(envrcpt[0]); } else { @@@@ -890,16 +840,8 @@@@ assassin->expandedrcpt.push_back(p+7); } } - pclose(p); p = NULL; + fclose(p); p = NULL; } -#if defined(__FreeBSD__) - rv = pthread_mutex_unlock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv)); - abort(); - } -#endif } else { assassin->expandedrcpt.push_back(envrcpt[0]); @@@@ -2033,7 +1975,7 @@@@ a13 72 @@@@ -2157,5 +2099,71 @@@@ warnedmacro = true; } +/* + untrusted-argument-safe popen function - only supports "r" and "w" modes + for simplicity, and always reads stdout and stderr in "r" mode. Call + fclose to close the FILE. +*/ +FILE *popenv(char *const argv[], const char *type) +{ + FILE *iop; + int pdes[2]; + int save_errno; + if ((*type != 'r' && *type != 'w') || type[1]) + { + errno = EINVAL; + return (NULL); + } + if (pipe(pdes) < 0) + return (NULL); + switch (fork()) { + + case -1: /* Error. */ + save_errno = errno; + (void)close(pdes[0]); + (void)close(pdes[1]); + errno = save_errno; + return (NULL); + /* NOTREACHED */ + case 0: /* Child. */ + if (*type == 'r') { + /* + * The dup2() to STDIN_FILENO is repeated to avoid + * writing to pdes[1], which might corrupt the + * parent's copy. This isn't good enough in + * general, since the exit() is no return, so + * the compiler is free to corrupt all the local + * variables. + */ + (void)close(pdes[0]); + (void)dup2(pdes[1], STDOUT_FILENO); + (void)dup2(pdes[1], STDERR_FILENO); + if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) { + (void)close(pdes[1]); + } + } else { + if (pdes[0] != STDIN_FILENO) { + (void)dup2(pdes[0], STDIN_FILENO); + (void)close(pdes[0]); + } + (void)close(pdes[1]); + } + execv(argv[0], argv); + exit(127); + /* NOTREACHED */ + } + + /* Parent; assume fdopen can't fail. */ + if (*type == 'r') { + iop = fdopen(pdes[0], type); + (void)close(pdes[1]); + } else { + iop = fdopen(pdes[1], type); + (void)close(pdes[0]); + } + + return (iop); +} + // }}} // vim6:ai:noexpandtab @ 1.1 log @Update to 0.3.0nb1: Add a patch from Yoshitaka Tokugawa provided in PR 26806, which has also been added to the spamass CVS repository: Always use macro_b, so SA can do future/past validation. It is not a bug, but it makes SA happier. SA 2.x requires "($v/$Z)$?r with $r" part of Received: header. I don't think SA 3.x need this, but keep it for SA 2.x users. There is a bug in cmp_nocase_partial() function. Without my hack, cmp_nocase_partial("X-Spam-", "X-Spam") returns 0 which is incorrect behavior for this function. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- spamass-milter.cpp.orig 2005-02-05 08:03:22.000000000 +0100 d5 1 a5 50 @@@@ -898,13 +898,21 @@@@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp (envelope-from $g)$. */ - const char *macro_b, *macro_s, *macro_j, *macro__; + const char *macro_b, *macro_s, *macro_j, *macro__, *macro_r; + char date[32]; /* sizeof("Mon, 23 Aug 2004 18:28:43 +0900") */ + time_t tval; /* Failure to fetch {b} is not fatal. Without this date SA can't do future/past validation on the Date: header, but sendmail doesn't default to allow milters to see it. */ macro_b = smfi_getsymval(ctx, "b"); + if (!macro_b) + { + (void) time(&tval); + (void) strftime(date, sizeof(date), "%a, %d %b %Y %H:%M:%S %z", localtime(&tval)); + macro_b = date; + } /* Sendmail currently cannot pass us the {s} macro, but I do not know why. Leave this in for the day sendmail is @@@@ -916,6 +924,10 @@@@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp macro_s = sctx->helo; if (!macro_s) macro_s = "nohelo"; + /* Get mailer info. */ + macro_r = smfi_getsymval(ctx, "r"); + if (!macro_r) + macro_r = "SMTP"; /* Assuming it as SMTP */ /* FQDN of this site */ macro_j = smfi_getsymval(ctx, "j"); @@@@ -930,10 +942,10 @@@@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp assassin->output((string)"X-Envelope-From: "+assassin->from()+"\r\n"); assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n"); - if (!macro_b) - assassin->output((string)"Received: from "+macro_s+" ("+macro__+") by "+macro_j+";\r\n"); - else - assassin->output((string)"Received: from "+macro_s+" ("+macro__+") by "+macro_j+"; "+macro_b+"\r\n"); + assassin->output((string)"Received: from "+macro_s + +" ("+macro__+")\n\tby "+macro_j + +" ("+PACKAGE_NAME+"/"+PACKAGE_VERSION /* dummy */ + +") with "+macro_r+";\n\t"+macro_b+"\r\n"); } else assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n"); @@@@ -1965,7 +1977,7 @@@@ cmp_nocase_partial(const string& s, cons d9 1 a9 1 - while ( p != s.end() && p2 != s2.end() ) { @