Prereq: "2.4.7" diff -cr /var/tmp/postfix-2.4.7/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.4.7/src/global/mail_version.h Thu Jan 31 19:58:50 2008 --- ./src/global/mail_version.h Fri Jul 25 20:44:31 2008 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20080131" ! #define MAIL_VERSION_NUMBER "2.4.7" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20080814" ! #define MAIL_VERSION_NUMBER "2.4.8" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr /var/tmp/postfix-2.4.7/HISTORY ./HISTORY *** /var/tmp/postfix-2.4.7/HISTORY Thu Jan 10 20:24:36 2008 --- ./HISTORY Tue Aug 5 14:05:12 2008 *************** *** 13599,13601 **** --- 13599,13649 ---- prevent dovecot-auth memory wastage. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c. + 20080228 + + Bugfix: bounce(8) segfault on one-line template text. + Problem found by Sacha Chlytor. File: bounce/bounce_template.c. + + 20080411 + + Bugfix (introduced Postfix 2.0): after "warn_if_reject + reject_unlisted_recipient/sender", the SMTP server mistakenly + remembered that recipient/sender validation was already + done. File: smtpd/smtpd_check.c. + + 20080428 + + Cleanup: the proxy_read_maps (Postfix 2.0) default setting + was not updated when adding sender/recipient_bcc_maps + (Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3). + File: global/mail_params.h. + + 20080509 + + Bugfix: null-terminate CN comment string after sanitization. + File: smtpd/smtpd.c. + + 20080603 + + Workaround: avoid "bad address pattern" errors with non-address + patterns in namadr_list_match() calls. File: util/match_ops.c. 
+ + 20080804 + + Bugfix: dangling pointer in vstring_sprintf_prepend(). + File: util/vstring.c. + + 20080814 + + Security: some systems have changed their link() semantics, + and will hardlink a symlink, contrary to POSIX and XPG4. + Sebastian Krahmer, SuSE. File: util/safe_open.c. + + The solution introduces the following incompatible change: + when the target of mail delivery is a symlink, the parent + directory of that symlink must now be writable by root only + (in addition to the already existing requirement that the + symlink itself is owned by root). This change will break + legitimate configurations that deliver mail to a symbolic + link in a directory with less restrictive permissions. + diff -cr /var/tmp/postfix-2.4.7/src/bounce/bounce_template.c ./src/bounce/bounce_template.c *** /var/tmp/postfix-2.4.7/src/bounce/bounce_template.c Fri Mar 24 14:09:41 2006 --- ./src/bounce/bounce_template.c Mon Mar 17 11:17:52 2008 *************** *** 343,349 **** * Is this 7bit or 8bit text? If the character set is US-ASCII, then * don't allow 8bit text. Don't assume 8bit when charset was changed. */ ! #define NON_ASCII(p) (*(p) && !allascii((p))) if (NON_ASCII(cp) || NON_ASCII(tval)) { if (strcasecmp(tp->mime_charset, "us-ascii") == 0) { --- 343,349 ---- * Is this 7bit or 8bit text? If the character set is US-ASCII, then * don't allow 8bit text. Don't assume 8bit when charset was changed. */ ! #define NON_ASCII(p) ((p) && *(p) && !allascii((p))) if (NON_ASCII(cp) || NON_ASCII(tval)) { if (strcasecmp(tp->mime_charset, "us-ascii") == 0) { diff -cr /var/tmp/postfix-2.4.7/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-2.4.7/src/global/mail_params.h Tue Jul 10 19:47:45 2007 --- ./src/global/mail_params.h Fri May 9 09:33:34 2008 *************** *** 2001,2007 **** " $" VAR_RCPT_CANON_MAPS \ " $" VAR_RELOCATED_MAPS \ " $" VAR_TRANSPORT_MAPS \ ! 
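Review bot: In src/bounce/bounce_template.c the new `(p) &&` guard in NON_ASCII() makes the macro accept a null pointer, but nothing nearby says which of `cp` or `tval` can be null or why. A short comment above the macro would keep the guard from being removed later as redundant, for example `/* cp or tval may be null for a one-line template (assumed from the HISTORY entry; confirm). */`. The macro also expands `p` three times, which is harmless for the two plain variables passed here but would not be for an argument with side effects. The enclosing function starts and ends outside the hunk.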
" $" VAR_MYNETWORKS extern char *var_proxy_read_maps; /* --- 2001,2011 ---- " $" VAR_RCPT_CANON_MAPS \ " $" VAR_RELOCATED_MAPS \ " $" VAR_TRANSPORT_MAPS \ ! " $" VAR_MYNETWORKS \ ! " $" VAR_SEND_BCC_MAPS \ ! " $" VAR_RCPT_BCC_MAPS \ ! " $" VAR_SMTP_GENERIC_MAPS \ ! " $" VAR_LMTP_GENERIC_MAPS extern char *var_proxy_read_maps; /* diff -cr /var/tmp/postfix-2.4.7/src/smtpd/smtpd.c ./src/smtpd/smtpd.c *** /var/tmp/postfix-2.4.7/src/smtpd/smtpd.c Tue Jul 31 11:35:26 2007 --- ./src/smtpd/smtpd.c Tue May 6 20:10:44 2008 *************** *** 2426,2431 **** --- 2426,2432 ---- } while (pc-- > 0) VSTRING_ADDCH(comment_string, ')'); + VSTRING_TERMINATE(comment_string); } /* data_cmd - process DATA command */ diff -cr /var/tmp/postfix-2.4.7/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c *** /var/tmp/postfix-2.4.7/src/smtpd/smtpd_check.c Tue Sep 11 10:17:20 2007 --- ./src/smtpd/smtpd_check.c Fri May 9 09:36:03 2008 *************** *** 4277,4283 **** return (0); if (state->recipient_rcptmap_checked == 1) return (0); ! state->recipient_rcptmap_checked = 1; return (check_rcpt_maps(state, recipient, SMTPD_NAME_RECIPIENT)); } --- 4277,4285 ---- return (0); if (state->recipient_rcptmap_checked == 1) return (0); ! if (state->warn_if_reject == 0) ! /* We really validate the recipient address. */ ! state->recipient_rcptmap_checked = 1; return (check_rcpt_maps(state, recipient, SMTPD_NAME_RECIPIENT)); } diff -cr /var/tmp/postfix-2.4.7/src/util/match_ops.c ./src/util/match_ops.c *** /var/tmp/postfix-2.4.7/src/util/match_ops.c Thu Jun 15 14:07:16 2006 --- ./src/util/match_ops.c Fri Jun 6 15:52:05 2008 *************** *** 234,245 **** * Postfix; if not, then Postfix has no business dealing with IPv4 * addresses anyway. * ! * - Don't bother if the pattern is a bare IPv4 address. That form would ! * have been matched with the strcasecmp() call above. * ! * - Don't bother if the pattern isn't an address or address/mask. 
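Review bot: In src/global/mail_params.h the proxy_read_maps default is a hand-maintained list, and this hunk shows it had fallen behind parameters added in two earlier releases. Since this list names the tables the proxymap service is allowed to open for its clients, a reminder at the definition would help, for example `/* Keep in sync: add every new *_maps parameter that may use proxy: tables. */`. Sites that override proxy_read_maps in their own configuration do not pick up the four new entries, which is worth a line in the release notes. The macro definition starts outside the hunk.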
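Review bot: In src/smtpd/smtpd.c the added `VSTRING_TERMINATE(comment_string);` is the only thing that makes the buffer safe to read as a C string after the run of VSTRING_ADDCH() calls, and the code does not say so. Without the terminator, a reader of the string could pick up stale bytes left over from an earlier, longer value, so the invariant deserves a comment such as `/* VSTRING_ADDCH() does not null-terminate; do it before the result is used as a string. */`. The `while (pc-- > 0)` loop body is unbraced, which makes it easy to misread the new call as part of the loop; bracing the loop would remove the doubt. The function starts outside the hunk.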
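Review bot: In src/smtpd/smtpd_check.c the new `if (state->warn_if_reject == 0)` has a comment between the condition and its single unbraced statement, so a later edit that adds a second statement there would silently fall outside the `if`. Bracing it costs nothing: `if (state->warn_if_reject == 0) { state->recipient_rcptmap_checked = 1; }`, with the comment moved inside the braces. The HISTORY entry in this patch describes the bug for both recipient and sender validation, but only the recipient flag is changed in the visible hunk; if the sender path caches its result the same way, it probably needs the same guard. The function starts outside the hunk.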
*/ if (!strchr(addr, ':') != !strchr(pattern, ':') || pattern[strspn(pattern, V4_ADDR_STRING_CHARS)] == 0 || pattern[strspn(pattern, V6_ADDR_STRING_CHARS "[]/")] != 0) return (0); --- 234,253 ---- * Postfix; if not, then Postfix has no business dealing with IPv4 * addresses anyway. * ! * - Don't bother unless the pattern is either an IPv6 address or net/mask. * ! * We can safely skip IPv4 address patterns because their form is ! * unambiguous and they did not match in the strcasecmp() calls above. ! * ! * XXX We MUST skip (parent) domain names, which may appear in NAMADR_LIST ! * input, to avoid triggering false cidr_match_parse() errors. ! * ! * The last two conditions below are for backwards compatibility with ! * earlier Postfix versions: don't abort with fatal errors on junk that ! * was silently ignored (principle of least astonishment). */ if (!strchr(addr, ':') != !strchr(pattern, ':') + || pattern[strcspn(pattern, ":/")] == 0 || pattern[strspn(pattern, V4_ADDR_STRING_CHARS)] == 0 || pattern[strspn(pattern, V6_ADDR_STRING_CHARS "[]/")] != 0) return (0); diff -cr /var/tmp/postfix-2.4.7/src/util/safe_open.c ./src/util/safe_open.c *** /var/tmp/postfix-2.4.7/src/util/safe_open.c Sun Jun 4 19:04:49 2006 --- ./src/util/safe_open.c Mon Aug 4 16:47:18 2008 *************** *** 83,88 **** --- 83,89 ---- #include #include #include + #include #include /* safe_open_exist - open existing file */ *************** *** 138,150 **** * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks * owned by a non-root user. This would open a security hole when * delivering mail to a world-writable mailbox directory. */ else if (lstat(path, &lstat_st) < 0) { vstring_sprintf(why, "file status changed unexpectedly: %m"); errno = EPERM; } else if (S_ISLNK(lstat_st.st_mode)) { ! if (lstat_st.st_uid == 0) ! return (fp); vstring_sprintf(why, "file is a symbolic link"); errno = EPERM; } else if (fstat_st->st_dev != lstat_st.st_dev --- 139,167 ---- * for symlinks owned by root. 
NEVER, NEVER, make exceptions for symlinks * owned by a non-root user. This would open a security hole when * delivering mail to a world-writable mailbox directory. + * + * Sebastian Krahmer of SuSE brought to my attention that some systems have + * changed their semantics of link(symlink, newpath), such that the + * result is a hardlink to the symlink. For this reason, we now also + * require that the symlink's parent directory is writable only by root. */ else if (lstat(path, &lstat_st) < 0) { vstring_sprintf(why, "file status changed unexpectedly: %m"); errno = EPERM; } else if (S_ISLNK(lstat_st.st_mode)) { ! if (lstat_st.st_uid == 0) { ! VSTRING *parent_buf = vstring_alloc(100); ! const char *parent_path = sane_dirname(parent_buf, path); ! struct stat parent_st; ! int parent_ok; ! ! parent_ok = (stat(parent_path, &parent_st) == 0 /* not lstat */ ! && parent_st.st_uid == 0 ! && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0); ! vstring_free(parent_buf); ! if (parent_ok) ! return (fp); ! } vstring_sprintf(why, "file is a symbolic link"); errno = EPERM; } else if (fstat_st->st_dev != lstat_st.st_dev diff -cr /var/tmp/postfix-2.4.7/src/util/vstring.c ./src/util/vstring.c *** /var/tmp/postfix-2.4.7/src/util/vstring.c Sat Jan 7 21:08:16 2006 --- ./src/util/vstring.c Mon Aug 4 16:23:33 2008 *************** *** 624,629 **** --- 624,630 ---- result_len = VSTRING_LEN(vp); /* Construct: old|new|old|free */ + VSTRING_SPACE(vp, old_len); vstring_memcat(vp, vstring_str(vp), old_len); /* Construct: new|old|free */
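Review bot: In src/util/safe_open.c a root-owned symlink that fails the new parent-directory test falls through to the old `"file is a symbolic link"` message, so the log gives no hint that the directory's owner or mode is what blocked delivery. Because the HISTORY entry says this change breaks existing configurations, the `parent_ok == 0` case should set its own message instead of the generic one, for example `vstring_sprintf(why, "symbolic link parent directory is not owned by root or is group/other writable");`. A failed `stat()` on the parent is folded into the same result and its errno is lost. The test also looks only at the immediate parent's owner and mode bits, and a comment should say that directories further up the path and any ACLs are not examined. The function starts and ends outside the hunk.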
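Review bot: In src/util/vstring.c the added `VSTRING_SPACE(vp, old_len);` presumably works by reserving room before the next line passes `vstring_str(vp)` as the copy source, and nothing in the code records that ordering requirement. Without the reservation, the append may grow the buffer and leave the source pointer aimed at freed memory, which appears to be the dangling pointer named in the HISTORY entry. I would add `/* Reserve space first, so that vstring_memcat() cannot reallocate while it copies from vstring_str(vp). */` above the call. The function starts and ends outside the hunk.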