rpms/spamass-milter/F-11 spamass-milter-0.3.1-popen.patch, 1.2, 1.3 spamass-milter.spec, 1.23, 1.24
Paul Howarth
pghmcfc at fedoraproject.org
Mon Apr 19 12:33:06 UTC 2010
Author: pghmcfc
Update of /cvs/pkgs/rpms/spamass-milter/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv7904/F-11
Modified Files:
spamass-milter-0.3.1-popen.patch spamass-milter.spec
Log Message:
Fix patch for CVE-2010-1132 to not create a zombie process per email when the -x or -b options are used (#583523)
spamass-milter-0.3.1-popen.patch:
spamass-milter.cpp | 161 +++++++++++++++++++++++++++--------------------------
spamass-milter.h | 1
2 files changed, 85 insertions(+), 77 deletions(-)
Index: spamass-milter-0.3.1-popen.patch
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/F-11/spamass-milter-0.3.1-popen.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- spamass-milter-0.3.1-popen.patch 25 Mar 2010 10:58:34 -0000 1.2
+++ spamass-milter-0.3.1-popen.patch 19 Apr 2010 12:33:06 -0000 1.3
@@ -1,6 +1,6 @@
---- spamass-milter.cpp 2010-03-23 20:34:29.069957988 +0000
-+++ spamass-milter.cpp 2010-03-23 20:41:02.082834050 +0000
-@@ -175,10 +175,6 @@ bool flag_full_email = false; /* pass f
+--- spamass-milter.cpp 2010-04-19 11:47:57.369162724 +0100
++++ spamass-milter.cpp 2010-04-19 11:50:21.404162719 +0100
+@@ -173,10 +173,6 @@ bool flag_full_email = false; /* pass f
bool flag_expand = false; /* alias/virtusertable expansion */
bool warnedmacro = false; /* have we logged that we couldn't fetch a macro? */
@@ -11,7 +11,7 @@
// {{{ main()
int
-@@ -492,42 +488,15 @@ assassinate(SMFICTX* ctx, SpamAssassin*
+@@ -463,42 +459,16 @@ assassinate(SMFICTX* ctx, SpamAssassin*
send another copy. The milter API will not let you send the
message AND return a failure code to the sender, so this is
the only way to do it. */
@@ -28,6 +28,7 @@
+ char sendmail_prog[] = SENDMAIL;
+ char *const popen_argv[] = { sendmail_prog, spambucket, NULL };
FILE *p;
++ pid_t pid;
-#if defined(HAVE_ASPRINTF)
- asprintf(&buf, fmt, SENDMAIL, spambucket);
@@ -51,7 +52,7 @@
-#endif
- p = popen(buf, "w");
+ debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
-+ p = popenv(popen_argv, "w");
++ p = popenv(popen_argv, "w", &pid);
if (!p)
{
- debug(D_COPY, "popen failed(%s). Will not send a copy to spambucket", strerror(errno));
@@ -59,12 +60,13 @@
} else
{
// Send message provided by SpamAssassin
-@@ -535,19 +504,8 @@ assassinate(SMFICTX* ctx, SpamAssassin*
+@@ -506,19 +476,9 @@ assassinate(SMFICTX* ctx, SpamAssassin*
{
debug(D_COPY, "fwrite incomplete (%s) when copying to spambucket", strerror(errno));
}
- pclose(p); p = NULL;
+ fclose(p); p = NULL;
++ waitpid(pid, NULL, 0);
}
-#if defined(__FreeBSD__)
- rv = pthread_mutex_unlock(&popen_mutex);
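Review bot: The added `waitpid(pid, NULL, 0);` after `fclose(p)` discards its return value, so a call interrupted by a signal (EINTR) would leave the child unreaped, which is the zombie this revision sets out to remove. Passing NULL for the status also means a failing sendmail exit while copying to the spambucket is never logged. Consider `int st; while (waitpid(pid, &st, 0) == -1 && errno == EINTR) ;` followed by a `debug(D_COPY, ...)` line when `st` does not indicate a clean exit. The same applies to the `waitpid` added in the mlfi_envrcpt hunk (`@@ -117,12 +120,13 @@`); both enclosing functions extend outside the hunks shown.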
@@ -80,7 +82,7 @@
}
return SMFIS_REJECT;
}
-@@ -927,30 +885,16 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp
+@@ -847,30 +807,17 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp
/* open a pipe to sendmail so we can do address expansion */
char buf[1024];
@@ -92,11 +94,13 @@
- /* XXX possible buffer overflow here */
- sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
-#endif
--
-- debug(D_RCPT, "calling %s", buf);
+ char sendmail_prog[] = SENDMAIL;
+ char sendmail_mode[] = "-bv";
+ char * const popen_argv[] = { sendmail_prog, sendmail_mode, envrcpt[0], NULL };
++ pid_t pid;
+
+- debug(D_RCPT, "calling %s", buf);
++ debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
- rv = pthread_mutex_lock(&popen_mutex);
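Review bot: `envrcpt[0]` is placed directly after `-bv` in `popen_argv`, so although popenv takes the shell out of the path, a recipient string beginning with `-` would still be read by sendmail as an option rather than an address. Whether the MTA can hand such a value to the milter is not visible here, but an end-of-options marker closes the gap cheaply, assuming the installed sendmail binary honours `--`: `char opt_end[] = "--";` and `char * const popen_argv[] = { sendmail_prog, sendmail_mode, opt_end, envrcpt[0], NULL };`. The debug format would then become `"calling %s -bv -- %s"`. mlfi_envrcpt begins and ends outside this hunk.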
@@ -106,10 +110,9 @@
- abort();
- }
-#endif
-+ debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
-
+-
- p = popen(buf, "r");
-+ p = popenv(popen_argv, "r");
++ p = popenv(popen_argv, "r", &pid);
if (!p)
{
- debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
@@ -117,12 +120,13 @@
assassin->expandedrcpt.push_back(envrcpt[0]);
} else
{
-@@ -975,16 +919,8 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp
+@@ -895,16 +842,9 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp
assassin->expandedrcpt.push_back(p+7);
}
}
- pclose(p); p = NULL;
+ fclose(p); p = NULL;
++ waitpid(pid, NULL, 0);
}
-#if defined(__FreeBSD__)
- rv = pthread_mutex_unlock(&popen_mutex);
@@ -135,20 +139,21 @@
} else
{
assassin->expandedrcpt.push_back(envrcpt[0]);
-@@ -2254,5 +2190,71 @@ void warnmacro(const char *macro, const
+@@ -2162,5 +2102,72 @@ void warnmacro(const char *macro, const
warnedmacro = true;
}
+/*
+ untrusted-argument-safe popen function - only supports "r" and "w" modes
+ for simplicity, and always reads stdout and stderr in "r" mode. Call
-+ fclose to close the FILE.
++ fclose to close the FILE, and waitpid to reap the child process (pid).
+*/
-+FILE *popenv(char *const argv[], const char *type)
++FILE *popenv(char *const argv[], const char *type, pid_t *pid)
+{
+ FILE *iop;
+ int pdes[2];
+ int save_errno;
++
+ if ((*type != 'r' && *type != 'w') || type[1])
+ {
+ errno = EINVAL;
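Review bot: The header comment describes the new `pid` out-parameter only as something to pass to waitpid, but the `EINVAL` return in this hunk happens before `*pid` is assigned (the store is in `switch (*pid = fork())` in the following hunk), so the caller's variable is indeterminate on that path and on the `pipe()` failure path. The comment should state the contract, for example `*pid is written only once fork() has been attempted; pass it to waitpid only when popenv returns non-NULL.` The pointer is also dereferenced without a NULL check, so either document that `pid` must be non-NULL or guard the store. popenv's body continues outside this hunk.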
@@ -156,7 +161,7 @@
+ }
+ if (pipe(pdes) < 0)
+ return (NULL);
-+ switch (fork()) {
++ switch (*pid = fork()) {
+
+ case -1: /* Error. */
+ save_errno = errno;
@@ -207,12 +212,12 @@
+
// }}}
// vim6:ai:noexpandtab
---- spamass-milter.h 2010-03-23 20:34:29.070958127 +0000
-+++ spamass-milter.h 2010-03-23 20:34:29.073958016 +0000
-@@ -188,5 +188,6 @@ int ip_in_networklist(struct in_addr ip,
+--- spamass-milter.h 2010-04-19 11:47:57.403162755 +0100
++++ spamass-milter.h 2010-04-19 11:48:32.588162181 +0100
+@@ -186,5 +186,6 @@ int ip_in_networklist(struct in_addr ip,
void parse_debuglevel(char* string);
char *strlwr(char *str);
void warnmacro(const char *macro, const char *scope);
-+FILE *popenv(char *const argv[], const char *type);
++FILE *popenv(char *const argv[], const char *type, pid_t *pid);
#endif
Index: spamass-milter.spec
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/F-11/spamass-milter.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- spamass-milter.spec 27 Mar 2010 11:22:16 -0000 1.23
+++ spamass-milter.spec 19 Apr 2010 12:33:06 -0000 1.24
@@ -1,7 +1,7 @@
Summary: Milter (mail filter) for spamassassin
Name: spamass-milter
Version: 0.3.1
-Release: 18%{?dist}
+Release: 19%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: http://savannah.nongnu.org/projects/spamass-milt/
@@ -57,7 +57,7 @@ socket to communicate with the Postfix M
# Preliminary upstream patch for input validation bug letting
# remote users execute arbitrary code (#572117, #572119)
# http://savannah.nongnu.org/bugs/?29136
-# (patch modified to apply after patch0)
+# (patch modified to apply after patch0, and fix zombie processes - #583523)
%patch1 -p0 -b .popen
# Add -I option to ignore (don't check) mail from authenticated users
@@ -147,6 +147,10 @@ fi
%dir %attr(-,sa-milt,postfix) %{_localstatedir}/run/spamass-milter/postfix/
%changelog
+* Mon Apr 19 2010 Paul Howarth <paul at city-fan.org> 0.3.1-19
+- Fix patch for CVE-2010-1132 to not create a zombie process per email when
+ the -x or -b options are used (#583523)
+
* Tue Mar 23 2010 Paul Howarth <paul at city-fan.org> 0.3.1-18
- Add patch to get rid of compiler warnings
- Reorder and re-base patches to optimize chances of upstream accepting them