rpms/spamass-milter/F-11 spamass-milter-0.3.1-popen.patch, 1.2, 1.3 spamass-milter.spec, 1.23, 1.24

Paul Howarth pghmcfc at fedoraproject.org
Mon Apr 19 12:33:06 UTC 2010


Author: pghmcfc

Update of /cvs/pkgs/rpms/spamass-milter/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv7904/F-11

Modified Files:
	spamass-milter-0.3.1-popen.patch spamass-milter.spec 
Log Message:
Fix patch for CVE-2010-1132 to not create a zombie process per email when the -x or -b options are used (#583523)

spamass-milter-0.3.1-popen.patch:
 spamass-milter.cpp |  161 +++++++++++++++++++++++++++--------------------------
 spamass-milter.h   |    1 
 2 files changed, 85 insertions(+), 77 deletions(-)

Index: spamass-milter-0.3.1-popen.patch
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/F-11/spamass-milter-0.3.1-popen.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- spamass-milter-0.3.1-popen.patch	25 Mar 2010 10:58:34 -0000	1.2
+++ spamass-milter-0.3.1-popen.patch	19 Apr 2010 12:33:06 -0000	1.3
@@ -1,6 +1,6 @@
---- spamass-milter.cpp	2010-03-23 20:34:29.069957988 +0000
-+++ spamass-milter.cpp	2010-03-23 20:41:02.082834050 +0000
-@@ -175,10 +175,6 @@ bool flag_full_email = false;		/* pass f
+--- spamass-milter.cpp	2010-04-19 11:47:57.369162724 +0100
++++ spamass-milter.cpp	2010-04-19 11:50:21.404162719 +0100
+@@ -173,10 +173,6 @@ bool flag_full_email = false;		/* pass f
  bool flag_expand = false;	/* alias/virtusertable expansion */
  bool warnedmacro = false;	/* have we logged that we couldn't fetch a macro? */
  
@@ -11,7 +11,7 @@
  // {{{ main()
  
  int
-@@ -492,42 +488,15 @@ assassinate(SMFICTX* ctx, SpamAssassin* 
+@@ -463,42 +459,16 @@ assassinate(SMFICTX* ctx, SpamAssassin* 
  			   send another copy.  The milter API will not let you send the
  			   message AND return a failure code to the sender, so this is
  			   the only way to do it. */
@@ -28,6 +28,7 @@
 +			char sendmail_prog[] = SENDMAIL;
 +			char *const popen_argv[] = { sendmail_prog, spambucket, NULL };
  			FILE *p;
++			pid_t pid;
  
 -#if defined(HAVE_ASPRINTF)
 -			asprintf(&buf, fmt, SENDMAIL, spambucket);
@@ -51,7 +52,7 @@
 -#endif
 -			p = popen(buf, "w");
 +			debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
-+			p = popenv(popen_argv, "w");
++			p = popenv(popen_argv, "w", &pid);
  			if (!p)
  			{
 -				debug(D_COPY, "popen failed(%s).  Will not send a copy to spambucket", strerror(errno));
@@ -59,12 +60,13 @@
  			} else
  			{
  				// Send message provided by SpamAssassin
-@@ -535,19 +504,8 @@ assassinate(SMFICTX* ctx, SpamAssassin* 
+@@ -506,19 +476,9 @@ assassinate(SMFICTX* ctx, SpamAssassin* 
  				{
  					debug(D_COPY, "fwrite incomplete (%s) when copying to spambucket", strerror(errno));
  				}
 -				pclose(p); p = NULL;
 +				fclose(p); p = NULL;
++				waitpid(pid, NULL, 0);
  			}
 -#if defined(__FreeBSD__)
 -			rv = pthread_mutex_unlock(&popen_mutex);
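Review bot: The added `waitpid(pid, NULL, 0);` after `fclose(p)` ignores both its return value and the child's exit status, so an interrupted wait (EINTR) can still leave the sendmail child unreaped, and a failed spambucket delivery goes unlogged. I would retry and record the status, e.g. `int status; while (waitpid(pid, &status, 0) == -1 && errno == EINTR) ;`, followed by a `debug(D_COPY, ...)` line when `!WIFEXITED(status) || WEXITSTATUS(status) != 0`. The same applies to the `waitpid(pid, NULL, 0);` added in the mlfi_envrcpt hunk further down. The body of assassinate() starts and ends outside this hunk.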
@@ -80,7 +82,7 @@
  		}
  		return SMFIS_REJECT;
  	}
-@@ -927,30 +885,16 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp
+@@ -847,30 +807,17 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp
  		/* open a pipe to sendmail so we can do address expansion */
  
  		char buf[1024];
@@ -92,11 +94,13 @@
 -		/* XXX possible buffer overflow here */
 -		sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
 -#endif
--
--		debug(D_RCPT, "calling %s", buf);
 +		char sendmail_prog[] = SENDMAIL;
 +		char sendmail_mode[] = "-bv";
 +		char * const popen_argv[] = { sendmail_prog, sendmail_mode, envrcpt[0], NULL };
++		pid_t pid;
+ 
+-		debug(D_RCPT, "calling %s", buf);
++		debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
  
 -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
 -		rv = pthread_mutex_lock(&popen_mutex);
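Review bot: `envrcpt[0]` is placed in `popen_argv` directly after `-bv` with no end-of-options marker, so a recipient value beginning with `-` would be read by sendmail as an option rather than an address. The value comes from the SMTP envelope; milters normally receive it wrapped in angle brackets, which would make this unlikely, but nothing visible here enforces that. Assuming the installed sendmail honours `--`, I would add `char end_opts[] = "--";` and build the vector as `{ sendmail_prog, sendmail_mode, end_opts, envrcpt[0], NULL }`. mlfi_envrcpt() continues outside this hunk.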
@@ -106,10 +110,9 @@
 -			abort();
 -		}		
 -#endif
-+		debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
- 
+-
 -		p = popen(buf, "r");
-+		p = popenv(popen_argv, "r");
++		p = popenv(popen_argv, "r", &pid);
  		if (!p)
  		{
 -			debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
@@ -117,12 +120,13 @@
  			assassin->expandedrcpt.push_back(envrcpt[0]);
  		} else
  		{
-@@ -975,16 +919,8 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp
+@@ -895,16 +842,9 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcp
  					assassin->expandedrcpt.push_back(p+7);
  				}
  			}
 -			pclose(p); p = NULL;
 +			fclose(p); p = NULL;
++			waitpid(pid, NULL, 0);
  		}
 -#if defined(__FreeBSD__)
 -		rv = pthread_mutex_unlock(&popen_mutex);
@@ -135,20 +139,21 @@
  	} else
  	{
  		assassin->expandedrcpt.push_back(envrcpt[0]);
-@@ -2254,5 +2190,71 @@ void warnmacro(const char *macro, const 
+@@ -2162,5 +2102,72 @@ void warnmacro(const char *macro, const 
  	warnedmacro = true;
  }
  
 +/*
 +   untrusted-argument-safe popen function - only supports "r" and "w" modes
 +   for simplicity, and always reads stdout and stderr in "r" mode.  Call
-+   fclose to close the FILE.
++   fclose to close the FILE, and waitpid to reap the child process (pid).
 +*/
-+FILE *popenv(char *const argv[], const char *type)
++FILE *popenv(char *const argv[], const char *type, pid_t *pid)
 +{
 +	FILE *iop;
 +	int pdes[2];
 +	int save_errno;
++
 +	if ((*type != 'r' && *type != 'w') || type[1])
 +	{
 +		errno = EINVAL;
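Review bot: The updated comment above popenv() tells callers to waitpid on `pid` but does not say when `*pid` holds a usable value. The pipe() failure path in the next hunk returns NULL before `*pid` is written (the EINVAL path presumably does too, its return is not visible here), and `pid` is dereferenced unconditionally at the fork. I would extend the comment with something like `pid must be non-NULL; *pid is only valid when the return value is non-NULL, and must not be passed to waitpid otherwise.` Both current callers already follow this, so this is documentation only.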
@@ -156,7 +161,7 @@
 +	}
 +	if (pipe(pdes) < 0)
 +		return (NULL);
-+	switch (fork()) {
++	switch (*pid = fork()) {
 +	
 +	case -1:			/* Error. */
 +		save_errno = errno;
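Review bot: `pipe(pdes)` creates both descriptors without close-on-exec. The removed popen_mutex code suggests these callbacks run on several threads, so a sendmail child forked concurrently from another thread can inherit this pipe's ends. Because callers now block in `waitpid` after `fclose`, a "w"-mode child might not see EOF until that unrelated child exits, stalling the milter thread. Whether the child branch closes stray descriptors is outside this hunk, so this is inferred. Where available, `pipe2(pdes, O_CLOEXEC)` would avoid it, since `dup2` clears the flag on the descriptor the child actually keeps.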
@@ -207,12 +212,12 @@
 +
  // }}}
  // vim6:ai:noexpandtab
---- spamass-milter.h	2010-03-23 20:34:29.070958127 +0000
-+++ spamass-milter.h	2010-03-23 20:34:29.073958016 +0000
-@@ -188,5 +188,6 @@ int ip_in_networklist(struct in_addr ip,
+--- spamass-milter.h	2010-04-19 11:47:57.403162755 +0100
++++ spamass-milter.h	2010-04-19 11:48:32.588162181 +0100
+@@ -186,5 +186,6 @@ int ip_in_networklist(struct in_addr ip,
  void parse_debuglevel(char* string);
  char *strlwr(char *str);
  void warnmacro(const char *macro, const char *scope);
-+FILE *popenv(char *const argv[], const char *type);
++FILE *popenv(char *const argv[], const char *type, pid_t *pid);
  
  #endif


Index: spamass-milter.spec
===================================================================
RCS file: /cvs/pkgs/rpms/spamass-milter/F-11/spamass-milter.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- spamass-milter.spec	27 Mar 2010 11:22:16 -0000	1.23
+++ spamass-milter.spec	19 Apr 2010 12:33:06 -0000	1.24
@@ -1,7 +1,7 @@
 Summary:	Milter (mail filter) for spamassassin
 Name:		spamass-milter
 Version:	0.3.1
-Release:	18%{?dist}
+Release:	19%{?dist}
 License:	GPLv2+
 Group:		System Environment/Daemons
 URL:		http://savannah.nongnu.org/projects/spamass-milt/
@@ -57,7 +57,7 @@ socket to communicate with the Postfix M
 # Preliminary upstream patch for input validation bug letting
 # remote users execute arbitrary code (#572117, #572119)
 # http://savannah.nongnu.org/bugs/?29136
-# (patch modified to apply after patch0)
+# (patch modified to apply after patch0, and fix zombie processes - #583523)
 %patch1 -p0 -b .popen
 
 # Add -I option to ignore (don't check) mail from authenticated users
@@ -147,6 +147,10 @@ fi
 %dir %attr(-,sa-milt,postfix) %{_localstatedir}/run/spamass-milter/postfix/
 
 %changelog
+* Mon Apr 19 2010 Paul Howarth <paul at city-fan.org> 0.3.1-19
+- Fix patch for CVE-2010-1132 to not create a zombie process per email when
+  the -x or -b options are used (#583523)
+
 * Tue Mar 23 2010 Paul Howarth <paul at city-fan.org> 0.3.1-18
 - Add patch to get rid of compiler warnings
 - Reorder and re-base patches to optimize chances of upstream accepting them


