 @@ -1,13 +1,225 @@
-$NetBSD: patch-aa,v 1.2 2006/10/12 12:19:09 obache Exp $
+$NetBSD: patch-aa,v 1.2.32.1 2010/04/19 09:15:47 tron Exp $
 Added CVE-2010-1132 patch from:
  https://bugzilla.redhat.com/attachment.cgi?id=401011
---- spamass-milter.cpp.orig	2006-03-23 21:41:36.000000000 +0000
+--- spamass-milter.cpp.orig	2010-04-17 16:04:59.724786300 -0500
-+++ spamass-milter.cpp
++++ spamass-milter.cpp	2010-04-17 16:05:04.755469800 -0500
-@@ -2033,7 +2033,7 @@ cmp_nocase_partial(const string& s, cons
+@@ -171,10 +171,6 @@
  bool flag_expand = false;	/* alias/virtusertable expansion */
  bool warnedmacro = false;	/* have we logged that we couldn't fetch a macro? */
 -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
 -static pthread_mutex_t popen_mutex = PTHREAD_MUTEX_INITIALIZER;
 -#endif
+-
  // {{{ main()
  int
@@ -461,59 +457,24 @@
  			   send another copy.  The milter API will not let you send the
  			   message AND return a failure code to the sender, so this is
  			   the only way to do it. */
 -#if defined(__FreeBSD__)
 -			int rv;
 -#endif
+-
 -#if defined(HAVE_ASPRINTF)
 -			char *buf;
 -#else
 -			char buf[1024];
 -#endif
 -			char *fmt="%s \"%s\"";
 +			char *popen_argv[3];
  			FILE *p;
 -#if defined(HAVE_ASPRINTF)
 -			asprintf(&buf, fmt, SENDMAIL, spambucket);
 -#else
 -#if defined(HAVE_SNPRINTF)
 -			snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket);
 -#else
 -			/* XXX possible buffer overflow here */
 -			sprintf(buf, fmt, SENDMAIL, spambucket);
 -#endif
 -#endif
+-
 -			debug(D_COPY, "calling %s", buf);
 -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
 -			rv = pthread_mutex_lock(&popen_mutex);
 -			if (rv)
 -			{
 -				debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
 -				abort();
 -			}
 -#endif
 -			p = popen(buf, "w");
 +			popen_argv[0] = SENDMAIL;
 +			popen_argv[1] = spambucket;
 +			popen_argv[2] = NULL;
++
 +			debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
 +			p = popenv(popen_argv, "w");
  			if (!p)
+ 			{
 -				debug(D_COPY, "popen failed(%s).  Will not send a copy to spambucket", strerror(errno));
 +				debug(D_COPY, "popenv failed(%s).  Will not send a copy to spambucket", strerror(errno));
  			} else
+ 			{
  				// Send message provided by SpamAssassin
  				fwrite(assassin->d().c_str(), assassin->d().size(), 1, p);
 -				pclose(p); p = NULL;
 +				fclose(p); p = NULL;
+ 			}
 -#if defined(__FreeBSD__)
 -			rv = pthread_mutex_unlock(&popen_mutex);
 -			if (rv)
 -			{
 -				debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
 -				abort();
 -			}
 -#endif
 -#if defined(HAVE_ASPRINTF)
 -			free(buf);
 -#endif
+ 		}
  		return SMFIS_REJECT;
+ 	}
@@ -842,30 +803,19 @@
  		/* open a pipe to sendmail so we can do address expansion */
  		char buf[1024];
 -		char *fmt="%s -bv \"%s\" 2>&1";
+-
 -#if defined(HAVE_SNPRINTF)
 -		snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
 -#else
 -		/* XXX possible buffer overflow here */
 -		sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
 -#endif
 +		char *popen_argv[4];
++
 +		popen_argv[0] = SENDMAIL;
 +		popen_argv[1] = "-bv";
 +		popen_argv[2] = envrcpt[0];
 +		popen_argv[3] = NULL;
 -		debug(D_RCPT, "calling %s", buf);
 +		debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
 -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
 -		rv = pthread_mutex_lock(&popen_mutex);
 -		if (rv)
 -		{
 -			debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
 -			abort();
 -		}
 -#endif
+-
 -		p = popen(buf, "r");
 +		p = popenv(popen_argv, "r");
  		if (!p)
+ 		{
 -			debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
 +			debug(D_RCPT, "popenv failed(%s).  Will not expand aliases", strerror(errno));
  			assassin->expandedrcpt.push_back(envrcpt[0]);
  		} else
+ 		{
@@ -890,16 +840,8 @@
  					assassin->expandedrcpt.push_back(p+7);
+ 				}
+ 			}
 -			pclose(p); p = NULL;
 +			fclose(p); p = NULL;
+ 		}
 -#if defined(__FreeBSD__)
 -		rv = pthread_mutex_unlock(&popen_mutex);
 -		if (rv)
 -		{
 -			debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
 -			abort();
 -		}
 -#endif
  	} else
+ 	{
  		assassin->expandedrcpt.push_back(envrcpt[0]);
@@ -2033,7 +1975,7 @@
    string::const_iterator p=s.begin();
    string::const_iterator p2=s2.begin();
 -  while ( p != s.end() && p2 <= s2.end() ) {
 +  while ( p != s.end() ) {
      if (toupper(*p) != toupper(*p2))
+     {
        debug(D_STR, "c_nc_p: <%s><%s> : miss", s.c_str(), s2.c_str());
@@ -2157,5 +2099,71 @@
  	warnedmacro = true;
+ }
 +/*
 +   untrusted-argument-safe popen function - only supports "r" and "w" modes
 +   for simplicity, and always reads stdout and stderr in "r" mode.  Call
 +   fclose to close the FILE.
 +*/
 +FILE *popenv(char *const argv[], const char *type)
 +{
 +	FILE *iop;
 +	int pdes[2];
 +	int save_errno;
 +	if ((*type != 'r' && *type != 'w') || type[1])
 +	{
 +		errno = EINVAL;
 +		return (NULL);
 +	}
 +	if (pipe(pdes) < 0)
 +		return (NULL);
 +	switch (fork()) {
++
 +	case -1:			/* Error. */
 +		save_errno = errno;
 +		(void)close(pdes[0]);
 +		(void)close(pdes[1]);
 +		errno = save_errno;
 +		return (NULL);
 +		/* NOTREACHED */
 +	case 0:				/* Child. */
 +		if (*type == 'r') {
 +			/*
 +			 * The dup2() to STDIN_FILENO is repeated to avoid
 +			 * writing to pdes[1], which might corrupt the
 +			 * parent's copy.  This isn't good enough in
 +			 * general, since the exit() is no return, so
 +			 * the compiler is free to corrupt all the local
 +			 * variables.
 +			 */
 +			(void)close(pdes[0]);
 +			(void)dup2(pdes[1], STDOUT_FILENO);
 +			(void)dup2(pdes[1], STDERR_FILENO);
 +			if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) {
 +				(void)close(pdes[1]);
 +			}
 +		} else {
 +			if (pdes[0] != STDIN_FILENO) {
 +				(void)dup2(pdes[0], STDIN_FILENO);
 +				(void)close(pdes[0]);
 +			}
 +			(void)close(pdes[1]);
 +		}
 +		execv(argv[0], argv);
 +		exit(127);
 +		/* NOTREACHED */
 +	}
++
 +	/* Parent; assume fdopen can't fail. */
 +	if (*type == 'r') {
 +		iop = fdopen(pdes[0], type);
 +		(void)close(pdes[1]);
 +	} else {
 +		iop = fdopen(pdes[1], type);
 +		(void)close(pdes[0]);
 +	}
++
 +	return (iop);
 +}
++
  // }}}
  // vim6:ai:noexpandtab

 @@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.26 2008/06/20 01:09:24 joerg Exp $
+# $NetBSD: Makefile,v 1.26.20.1 2010/04/19 09:15:47 tron Exp $
+#
 DISTNAME=	spamass-milter-0.3.1
 PKGREVISION=	1
 CATEGORIES=	mail
 MASTER_SITES=	http://savannah.nongnu.org/download/spamass-milt/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://savannah.nongnu.org/projects/spamass-milt/
 COMMENT=	Milter interface to Spamassassin
 PKG_DESTDIR_SUPPORT=	user-destdir
 DEPENDS+=	spamassassin>=2.44:../../mail/spamassassin
 GNU_CONFIGURE=	YES
 USE_LANGUAGES=	c c++

 @@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.6 2006/10/12 12:19:09 obache Exp $
+$NetBSD: distinfo,v 1.6.32.1 2010/04/19 09:15:47 tron Exp $
 SHA1 (spamass-milter-0.3.1.tar.gz) = dd488eb9ab1f230440fba8a729bee80550f2fbff
 RMD160 (spamass-milter-0.3.1.tar.gz) = 5db6af6b31de1bf83eafbd9713d81cdc957b5033
 Size (spamass-milter-0.3.1.tar.gz) = 141144 bytes
-SHA1 (patch-aa) = a1eaf9d3d2dad72f7fa08628293f80cc15374800
+SHA1 (patch-aa) = c69afbafaba72ec59f77f024e2421b2df077a2ee
 SHA1 (patch-ab) = 5e7188cc212cc0b06671853fb13921e2e0f38c8c