Mon Nov 8 13:58:09 2021 UTC ()
mail/postfix: update to 3.6.3
Quote from release announce:
Fixed in Postfix 3.6.3, 3.5.13, 3.4.23, 3.3.20:
* (problem introduced in Postfix 2.4, released in 2007): queue
file corruption after a Milter (for example, MIMEDefang) made
a request to replace the message body with a copy of that message
body plus additional text (for example, a SpamAssassin report).
The most likely impacts were a) the queue manager reporting a
fatal error resulting in email delivery delays, or b) the queue
manager reporting the corruption and moving the message to the
corrupt queue for damaged messages.
However, a determined adversary could craft an email message
that would trigger the bug, and insert into its queue file a
content filter destination or a redirect email address. Postfix
would then deliver the message headers there, in most cases
without delivering the message body. With enough experimentation,
an attacker could make Postfix deliver both the message headers
and body.
Some details of a successful attack depend on the Milter
implementation, and on the Postfix and Milter configuration
details; these can be determined remotely through experimentation.
Failed experiments may be detected when the queue manager
terminates with a fatal error, or when the queue manager moves
damaged files to the "corrupt" queue as evidence.
Technical details: when Postfix executes a "replace body" Milter
request it will reuse queue file storage that was used by the
existing email message body. If the new body is larger, Postfix
will append body content to the end of the queue file. The
corruption happened when a Milter (for example, MIMEDefang)
made a request to replace the body of a message with a new body
that contained a copy of the original body plus some new text,
and the original body contained a line longer than $line_length_limit
bytes (for example, an image encoded in base64 without hard or
soft line breaks). In queue files, Postfix stores a long text
line as multiple records with up to $line_length_limit bytes
each. Unfortunately, Postfix's "replace body" support did not
account for the additional queue file space needed to store the
second etc. record headers. And thus, the last record(s) of a
long text line could overwrite one or more queue file records
immediately after the space that was previously occupied by the
original message body.
Problem report by Benoit Panizzon.
* (problem introduced in Postfix 2.10, released in 2012): The
postconf "-x" option could produce incorrect output, because
multiple functions were implicitly sharing a buffer for
intermediate results. Problem report by raf, root cause analysis
by Viktor Dukhovni.
* (problem introduced in Postfix 2.11, released in 2013): The
check_ccert_access feature worked as expected, but produced a
spurious warning when Postfix was built without SASL support.
Fix by Brad Barden.
* Fix for a compiler warning due to a missing 'const' qualifier
when compiling Postfix with OpenSSL 3. Depending on compiler
settings this could cause the build to fail.
Fixed in Postfix 3.6:
* The known_tcp_ports settings had no effect. It also wasn't fully
implemented. Problem report by Peter.
* Fix for missing space between a hostname and warning text.
(taca)
diff -r1.330 -r1.331 pkgsrc/mail/postfix/Makefile
diff -r1.37 -r1.38 pkgsrc/mail/postfix/Makefile.common
diff -r1.198 -r1.199 pkgsrc/mail/postfix/distinfo
--- pkgsrc/mail/postfix/Makefile 2021/08/29 21:04:55 1.330
+++ pkgsrc/mail/postfix/Makefile 2021/11/08 13:58:09 1.331
| @@ -1,16 +1,15 @@ | | | @@ -1,16 +1,15 @@ |
| 1 | # $NetBSD: Makefile,v 1.330 2021/08/29 21:04:55 khorben Exp $ | | 1 | # $NetBSD: Makefile,v 1.331 2021/11/08 13:58:09 taca Exp $ |
| 2 | | | 2 | |
| 3 | PKGREVISION= 2 | | | |
| 4 | .include "../../mail/postfix/Makefile.common" | | 3 | .include "../../mail/postfix/Makefile.common" |
| 5 | | | 4 | |
| 6 | COMMENT= Fast, easy to administer, and secure mail transfer agent | | 5 | COMMENT= Fast, easy to administer, and secure mail transfer agent |
| 7 | | | 6 | |
| 8 | CONFLICTS+= courier-mta-[0-9]* fastforward>=0.51nb2 sendmail-[0-9]* | | 7 | CONFLICTS+= courier-mta-[0-9]* fastforward>=0.51nb2 sendmail-[0-9]* |
| 9 | CONFLICTS+= esmtp>=1.2 nullmailer-[0-9]* | | 8 | CONFLICTS+= esmtp>=1.2 nullmailer-[0-9]* |
| 10 | | | 9 | |
| 11 | USE_TOOLS+= perl pkg-config m4 | | 10 | USE_TOOLS+= perl pkg-config m4 |
| 12 | | | 11 | |
| 13 | SPECIAL_PERMS+= sbin/postdrop ${POSTFIX_USER} ${MAILDROP_GROUP} 2555 | | 12 | SPECIAL_PERMS+= sbin/postdrop ${POSTFIX_USER} ${MAILDROP_GROUP} 2555 |
| 14 | SPECIAL_PERMS+= sbin/postqueue ${POSTFIX_USER} ${MAILDROP_GROUP} 2555 | | 13 | SPECIAL_PERMS+= sbin/postqueue ${POSTFIX_USER} ${MAILDROP_GROUP} 2555 |
| 15 | | | 14 | |
| 16 | REPLACE_PERL+= auxiliary/qshape/qshape.pl | | 15 | REPLACE_PERL+= auxiliary/qshape/qshape.pl |
--- pkgsrc/mail/postfix/Makefile.common 2021/07/26 15:38:10 1.37
+++ pkgsrc/mail/postfix/Makefile.common 2021/11/08 13:58:09 1.38
| @@ -1,18 +1,18 @@ | | | @@ -1,18 +1,18 @@ |
| 1 | # $NetBSD: Makefile.common,v 1.37 2021/07/26 15:38:10 taca Exp $ | | 1 | # $NetBSD: Makefile.common,v 1.38 2021/11/08 13:58:09 taca Exp $ |
| 2 | # used by mail/postfix/Makefile | | 2 | # used by mail/postfix/Makefile |
| 3 | # used by mail/postfix/Makefile.module | | 3 | # used by mail/postfix/Makefile.module |
| 4 | | | 4 | |
| 5 | DISTNAME= postfix-3.6.2 | | 5 | DISTNAME= postfix-3.6.3 |
| 6 | CATEGORIES= mail | | 6 | CATEGORIES= mail |
| 7 | MASTER_SITES= ftp://ftp.porcupine.org/mirrors/postfix-release/official/ | | 7 | MASTER_SITES= ftp://ftp.porcupine.org/mirrors/postfix-release/official/ |
| 8 | | | 8 | |
| 9 | MAINTAINER= pkgsrc-users@NetBSD.org | | 9 | MAINTAINER= pkgsrc-users@NetBSD.org |
| 10 | HOMEPAGE= http://www.postfix.org/ | | 10 | HOMEPAGE= http://www.postfix.org/ |
| 11 | # The postfix license has only very minor diffs from cpl-1.0. | | 11 | # The postfix license has only very minor diffs from cpl-1.0. |
| 12 | LICENSE= cpl-1.0 | | 12 | LICENSE= cpl-1.0 |
| 13 | #LICENSE= postfix-license | | 13 | #LICENSE= postfix-license |
| 14 | | | 14 | |
| 15 | DISTINFO_FILE= ${PKGDIR}/../../mail/postfix/distinfo | | 15 | DISTINFO_FILE= ${PKGDIR}/../../mail/postfix/distinfo |
| 16 | PATCHDIR= ${PKGDIR}/../../mail/postfix/patches | | 16 | PATCHDIR= ${PKGDIR}/../../mail/postfix/patches |
| 17 | | | 17 | |
| 18 | CHECK_HEADERS_SKIP+= src/global/mail_params.h | | 18 | CHECK_HEADERS_SKIP+= src/global/mail_params.h |
--- pkgsrc/mail/postfix/distinfo 2021/10/26 10:54:21 1.198
+++ pkgsrc/mail/postfix/distinfo 2021/11/08 13:58:09 1.199
| @@ -1,12 +1,12 @@ | | | @@ -1,12 +1,12 @@ |
| 1 | $NetBSD: distinfo,v 1.198 2021/10/26 10:54:21 nia Exp $ | | 1 | $NetBSD: distinfo,v 1.199 2021/11/08 13:58:09 taca Exp $ |
| 2 | | | 2 | |
| 3 | BLAKE2s (postfix-3.6.2.tar.gz) = 76c630269f750be4665370df8a3a922a7ec1bedfe88e450140c975d8b415d863 | | 3 | BLAKE2s (postfix-3.6.3.tar.gz) = 1ba19a223c40f45a0bf4e5994b2acba2ef6210ad7c524b72eb4adf7302446ce1 |
| 4 | SHA512 (postfix-3.6.2.tar.gz) = 464ce9ec77e637ede91123472a0383b2bfda52102f9e9852c7191016d4fda2e14f302f2db9793887c182688c2a14dde6eeda728523196a627a8028f99555a4d9 | | 4 | SHA512 (postfix-3.6.3.tar.gz) = 7179aaeeaf27838b867d9a07f9a889d7cd6b7f5053e123caef4dff2820d4df6d5be167effedde6c857b4468966b8449c631e56405e1ac2d589716fb4e3f15e3b |
| 5 | Size (postfix-3.6.2.tar.gz) = 4749530 bytes | | 5 | Size (postfix-3.6.3.tar.gz) = 4750833 bytes |
| 6 | SHA1 (patch-aa) = c8216f133e202a7bb37682b0dbc1448f021e7c1c | | 6 | SHA1 (patch-aa) = c8216f133e202a7bb37682b0dbc1448f021e7c1c |
| 7 | SHA1 (patch-ag) = feccf4aba580f581953b32e6c3a2c453fcb9131c | | 7 | SHA1 (patch-ag) = feccf4aba580f581953b32e6c3a2c453fcb9131c |
| 8 | SHA1 (patch-ai) = b93d8b4e7a52e2c281cf0815ef2cf653c3cd7efa | | 8 | SHA1 (patch-ai) = b93d8b4e7a52e2c281cf0815ef2cf653c3cd7efa |
| 9 | SHA1 (patch-src_smtpd_Makefile.in) = 8133f9cceb0c1c0250d6543cb060c66288571722 | | 9 | SHA1 (patch-src_smtpd_Makefile.in) = 8133f9cceb0c1c0250d6543cb060c66288571722 |
| 10 | SHA1 (patch-src_smtpd_pfilter.c) = c747d2f3584f694eb7b73b19118b4d8b450cfe7f | | 10 | SHA1 (patch-src_smtpd_pfilter.c) = c747d2f3584f694eb7b73b19118b4d8b450cfe7f |
| 11 | SHA1 (patch-src_smtpd_pfilter.h) = 153b516da89d709d293c6086c2f126791bd945d6 | | 11 | SHA1 (patch-src_smtpd_pfilter.h) = 153b516da89d709d293c6086c2f126791bd945d6 |
| 12 | SHA1 (patch-src_smtpd_smtpd.c) = 5f290ec55305702986beefdbbc194f5ce7987643 | | 12 | SHA1 (patch-src_smtpd_smtpd.c) = 5f290ec55305702986beefdbbc194f5ce7987643 |