I tried to upgrade to 4.93 today, and had to roll back to 4.92.3. I get: [I] ➜ grep -i taint /var/log/maillog <17>1 2020-02-20T10:38:44.854525-06:00 thebighonker.lerctr.org exim 59285 - - [1\2] 1j4oqa-000FQD-Nw Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:38:44.889621-06:00 thebighonker.lerctr.org exim 59224 - - 1j4oqa-000FPE-Nw attempt to expand tainted string '$1' <21>1 2020-02-20T10:38:44.890149-06:00 thebighonker.lerctr.org exim 59224 - - [1\52] 1j4oqa-000FPE-Nw H=malur.postgresql.org [2a02:16a8:dc51::56]:50652 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T10:38:44.973850-06:00 thebighonker.lerctr.org exim 59226 - - [1\2] 1j4oqa-000FPG-Nw Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:38:47.929854-06:00 thebighonker.lerctr.org exim 59345 - - [1\2] 1j4oqd-000FRB-R2 Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:38:48.027188-06:00 thebighonker.lerctr.org exim 59346 - - [1\2] 1j4oqd-000FRC-R2 Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:38:54.276084-06:00 thebighonker.lerctr.org exim 59437 - - [1\2] 1j4oqk-000FSf-5I Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:38:55.233514-06:00 thebighonker.lerctr.org exim 59440 - - [1\2] 1j4oql-000FSi-1N Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:38:56.331072-06:00 thebighonker.lerctr.org exim 59482 - - [1\2] 1j4oqm-000FTO-7i Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:38:57.252803-06:00 thebighonker.lerctr.org exim 59525 - - [1\2] 1j4oqn-000FU5-4V Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:38:57.583361-06:00 thebighonker.lerctr.org exim 59347 - - 1j4oqn-000FRD-EY attempt to expand tainted string '$1' <21>1 2020-02-20T10:38:57.583848-06:00 thebighonker.lerctr.org exim 59347 - - [1\52] 1j4oqn-000FRD-EY H=malur.postgresql.org [217.196.149.56]:53230 I=[192.147.25.65]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T10:40:02.858804-06:00 thebighonker.lerctr.org exim 59708 - - [1\2] 1j4orq-000FX2-FA Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:40:04.243293-06:00 thebighonker.lerctr.org exim 59794 - - [1\2] 1j4ors-000FYQ-1m Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:40:05.443663-06:00 thebighonker.lerctr.org exim 59796 - - [1\2] 1j4ort-000FYS-7D Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:40:05.521456-06:00 thebighonker.lerctr.org exim 59797 - - [1\2] 1j4ort-000FYT-DD Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:40:06.318268-06:00 thebighonker.lerctr.org exim 59807 - - [1\2] 1j4oru-000FYd-7N Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:50:25.379393-06:00 thebighonker.lerctr.org exim 61381 - - [1\2] 1j4p1t-000Fy1-6l Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:50:54.614045-06:00 thebighonker.lerctr.org exim 61469 - - [1\2] 1j4p2M-000FzR-D7 Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T10:51:23.429945-06:00 thebighonker.lerctr.org exim 61481 - - [1\2] 1j4p2p-000Fzd-5G Taint mismatch, Ustrncpy: ip_unixsocket 518 <17>1 2020-02-20T11:03:16.207210-06:00 thebighonker.lerctr.org exim 64926 - - 1j4pEH-000GtC-Sf attempt to expand tainted string '$1' <21>1 2020-02-20T11:03:16.207829-06:00 thebighonker.lerctr.org exim 64926 - - [1\115] 1j4pEH-000GtC-Sf H=mail-qv1-xf2f.google.com [2607:f8b0:4864:20::f2f]:44553 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=yes DN="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com" SNI="thebighonker.lerctr.org" F=<m.ray.mullins+caf_=mrm=lerctr.org@gmail.com> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T11:08:23.275666-06:00 thebighonker.lerctr.org exim 66252 - - 1j4pJH-000HEa-3y attempt to expand tainted string '$1' <21>1 2020-02-20T11:08:23.276207-06:00 thebighonker.lerctr.org exim 66252 - - [1\52] 1j4pJH-000HEa-3y H=malur.postgresql.org [2a02:16a8:dc51::56]:39768 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T11:08:35.318122-06:00 thebighonker.lerctr.org exim 66262 - - 1j4pJT-000HEk-5v attempt to expand tainted string '$1' <21>1 2020-02-20T11:08:35.318634-06:00 thebighonker.lerctr.org exim 66262 - - [1\52] 1j4pJT-000HEk-5v H=malur.postgresql.org [217.196.149.56]:40944 I=[192.147.25.65]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T11:16:52.674144-06:00 thebighonker.lerctr.org exim 66815 - - 1j4pRU-000HNf-Gt attempt to expand tainted string '$1' <21>1 2020-02-20T11:16:52.674696-06:00 thebighonker.lerctr.org exim 66815 - - [1\52] 1j4pRU-000HNf-Gt H=malur.postgresql.org [2a02:16a8:dc51::56]:39884 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T11:17:04.489395-06:00 thebighonker.lerctr.org exim 66820 - - 1j4pRg-000HNk-BU attempt to expand tainted string '$1' <21>1 2020-02-20T11:17:04.489774-06:00 thebighonker.lerctr.org exim 66820 - - [1\52] 1j4pRg-000HNk-BU H=malur.postgresql.org [217.196.149.56]:41062 I=[192.147.25.65]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T11:21:27.395015-06:00 thebighonker.lerctr.org exim 67063 - - 1j4pVu-000HRf-Oh attempt to expand tainted string '$1' <21>1 2020-02-20T11:21:27.395754-06:00 thebighonker.lerctr.org exim 67063 - - [1\113] 1j4pVu-000HRf-Oh H=mail-vk1-xa30.google.com [2607:f8b0:4864:20::a30]:32875 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=yes DN="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com" SNI="thebighonker.lerctr.org" F=<m.ray.mullins+caf_=mrm=lerctr.org@gmail.com> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T11:25:22.416483-06:00 thebighonker.lerctr.org exim 68209 - - 1j4pZi-000Hk9-8c attempt to expand tainted string '$1' <21>1 2020-02-20T11:25:22.416966-06:00 thebighonker.lerctr.org exim 68209 - - [1\52] 1j4pZi-000Hk9-8c H=malur.postgresql.org [2a02:16a8:dc51::56]:47754 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' <17>1 2020-02-20T11:25:34.407034-06:00 thebighonker.lerctr.org exim 68417 - - 1j4pZu-000HnV-8o attempt to expand tainted string '$1' <21>1 2020-02-20T11:25:34.407583-06:00 thebighonker.lerctr.org exim 68417 - - [1\52] 1j4pZu-000HnV-8o H=malur.postgresql.org [217.196.149.56]:48932 I=[192.147.25.65]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' ler in exim at thebighonker on master [!] [I] ➜ the unix socket was for clamd: in the ACL, and the others I'm not sure how to fix. A reply on the Exim list suggested the 4.93+fixes branch. Can we get the port to pull it's sources from that branch?
(In reply to Larry Rosenman from comment #0) I workin' on getting Exim port to more recent version with some patches from debian which we use locally
(In reply to Larry Rosenman from comment #0) Try this update on fresh portstree. Think it should fix the issue https://people.freebsd.org/~fluffy/-patches/exim4.93.0.4.diff
https://home.lerctr.org:8888/data/p120-S-amd64-host-ports/2020-02-24_12h20m24s/logs/errors/exim-4.93.0.4.log patch fails. :(
(In reply to Larry Rosenman from comment #3) Looks like you have messed up files/ directory patch-src_smtp__in.c should not to be exist, it comes as part of patch-pass-fd-to-tcpwrappers
Ok, removing that file (I'm not sure how the hell it was still in my tree) fixed it, *AND* it works :)
<21>1 2020-02-24T12:59:20.956095-06:00 thebighonker.lerctr.org exim 24803 - - [1\83] 1j6Iwq-0006S3-LL H=malur.postgresql.org [2a02:16a8:dc51::56]:59940 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-215359@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1' except for this.....
More clarification: +#FILENAME_EXT = ${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}} + #deny message = This message contains an unwanted file extension ($mime_filename) + # log_message = MALWARE: unwanted extension ($mime_filename) + # condition = ${lookup{FILENAME_EXT}lsearch{BLACKLIST_FILES}{yes}{no}} I'm not sure how to make the taint stuff happy here.
I'm stuck with 2020-02-25 08:47:55 1j6CJc-000CY9-Kg == bob@ish.com.au R=localuser T=local_delivery defer (0): Expansion of "${local_part}${local_part_suffix}@$domain" from command "/usr/local/libexec/dovecot/dovecot-lda -a ${local_part}${local_part_suffix}@$domain -d $local_part@$domain -f $sender_address" in local_delivery transport failed: attempt to expand tainted string '${local_part}${local_part_suffix}@$domain' 2020-02-25 08:47:55 1j6CJc-000CY9-Kg attempt to expand tainted string '${local_part}${local_part_suffix}@$domain' The new 4.93 version is very aggressive with the new taint function and its not a friendly simple upgrade from 4.92 Not sure if this is a FreeBSD problem or just an exim issue.
@ari, did you try the 4.93.0.4 patch? The only issue I saw was the entry I put above.
No, I thought those patches were about the FreeBSD socket issue. There is almost no documentation at all about the taint changes in exim docs, so its pretty hard to read the source code and figure out what is happening here.
the 4.93.0.4 patch @fluffy points to above fix a *LOT* of the taint issues.
A commit references this bug: Author: fluffy Date: Tue Feb 25 09:17:16 UTC 2020 New revision: 527069 URL: https://svnweb.freebsd.org/changeset/ports/527069 Log: mail/exim: update to 4.93.0.4 maintenance release This release is addressed to fix many of *taint* issues PR: 244322 Reported by: ler Changes: head/mail/exim/Makefile head/mail/exim/distinfo
(In reply to ari from comment #8) It is an Exim issue :( implementing new engine is a hard task Sure, better solution was stay with 4.92, however now it always updated and I will try to keep the port at fresh state without reverting
Folks, r527168 might be a light in the tunnel. At least I've adopt ALL git commits in 4.93+fixes branch since 4.93.0.4 release
Unfortunately there's an issue with the patches since r527168. Here's the output of 'make patch': ===> Patching for exim-4.93.0.4_3 ===> Applying extra patch /usr/ports/mail/exim/files/74_21-heimdal-auth-fix-the-increase-of-big_buffer-size.patch ===> Applying extra patch /usr/ports/mail/exim/files/74_24-TFO-even-in-binary-built-for-modern-Linux-handle-err.patch ===> Applying extra patch /usr/ports/mail/exim/files/74_19-SPF-fix-result-for-case-of-only-non-spf-TXT-RRs.patch ===> Applying extra patch /usr/ports/mail/exim/files/74_26-Auths-fix-cyrus-sasl-driver-for-gssapi-use.patch ===> Applying extra patch /usr/ports/mail/exim/files/74_22-Taint-hybrid-checking-mode.patch ===> Applying extra patch /usr/ports/mail/exim/files/74_25-Taint-slow-mode-checking-only.patch 2 out of 4 hunks failed--saving rejects to src/store.c.rej
(In reply to Ralf van der Enden from comment #15) Sorry, forgot about order, it matters :( r527169
Larry, did you have issues for now? If not, this PR finally can be closed :)
(In reply to Dima Panov from comment #17) No issues, my config (from 4.92) now works without taint whines. Closing :)