Bug 244322 - mail/exim: 4.93 causes taint issues
Summary: mail/exim: 4.93 causes taint issues
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Dima Panov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-22 20:25 UTC by Larry Rosenman
Modified: 2020-02-27 14:21 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (vsevolod)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Larry Rosenman freebsd_committer freebsd_triage 2020-02-22 20:25:40 UTC 
I tried to upgrade to 4.93 today, and had to roll back to 4.92.3.

I get:
[I] ➜ grep -i taint /var/log/maillog
<17>1 2020-02-20T10:38:44.854525-06:00 thebighonker.lerctr.org exim 59285 - - [1\2] 1j4oqa-000FQD-Nw Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:38:44.889621-06:00 thebighonker.lerctr.org exim 59224 - - 1j4oqa-000FPE-Nw attempt to expand tainted string '$1'
<21>1 2020-02-20T10:38:44.890149-06:00 thebighonker.lerctr.org exim 59224 - - [1\52] 1j4oqa-000FPE-Nw H=malur.postgresql.org [2a02:16a8:dc51::56]:50652 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T10:38:44.973850-06:00 thebighonker.lerctr.org exim 59226 - - [1\2] 1j4oqa-000FPG-Nw Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:38:47.929854-06:00 thebighonker.lerctr.org exim 59345 - - [1\2] 1j4oqd-000FRB-R2 Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:38:48.027188-06:00 thebighonker.lerctr.org exim 59346 - - [1\2] 1j4oqd-000FRC-R2 Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:38:54.276084-06:00 thebighonker.lerctr.org exim 59437 - - [1\2] 1j4oqk-000FSf-5I Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:38:55.233514-06:00 thebighonker.lerctr.org exim 59440 - - [1\2] 1j4oql-000FSi-1N Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:38:56.331072-06:00 thebighonker.lerctr.org exim 59482 - - [1\2] 1j4oqm-000FTO-7i Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:38:57.252803-06:00 thebighonker.lerctr.org exim 59525 - - [1\2] 1j4oqn-000FU5-4V Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:38:57.583361-06:00 thebighonker.lerctr.org exim 59347 - - 1j4oqn-000FRD-EY attempt to expand tainted string '$1'
<21>1 2020-02-20T10:38:57.583848-06:00 thebighonker.lerctr.org exim 59347 - - [1\52] 1j4oqn-000FRD-EY H=malur.postgresql.org [217.196.149.56]:53230 I=[192.147.25.65]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T10:40:02.858804-06:00 thebighonker.lerctr.org exim 59708 - - [1\2] 1j4orq-000FX2-FA Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:40:04.243293-06:00 thebighonker.lerctr.org exim 59794 - - [1\2] 1j4ors-000FYQ-1m Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:40:05.443663-06:00 thebighonker.lerctr.org exim 59796 - - [1\2] 1j4ort-000FYS-7D Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:40:05.521456-06:00 thebighonker.lerctr.org exim 59797 - - [1\2] 1j4ort-000FYT-DD Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:40:06.318268-06:00 thebighonker.lerctr.org exim 59807 - - [1\2] 1j4oru-000FYd-7N Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:50:25.379393-06:00 thebighonker.lerctr.org exim 61381 - - [1\2] 1j4p1t-000Fy1-6l Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:50:54.614045-06:00 thebighonker.lerctr.org exim 61469 - - [1\2] 1j4p2M-000FzR-D7 Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T10:51:23.429945-06:00 thebighonker.lerctr.org exim 61481 - - [1\2] 1j4p2p-000Fzd-5G Taint mismatch, Ustrncpy: ip_unixsocket 518
<17>1 2020-02-20T11:03:16.207210-06:00 thebighonker.lerctr.org exim 64926 - - 1j4pEH-000GtC-Sf attempt to expand tainted string '$1'
<21>1 2020-02-20T11:03:16.207829-06:00 thebighonker.lerctr.org exim 64926 - - [1\115] 1j4pEH-000GtC-Sf H=mail-qv1-xf2f.google.com [2607:f8b0:4864:20::f2f]:44553 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=yes DN="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com" SNI="thebighonker.lerctr.org" F=<m.ray.mullins+caf_=mrm=lerctr.org@gmail.com> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T11:08:23.275666-06:00 thebighonker.lerctr.org exim 66252 - - 1j4pJH-000HEa-3y attempt to expand tainted string '$1'
<21>1 2020-02-20T11:08:23.276207-06:00 thebighonker.lerctr.org exim 66252 - - [1\52] 1j4pJH-000HEa-3y H=malur.postgresql.org [2a02:16a8:dc51::56]:39768 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T11:08:35.318122-06:00 thebighonker.lerctr.org exim 66262 - - 1j4pJT-000HEk-5v attempt to expand tainted string '$1'
<21>1 2020-02-20T11:08:35.318634-06:00 thebighonker.lerctr.org exim 66262 - - [1\52] 1j4pJT-000HEk-5v H=malur.postgresql.org [217.196.149.56]:40944 I=[192.147.25.65]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T11:16:52.674144-06:00 thebighonker.lerctr.org exim 66815 - - 1j4pRU-000HNf-Gt attempt to expand tainted string '$1'
<21>1 2020-02-20T11:16:52.674696-06:00 thebighonker.lerctr.org exim 66815 - - [1\52] 1j4pRU-000HNf-Gt H=malur.postgresql.org [2a02:16a8:dc51::56]:39884 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T11:17:04.489395-06:00 thebighonker.lerctr.org exim 66820 - - 1j4pRg-000HNk-BU attempt to expand tainted string '$1'
<21>1 2020-02-20T11:17:04.489774-06:00 thebighonker.lerctr.org exim 66820 - - [1\52] 1j4pRg-000HNk-BU H=malur.postgresql.org [217.196.149.56]:41062 I=[192.147.25.65]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T11:21:27.395015-06:00 thebighonker.lerctr.org exim 67063 - - 1j4pVu-000HRf-Oh attempt to expand tainted string '$1'
<21>1 2020-02-20T11:21:27.395754-06:00 thebighonker.lerctr.org exim 67063 - - [1\113] 1j4pVu-000HRf-Oh H=mail-vk1-xa30.google.com [2607:f8b0:4864:20::a30]:32875 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=yes DN="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com" SNI="thebighonker.lerctr.org" F=<m.ray.mullins+caf_=mrm=lerctr.org@gmail.com> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T11:25:22.416483-06:00 thebighonker.lerctr.org exim 68209 - - 1j4pZi-000Hk9-8c attempt to expand tainted string '$1'
<21>1 2020-02-20T11:25:22.416966-06:00 thebighonker.lerctr.org exim 68209 - - [1\52] 1j4pZi-000Hk9-8c H=malur.postgresql.org [2a02:16a8:dc51::56]:47754 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'
<17>1 2020-02-20T11:25:34.407034-06:00 thebighonker.lerctr.org exim 68417 - - 1j4pZu-000HnV-8o attempt to expand tainted string '$1'
<21>1 2020-02-20T11:25:34.407583-06:00 thebighonker.lerctr.org exim 68417 - - [1\52] 1j4pZu-000HnV-8o H=malur.postgresql.org [217.196.149.56]:48932 I=[192.147.25.65]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-214291@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'

ler in exim  at thebighonker on  master [!]
[I] ➜

the unix socket was for clamd: in the ACL, and the others I'm not sure how to fix.


A reply on the Exim list suggested the 4.93+fixes branch.  Can we get the port to pull it's sources from that branch?
Comment 1 Dima Panov freebsd_committer freebsd_triage 2020-02-24 08:58:37 UTC 
(In reply to Larry Rosenman from comment #0)

I workin' on getting Exim port to more recent version with some patches from debian which we use locally
Comment 2 Dima Panov freebsd_committer freebsd_triage 2020-02-24 17:40:49 UTC 
(In reply to Larry Rosenman from comment #0)

Try this update on fresh portstree. 
Think it should fix the issue

https://people.freebsd.org/~fluffy/-patches/exim4.93.0.4.diff
Comment 4 Dima Panov freebsd_committer freebsd_triage 2020-02-24 18:47:03 UTC 
(In reply to Larry Rosenman from comment #3)
Looks like you have messed up files/ directory
patch-src_smtp__in.c should not to be exist, it comes as part of patch-pass-fd-to-tcpwrappers
Comment 5 Larry Rosenman freebsd_committer freebsd_triage 2020-02-24 18:58:37 UTC 
Ok, removing that file (I'm not sure how the hell it was still in my tree) fixed it, *AND* it works :)
Comment 6 Larry Rosenman freebsd_committer freebsd_triage 2020-02-24 18:59:54 UTC 
<21>1 2020-02-24T12:59:20.956095-06:00 thebighonker.lerctr.org exim 24803 - - [1\83] 1j6Iwq-0006S3-LL H=malur.postgresql.org [2a02:16a8:dc51::56]:59940 I=[2001:470:1f0f:3ad:bb:dcff:fe50:d900]:25 X=TLS1.2:ECDHE-RSA-AES256-SHA:256 CV=yes DN="/CN=lists.postgresql.org" F=<pgsql-hackers-owner+M2386-215359@lists.postgresql.org> temporarily rejected during MIME ACL checks: failed to expand ACL string "${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}}lsearch{/usr/local/etc/exim/checkfiles/bad-exts}{yes}{no}}": attempt to expand tainted string '$1'

except for this.....
Comment 7 Larry Rosenman freebsd_committer freebsd_triage 2020-02-24 19:02:08 UTC 
More clarification:

+#FILENAME_EXT = ${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}

+  #deny  message = This message contains an unwanted file extension ($mime_filename)
+  #    log_message = MALWARE: unwanted extension ($mime_filename)
+  #      condition = ${lookup{FILENAME_EXT}lsearch{BLACKLIST_FILES}{yes}{no}}

I'm not sure how to make the taint stuff happy here.
Comment 8 ari 2020-02-25 00:57:54 UTC 
I'm stuck with

2020-02-25 08:47:55 1j6CJc-000CY9-Kg == bob@ish.com.au R=localuser T=local_delivery defer (0): Expansion of "${local_part}${local_part_suffix}@$domain" from command "/usr/local/libexec/dovecot/dovecot-lda -a ${local_part}${local_part_suffix}@$domain -d $local_part@$domain  -f $sender_address" in local_delivery transport failed: attempt to expand tainted string '${local_part}${local_part_suffix}@$domain'
2020-02-25 08:47:55 1j6CJc-000CY9-Kg attempt to expand tainted string '${local_part}${local_part_suffix}@$domain'

The new 4.93 version is very aggressive with the new taint function and its not a friendly simple upgrade from 4.92

Not sure if this is a FreeBSD problem or just an exim issue.
Comment 9 Larry Rosenman freebsd_committer freebsd_triage 2020-02-25 01:00:27 UTC 
@ari, did you try the 4.93.0.4 patch?

The only issue I saw was the entry I put above.
Comment 10 ari 2020-02-25 01:03:17 UTC 
No, I thought those patches were about the FreeBSD socket issue. There is almost no documentation at all about the taint changes in exim docs, so its pretty hard to read the source code and figure out what is happening here.
Comment 11 Larry Rosenman freebsd_committer freebsd_triage 2020-02-25 01:05:40 UTC 
the 4.93.0.4 patch @fluffy points to above fix a *LOT* of the taint issues.
Comment 12 commit-hook freebsd_committer freebsd_triage 2020-02-25 09:17:50 UTC 
A commit references this bug:

Author: fluffy
Date: Tue Feb 25 09:17:16 UTC 2020
New revision: 527069
URL: https://svnweb.freebsd.org/changeset/ports/527069

Log:
  mail/exim: update to 4.93.0.4 maintenance release

  This release is addressed to fix many of *taint* issues

  PR:		244322
  Reported by:	ler

Changes:
  head/mail/exim/Makefile
  head/mail/exim/distinfo
Comment 13 Dima Panov freebsd_committer freebsd_triage 2020-02-25 09:28:08 UTC 
(In reply to ari from comment #8)
It is an Exim issue :( implementing new engine is a hard task
Sure, better solution was stay with 4.92, however now it always updated and I will try to keep the port at fresh state without reverting
Comment 14 Dima Panov freebsd_committer freebsd_triage 2020-02-26 13:48:25 UTC 
Folks, r527168 might be a light in the tunnel. At least I've adopt ALL git commits in 4.93+fixes branch since 4.93.0.4 release
Comment 15 Ralf van der Enden 2020-02-26 14:08:36 UTC 
Unfortunately there's an issue with the patches since r527168.

Here's the output of 'make patch':

===>  Patching for exim-4.93.0.4_3
===>  Applying extra patch /usr/ports/mail/exim/files/74_21-heimdal-auth-fix-the-increase-of-big_buffer-size.patch
===>  Applying extra patch /usr/ports/mail/exim/files/74_24-TFO-even-in-binary-built-for-modern-Linux-handle-err.patch
===>  Applying extra patch /usr/ports/mail/exim/files/74_19-SPF-fix-result-for-case-of-only-non-spf-TXT-RRs.patch
===>  Applying extra patch /usr/ports/mail/exim/files/74_26-Auths-fix-cyrus-sasl-driver-for-gssapi-use.patch
===>  Applying extra patch /usr/ports/mail/exim/files/74_22-Taint-hybrid-checking-mode.patch
===>  Applying extra patch /usr/ports/mail/exim/files/74_25-Taint-slow-mode-checking-only.patch
2 out of 4 hunks failed--saving rejects to src/store.c.rej
Comment 16 Dima Panov freebsd_committer freebsd_triage 2020-02-26 14:26:25 UTC 
(In reply to Ralf van der Enden from comment #15)
Sorry, forgot about order, it matters :( 
r527169
Comment 17 Dima Panov freebsd_committer freebsd_triage 2020-02-27 13:31:24 UTC 
Larry, did you have issues for now? If not, this PR finally can be closed :)
Comment 18 Larry Rosenman freebsd_committer freebsd_triage 2020-02-27 14:21:49 UTC 
(In reply to Dima Panov from comment #17)
No issues, my config (from 4.92) now works without taint whines.

Closing :)