Attachment #114987 for bug #156738

View | Details | Raw Unified | Return to bug 156738
Collapse All | Expand All

Lines 6-13 Link Here

(-)Makefile (-2 / +1 lines)
6	#	6	#
7		7
8	PORTNAME= spamass-milter	8	PORTNAME= spamass-milter
9	PORTVERSION= 0.3.1	9	PORTVERSION= 0.3.2
10	PORTREVISION= 11
11	CATEGORIES= mail	10	CATEGORIES= mail
12	MASTER_SITES= ${MASTER_SITE_SAVANNAH}	11	MASTER_SITES= ${MASTER_SITE_SAVANNAH}
13	MASTER_SITE_SUBDIR= spamass-milt	12	MASTER_SITE_SUBDIR= spamass-milt

Lines 1-2 Link Here

(-)distinfo (-2 / +2 lines)
1	SHA256 (spamass-milter-0.3.1.tar.gz) = 4222b21d098f292b4899a84caf56458c876c6774fd14132fbd4c31f6190b27e5	1	SHA256 (spamass-milter-0.3.2.tar.gz) = c14b9021092f8c5408df1db25e5645db4cba5bac5ba487175230696a99d269cc
2	SIZE (spamass-milter-0.3.1.tar.gz) = 141144	2	SIZE (spamass-milter-0.3.2.tar.gz) = 154579




--- spamass-milter.cpp.orig	2006-03-23 22:41:36.000000000 +0100
+++ spamass-milter.cpp	2010-05-12 12:05:02.000000000 +0200
@@ -465,26 +465,11 @@
 			int rv;
 #endif
 			
-#if defined(HAVE_ASPRINTF)
-			char *buf;
-#else
-			char buf[1024];
-#endif
-			char *fmt="%s \"%s\"";
 			FILE *p;
+			char sendmail_prog[] = SENDMAIL;
+			char *const popen_argv[] = { sendmail_prog, spambucket, NULL };
+			pid_t pid;
 
-#if defined(HAVE_ASPRINTF)
-			asprintf(&buf, fmt, SENDMAIL, spambucket);
-#else
-#if defined(HAVE_SNPRINTF)
-			snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket);
-#else
-			/* XXX possible buffer overflow here */
-			sprintf(buf, fmt, SENDMAIL, spambucket);
-#endif
-#endif
-
-			debug(D_COPY, "calling %s", buf);
 #if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
 			rv = pthread_mutex_lock(&popen_mutex);
 			if (rv)
@@ -493,15 +478,17 @@
 				abort();
 			}		
 #endif
-			p = popen(buf, "w");
+			debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
+			p = popenv(popen_argv, "w", &pid);
 			if (!p)
 			{
-				debug(D_COPY, "popen failed(%s).  Will not send a copy to spambucket", strerror(errno));
+				debug(D_COPY, "popenv failed(%s).  Will not send a copy to spambucket", strerror(errno));
 			} else
 			{
 				// Send message provided by SpamAssassin
 				fwrite(assassin->d().c_str(), assassin->d().size(), 1, p);
-				pclose(p); p = NULL;
+				fclose(p); p = NULL;
+				waitpid(pid, NULL, 0);
 			}
 #if defined(__FreeBSD__)
 			rv = pthread_mutex_unlock(&popen_mutex);
@@ -511,9 +498,6 @@
 				abort();
 			}		
 #endif
-#if defined(HAVE_ASPRINTF)
-			free(buf);
-#endif 
 		}
 		return SMFIS_REJECT;
 	}
@@ -842,16 +826,12 @@
 		/* open a pipe to sendmail so we can do address expansion */
 
 		char buf[1024];
-		char *fmt="%s -bv \"%s\" 2>&1";
+		char sendmail_prog[] = SENDMAIL;
+		char sendmail_mode[] = "-bv";
+		char * const popen_argv[] = { sendmail_prog, sendmail_mode, envrcpt[0], NULL };
+		pid_t pid;
 
-#if defined(HAVE_SNPRINTF)
-		snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
-#else
-		/* XXX possible buffer overflow here */
-		sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
-#endif
-
-		debug(D_RCPT, "calling %s", buf);
+		debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
 
 #if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
 		rv = pthread_mutex_lock(&popen_mutex);
@@ -862,10 +842,10 @@
 		}		
 #endif
 
-		p = popen(buf, "r");
+		p = popenv(popen_argv, "r", &pid);
 		if (!p)
 		{
-			debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
+			debug(D_RCPT, "popenv failed(%s).  Will not expand aliases", strerror(errno));
 			assassin->expandedrcpt.push_back(envrcpt[0]);
 		} else
 		{
@@ -890,7 +870,8 @@
 					assassin->expandedrcpt.push_back(p+7);
 				}
 			}
-			pclose(p); p = NULL;
+			fclose(p); p = NULL;
+			waitpid(pid, NULL, 0);
 		}
 #if defined(__FreeBSD__)
 		rv = pthread_mutex_unlock(&popen_mutex);
@@ -1002,9 +983,9 @@
 
 		assassin->output((string)
 			"Received: from "+macro_s+" ("+macro__+")\r\n\t"+
-			"by "+macro_j+"("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+
+			"by "+macro_j+" ("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+";\r\n\t"+
 			macro_b+"\r\n\t"+
-			"(envelope-from "+assassin->from()+"\r\n");
+			"(envelope-from "+assassin->from()+")\r\n");
 
 	} else
 		assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n");
@@ -2157,5 +2138,72 @@
 	warnedmacro = true;
 }
 
+/*
+   untrusted-argument-safe popen function - only supports "r" and "w" modes
+   for simplicity, and always reads stdout and stderr in "r" mode.  Call
+   fclose to close the FILE, and waitpid to reap the child process (pid).
+*/
+FILE *popenv(char *const argv[], const char *type, pid_t *pid)
+{
+       FILE *iop;
+       int pdes[2];
+       int save_errno;
+
+       if ((*type != 'r' && *type != 'w') || type[1])
+       {
+               errno = EINVAL;
+               return (NULL);
+       }
+       if (pipe(pdes) < 0)
+               return (NULL);
+       switch (*pid = fork()) {
+
+       case -1:                        /* Error. */
+               save_errno = errno;
+               (void)close(pdes[0]);
+               (void)close(pdes[1]);
+               errno = save_errno;
+               return (NULL);
+               /* NOTREACHED */
+       case 0:                         /* Child. */
+               if (*type == 'r') {
+                       /*
+                        * The dup2() to STDIN_FILENO is repeated to avoid
+                        * writing to pdes[1], which might corrupt the
+                        * parent's copy.  This isn't good enough in
+                        * general, since the exit() is no return, so
+                        * the compiler is free to corrupt all the local
+                        * variables.
+                        */
+                       (void)close(pdes[0]);
+                       (void)dup2(pdes[1], STDOUT_FILENO);
+                       (void)dup2(pdes[1], STDERR_FILENO);
+                       if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) {
+                               (void)close(pdes[1]);
+                       }
+               } else {
+                       if (pdes[0] != STDIN_FILENO) {
+                               (void)dup2(pdes[0], STDIN_FILENO);
+                               (void)close(pdes[0]);
+                       }
+                       (void)close(pdes[1]);
+               }
+               execv(argv[0], argv);
+               exit(127);
+               /* NOTREACHED */
+       }
+
+       /* Parent; assume fdopen can't fail. */
+       if (*type == 'r') {
+               iop = fdopen(pdes[0], type);
+               (void)close(pdes[1]);
+       } else {
+               iop = fdopen(pdes[1], type);
+               (void)close(pdes[0]);
+       }
+
+       return (iop);
+}
+
 // }}}
 // vim6:ai:noexpandtab

Removed Link Here

(-)files/patch-spamass-milter.h (-9 lines)
1	--- spamass-milter.h.orig 2010-05-12 11:58:14.000000000 +0200
2	+++ spamass-milter.h 2010-05-12 12:05:27.000000000 +0200
3	@@ -186,5 +186,6 @@
4	void parse_debuglevel(char* string);
5	char strlwr(char str);
6	void warnmacro(char macro, char scope);
7	+FILE popenv(char const argv[], const char type, pid_t pid);
8
9	#endif

Return to bug 156738

Removed Link Here

(-)files/patch-spamass-milter.cpp (-193 lines)
1	--- spamass-milter.cpp.orig 2006-03-23 22:41:36.000000000 +0100
2	+++ spamass-milter.cpp 2010-05-12 12:05:02.000000000 +0200
3	@@ -465,26 +465,11 @@
4	int rv;
5	#endif
6
7	-#if defined(HAVE_ASPRINTF)
8	- char *buf;
9	-#else
10	- char buf[1024];
11	-#endif
12	- char *fmt="%s \"%s\"";
13	FILE *p;
14	+ char sendmail_prog[] = SENDMAIL;
15	+ char *const popen_argv[] = { sendmail_prog, spambucket, NULL };
16	+ pid_t pid;
17
18	-#if defined(HAVE_ASPRINTF)
19	- asprintf(&buf, fmt, SENDMAIL, spambucket);
20	-#else
21	-#if defined(HAVE_SNPRINTF)
22	- snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket);
23	-#else
24	- /* XXX possible buffer overflow here */
25	- sprintf(buf, fmt, SENDMAIL, spambucket);
26	-#endif
27	-#endif
28	-
29	- debug(D_COPY, "calling %s", buf);
30	#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
31	rv = pthread_mutex_lock(&popen_mutex);
32	if (rv)
33	@@ -493,15 +478,17 @@
34	abort();
35	}
36	#endif
37	- p = popen(buf, "w");
38	+ debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
39	+ p = popenv(popen_argv, "w", &pid);
40	if (!p)
41	{
42	- debug(D_COPY, "popen failed(%s). Will not send a copy to spambucket", strerror(errno));
43	+ debug(D_COPY, "popenv failed(%s). Will not send a copy to spambucket", strerror(errno));
44	} else
45	{
46	// Send message provided by SpamAssassin
47	fwrite(assassin->d().c_str(), assassin->d().size(), 1, p);
48	- pclose(p); p = NULL;
49	+ fclose(p); p = NULL;
50	+ waitpid(pid, NULL, 0);
51	}
52	#if defined(__FreeBSD__)
53	rv = pthread_mutex_unlock(&popen_mutex);
54	@@ -511,9 +498,6 @@
55	abort();
56	}
57	#endif
58	-#if defined(HAVE_ASPRINTF)
59	- free(buf);
60	-#endif
61	}
62	return SMFIS_REJECT;
63	}
64	@@ -842,16 +826,12 @@
65	/* open a pipe to sendmail so we can do address expansion */
66
67	char buf[1024];
68	- char *fmt="%s -bv \"%s\" 2>&1";
69	+ char sendmail_prog[] = SENDMAIL;
70	+ char sendmail_mode[] = "-bv";
71	+ char * const popen_argv[] = { sendmail_prog, sendmail_mode, envrcpt[0], NULL };
72	+ pid_t pid;
73
74	-#if defined(HAVE_SNPRINTF)
75	- snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
76	-#else
77	- /* XXX possible buffer overflow here */
78	- sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
79	-#endif
80	-
81	- debug(D_RCPT, "calling %s", buf);
82	+ debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
83
84	#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
85	rv = pthread_mutex_lock(&popen_mutex);
86	@@ -862,10 +842,10 @@
87	}
88	#endif
89
90	- p = popen(buf, "r");
91	+ p = popenv(popen_argv, "r", &pid);
92	if (!p)
93	{
94	- debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
95	+ debug(D_RCPT, "popenv failed(%s). Will not expand aliases", strerror(errno));
96	assassin->expandedrcpt.push_back(envrcpt[0]);
97	} else
98	{
99	@@ -890,7 +870,8 @@
100	assassin->expandedrcpt.push_back(p+7);
101	}
102	}
103	- pclose(p); p = NULL;
104	+ fclose(p); p = NULL;
105	+ waitpid(pid, NULL, 0);
106	}
107	#if defined(__FreeBSD__)
108	rv = pthread_mutex_unlock(&popen_mutex);
109	@@ -1002,9 +983,9 @@
110
111	assassin->output((string)
112	"Received: from "+macro_s+" ("+macro__+")\r\n\t"+
113	- "by "+macro_j+"("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+
114	+ "by "+macro_j+" ("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+";\r\n\t"+
115	macro_b+"\r\n\t"+
116	- "(envelope-from "+assassin->from()+"\r\n");
117	+ "(envelope-from "+assassin->from()+")\r\n");
118
119	} else
120	assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n");
121	@@ -2157,5 +2138,72 @@
122	warnedmacro = true;
123	}
124
125	+/*
126	+ untrusted-argument-safe popen function - only supports "r" and "w" modes
127	+ for simplicity, and always reads stdout and stderr in "r" mode. Call
128	+ fclose to close the FILE, and waitpid to reap the child process (pid).
129	+*/
130	+FILE popenv(char const argv[], const char type, pid_t pid)
131	+{
132	+ FILE *iop;
133	+ int pdes[2];
134	+ int save_errno;
135	+
136	+ if ((type != 'r' && type != 'w') \|\| type[1])
137	+ {
138	+ errno = EINVAL;
139	+ return (NULL);
140	+ }
141	+ if (pipe(pdes) < 0)
142	+ return (NULL);
143	+ switch (*pid = fork()) {
144	+
145	+ case -1: /* Error. */
146	+ save_errno = errno;
147	+ (void)close(pdes[0]);
148	+ (void)close(pdes[1]);
149	+ errno = save_errno;
150	+ return (NULL);
151	+ /* NOTREACHED */
152	+ case 0: /* Child. */
153	+ if (*type == 'r') {
154	+ /*
155	+ * The dup2() to STDIN_FILENO is repeated to avoid
156	+ * writing to pdes[1], which might corrupt the
157	+ * parent's copy. This isn't good enough in
158	+ * general, since the exit() is no return, so
159	+ * the compiler is free to corrupt all the local
160	+ * variables.
161	+ */
162	+ (void)close(pdes[0]);
163	+ (void)dup2(pdes[1], STDOUT_FILENO);
164	+ (void)dup2(pdes[1], STDERR_FILENO);
165	+ if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) {
166	+ (void)close(pdes[1]);
167	+ }
168	+ } else {
169	+ if (pdes[0] != STDIN_FILENO) {
170	+ (void)dup2(pdes[0], STDIN_FILENO);
171	+ (void)close(pdes[0]);
172	+ }
173	+ (void)close(pdes[1]);
174	+ }
175	+ execv(argv[0], argv);
176	+ exit(127);
177	+ /* NOTREACHED */
178	+ }
179	+
180	+ /* Parent; assume fdopen can't fail. */
181	+ if (*type == 'r') {
182	+ iop = fdopen(pdes[0], type);
183	+ (void)close(pdes[1]);
184	+ } else {
185	+ iop = fdopen(pdes[1], type);
186	+ (void)close(pdes[0]);
187	+ }
188	+
189	+ return (iop);
190	+}
191	+
192	// }}}
193	// vim6:ai:noexpandtab