From: Gustavo Zacarias Date: Mon, 4 Aug 2014 19:34:55 +0000 (-0300) Subject: exim: security bump to version 4.83 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=80cfab8fdefa20cef32e5e591ebf9bc47d1d7bc5;p=buildroot.git exim: security bump to version 4.83 Fixes CVE-2014-2972 - prevent double expansion in math comparison functions (can expand unsanitized data). Also rename patches according to patch naming policy. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni
---
diff --git a/package/exim/exim-0001-Build-buildconfig-for-the-host.patch b/package/exim/exim-0001-Build-buildconfig-for-the-host.patch
new file mode 100644
index 0000000000..a926fbdab3
--- /dev/null
+++ b/package/exim/exim-0001-Build-buildconfig-for-the-host.patch
@@ -0,0 +1,23 @@
+buildconfig is meant to be executed on the host, so it has to be compiled
+using $(HOSTCC), not $(CC).
+
+Signed-off-by: Luca Ceresoli
+---
+ OS/Makefile-Base | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/OS/Makefile-Base b/OS/Makefile-Base
+index 29a6ad3..420ba60 100644
+--- a/OS/Makefile-Base
++++ b/OS/Makefile-Base
+@@ -114,8 +114,8 @@ allexim: config.h $(EXIM_MONITOR) exicyclog exinext exiwhat \
+
+ # Targets for special-purpose configuration header builders
+ buildconfig: buildconfig.c
+- @echo "$(CC) buildconfig.c"
+- $(FE)$(CC) $(CFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS)
++ @echo "$(HOSTCC) buildconfig.c"
++ $(FE)$(HOSTCC) $(HOSTCFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS)
+
+
+ # Target for the exicyclog utility script
diff --git a/package/exim/exim-0002-Don-t-make-backup-copies-of-installed-files.patch b/package/exim/exim-0002-Don-t-make-backup-copies-of-installed-files.patch
new file mode 100644
index 0000000000..0cdaa744bc
--- /dev/null
+++ b/package/exim/exim-0002-Don-t-make-backup-copies-of-installed-files.patch
@@ -0,0 +1,40 @@
+If exim had already been installed, the install script makes backup
+copies of the pre-existing executables with a ".0" suffix.
+
+This leads to useless duplicated files on the target, so disable this
+piece of code.
+
+Signed-off-by: Luca Ceresoli
+---
+ scripts/exim_install | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/scripts/exim_install b/scripts/exim_install
+index 616ab3c..e68e7d5 100755
+--- a/scripts/exim_install
++++ b/scripts/exim_install
+@@ -344,15 +344,15 @@ while [ $# -gt 0 ]; do
+
+ else
+ if ../scripts/newer ${name} ${BIN_DIRECTORY}/${name}; then
+- if [ -f ${BIN_DIRECTORY}/${name} ]; then
+- echo ${CP} ${BIN_DIRECTORY}/${name} ${BIN_DIRECTORY}/${name}.O
+- ${real} ${CP} ${BIN_DIRECTORY}/${name} ${BIN_DIRECTORY}/${name}.O
+- if [ $? -ne 0 ]; then
+- echo $com ""
+- echo $com "*** Exim installation ${ver}failed ***"
+- exit 1
+- fi
+- fi
++# if [ -f ${BIN_DIRECTORY}/${name} ]; then
++# echo ${CP} ${BIN_DIRECTORY}/${name} ${BIN_DIRECTORY}/${name}.O
++# ${real} ${CP} ${BIN_DIRECTORY}/${name} ${BIN_DIRECTORY}/${name}.O
++# if [ $? -ne 0 ]; then
++# echo $com ""
++# echo $com "*** Exim installation ${ver}failed ***"
++# exit 1
++# fi
++# fi
+ echo ${CP} ${name} ${BIN_DIRECTORY}
+ ${real} ${CP} ${name} ${BIN_DIRECTORY}
+ if [ $? -ne 0 ]; then
diff --git a/package/exim/exim-0003-Skip-version-check-and-symlink-installation.patch b/package/exim/exim-0003-Skip-version-check-and-symlink-installation.patch
new file mode 100644
index 0000000000..94d21ae114
--- /dev/null
+++ b/package/exim/exim-0003-Skip-version-check-and-symlink-installation.patch
@@ -0,0 +1,40 @@
+The exim install script installs a binary named exim-, plus a symlink
+to it named exim.
+In order to achieve this "feature" (of dubious usefulness) it runs the
+executable (on the host) and then filters its output to grab the version number.
+This clearly cannot work if the executable is cross-compiled, so get rid of all
+of it and just install an executable file called exim.
+
+Inspired by:
+http://patch-tracker.debian.org/patch/series/view/exim4/4.76-2/35_install.dpatch
+
+Signed-off-by: Luca Ceresoli
+---
+ scripts/exim_install | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/exim_install b/scripts/exim_install
+index e68e7d5..487a4e1 100755
+--- a/scripts/exim_install
++++ b/scripts/exim_install
+@@ -59,6 +59,8 @@ while [ $# -gt 0 ] ; do
+ shift
+ done
+
++do_symlink=no
++
+ # Get the values of BIN_DIRECTORY, CONFIGURE_FILE, INFO_DIRECTORY, NO_SYMLINK,
+ # SYSTEM_ALIASES_FILE, and EXE from the global Makefile (in the build
+ # directory). EXE is empty except in the Cygwin environment. In each case, keep
+@@ -218,8 +220,9 @@ while [ $# -gt 0 ]; do
+ # The exim binary is handled specially
+
+ if [ $name = exim${EXE} ]; then
+- version=exim-`./exim -bV -C /dev/null | \
+- awk '/Exim version/ { OFS=""; print $3,"-",substr($4,2,length($4)-1) }'`${EXE}
++ version=exim
++# version=exim-`./exim -bV -C /dev/null | \
++# awk '/Exim version/ { OFS=""; print $3,"-",substr($4,2,length($4)-1) }'`${EXE}
+
+ if [ "${version}" = "exim-${EXE}" ]; then
+ echo $com ""
diff --git a/package/exim/exim-Build-buildconfig-for-the-host.patch b/package/exim/exim-Build-buildconfig-for-the-host.patch
deleted file mode 100644
index a926fbdab3..0000000000
--- a/package/exim/exim-Build-buildconfig-for-the-host.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-buildconfig is meant to be executed on the host, so it has to be compiled
-using $(HOSTCC), not $(CC).
-
-Signed-off-by: Luca Ceresoli
----
- OS/Makefile-Base | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/OS/Makefile-Base b/OS/Makefile-Base
-index 29a6ad3..420ba60 100644
---- a/OS/Makefile-Base
-+++ b/OS/Makefile-Base
-@@ -114,8 +114,8 @@ allexim: config.h $(EXIM_MONITOR) exicyclog exinext exiwhat \
-
- # Targets for special-purpose configuration header builders
- buildconfig: buildconfig.c
-- @echo "$(CC) buildconfig.c"
-- $(FE)$(CC) $(CFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS)
-+ @echo "$(HOSTCC) buildconfig.c"
-+ $(FE)$(HOSTCC) $(HOSTCFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS)
-
-
- # Target for the exicyclog utility script
diff --git a/package/exim/exim-Don-t-make-backup-copies-of-installed-files.patch b/package/exim/exim-Don-t-make-backup-copies-of-installed-files.patch
deleted file mode 100644
index 0cdaa744bc..0000000000
--- a/package/exim/exim-Don-t-make-backup-copies-of-installed-files.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-If exim had already been installed, the install script makes backup
-copies of the pre-existing executables with a ".0" suffix.
-
-This leads to useless duplicated files on the target, so disable this
-piece of code.
-
-Signed-off-by: Luca Ceresoli
----
- scripts/exim_install | 18 +++++++++---------
- 1 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/scripts/exim_install b/scripts/exim_install
-index 616ab3c..e68e7d5 100755
---- a/scripts/exim_install
-+++ b/scripts/exim_install
-@@ -344,15 +344,15 @@ while [ $# -gt 0 ]; do
-
- else
- if ../scripts/newer ${name} ${BIN_DIRECTORY}/${name}; then
-- if [ -f ${BIN_DIRECTORY}/${name} ]; then
-- echo ${CP} ${BIN_DIRECTORY}/${name} ${BIN_DIRECTORY}/${name}.O
-- ${real} ${CP} ${BIN_DIRECTORY}/${name} ${BIN_DIRECTORY}/${name}.O
-- if [ $? -ne 0 ]; then
-- echo $com ""
-- echo $com "*** Exim installation ${ver}failed ***"
-- exit 1
-- fi
-- fi
-+# if [ -f ${BIN_DIRECTORY}/${name} ]; then
-+# echo ${CP} ${BIN_DIRECTORY}/${name} ${BIN_DIRECTORY}/${name}.O
-+# ${real} ${CP} ${BIN_DIRECTORY}/${name} ${BIN_DIRECTORY}/${name}.O
-+# if [ $? -ne 0 ]; then
-+# echo $com ""
-+# echo $com "*** Exim installation ${ver}failed ***"
-+# exit 1
-+# fi
-+# fi
- echo ${CP} ${name} ${BIN_DIRECTORY}
- ${real} ${CP} ${name} ${BIN_DIRECTORY}
- if [ $? -ne 0 ]; then
diff --git a/package/exim/exim-Skip-version-check-and-symlink-installation.patch b/package/exim/exim-Skip-version-check-and-symlink-installation.patch
deleted file mode 100644
index 94d21ae114..0000000000
--- a/package/exim/exim-Skip-version-check-and-symlink-installation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-The exim install script installs a binary named exim-, plus a symlink
-to it named exim.
-In order to achieve this "feature" (of dubious usefulness) it runs the
-executable (on the host) and then filters its output to grab the version number.
-This clearly cannot work if the executable is cross-compiled, so get rid of all
-of it and just install an executable file called exim.
-
-Inspired by:
-http://patch-tracker.debian.org/patch/series/view/exim4/4.76-2/35_install.dpatch
-
-Signed-off-by: Luca Ceresoli
----
- scripts/exim_install | 7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/scripts/exim_install b/scripts/exim_install
-index e68e7d5..487a4e1 100755
---- a/scripts/exim_install
-+++ b/scripts/exim_install
-@@ -59,6 +59,8 @@ while [ $# -gt 0 ] ; do
- shift
- done
-
-+do_symlink=no
-+
- # Get the values of BIN_DIRECTORY, CONFIGURE_FILE, INFO_DIRECTORY, NO_SYMLINK,
- # SYSTEM_ALIASES_FILE, and EXE from the global Makefile (in the build
- # directory). EXE is empty except in the Cygwin environment. In each case, keep
-@@ -218,8 +220,9 @@ while [ $# -gt 0 ]; do
- # The exim binary is handled specially
-
- if [ $name = exim${EXE} ]; then
-- version=exim-`./exim -bV -C /dev/null | \
-- awk '/Exim version/ { OFS=""; print $3,"-",substr($4,2,length($4)-1) }'`${EXE}
-+ version=exim
-+# version=exim-`./exim -bV -C /dev/null | \
-+# awk '/Exim version/ { OFS=""; print $3,"-",substr($4,2,length($4)-1) }'`${EXE}
-
- if [ "${version}" = "exim-${EXE}" ]; then
- echo $com ""
diff --git a/package/exim/exim.mk b/package/exim/exim.mk
index 8be8e75cf3..845c5f8ab9 100644
--- a/package/exim/exim.mk
+++ b/package/exim/exim.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
-EXIM_VERSION = 4.82.1
+EXIM_VERSION = 4.83
 EXIM_SOURCE = exim-$(EXIM_VERSION).tar.bz2
 EXIM_SITE = ftp://ftp.exim.org/pub/exim/exim4
 EXIM_LICENSE = GPLv2+