MFH: r527012

mail/opensmtpd: update to 6.6.4p1 security releaase

SECURITY RELEASE

An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

Approved by:	ports-secteam (joneum)
Security:	CVE-2020-8793, CVE-2020-8794

3 files changed, 9 insertions, 6 deletions

diff --git a/mail/opensmtpd/Makefile b/mail/opensmtpd/Makefile
index eaa992b11e8b..af5fc866ed74 100644
--- a/mail/opensmtpd/Makefile
+++ b/mail/opensmtpd/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	opensmtpd
-PORTVERSION=	6.6.3
+PORTVERSION=	6.6.4
 DISTVERSIONSUFFIX=	p1
 PORTEPOCH=	1
 PORTREVISION=	0
@@ -55,7 +55,10 @@ TABLE_DB_CONFIGURE_WITH=	table-db
 
 CONFIGURE_ARGS+=	--with-libasr=${LOCALBASE} \
 			--with-libevent=${LOCALBASE} \
-			--sysconfdir=${PREFIX}/etc/mail/
+			--sysconfdir=${PREFIX}/etc/mail/ \
+			--with-user-smtpd=_smtpd \
+			--with-user-queue=_smtpq \
+			--with-group-queue=_smtpq
 
 .include <bsd.port.pre.mk>
 
diff --git a/mail/opensmtpd/distinfo b/mail/opensmtpd/distinfo
index b73b1d54e9d8..3dce126e5263 100644
--- a/mail/opensmtpd/distinfo
+++ b/mail/opensmtpd/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1581434283
-SHA256 (opensmtpd-6.6.3p1.tar.gz) = 9ef7c0eb7ffc5c84dca7651cec69bd7b180014cd5227f6dbc7a303eaa9d41eb7
-SIZE (opensmtpd-6.6.3p1.tar.gz) = 787196
+TIMESTAMP = 1582566329
+SHA256 (opensmtpd-6.6.4p1.tar.gz) = e2f9962a6b99b3cc1572b63a10db648fdca4ad2b58079b680b4202cc7c82d7cf
+SIZE (opensmtpd-6.6.4p1.tar.gz) = 790754
diff --git a/mail/opensmtpd/pkg-plist b/mail/opensmtpd/pkg-plist
index 001970f94371..7ddf01b07681 100644
--- a/mail/opensmtpd/pkg-plist
+++ b/mail/opensmtpd/pkg-plist
@@ -8,7 +8,7 @@ libexec/opensmtpd/mail.maildir
 libexec/opensmtpd/mail.mboxfile
 libexec/opensmtpd/mail.mda
 %%TABLE_DB%%libexec/opensmtpd/makemap
-@(,,2555) sbin/smtpctl
+@(,_smtpq,2555) sbin/smtpctl
 sbin/smtpd
 man/man1/smtp.1.gz
 man/man5/aliases.5.gz