authorDima Panov <fluffy@FreeBSD.org>2020-11-25 12:39:08 +0000
committerDima Panov <fluffy@FreeBSD.org>2020-11-25 12:39:08 +0000
commita2162f9837b85ad2aaf45d2f6ef80587ab593054 (patch)
tree7e3837e5e39fc8b5f120804f41d0ee1f7f322f8d
parent1eccc841ac06215ec6b2ad0a2db54830e008ac78 (diff)
MFH: r556289
mail/exim: import exim-4.94+fixes branch as state of 2020.11.25 Used git diffs: [38/42] GnuTLS: clear errno before any data i/o op, so error logging does not see stale values [39/42] Fix non-TLS build [40/42] eximon: fix FreeBSD build [41/42] LDAP: fix taint-check in server list walk. Bug 2646 [42/42] Pass authenticator pubname through spool. Bug 2648 Also patch files/150.exim-tidydb to prevent its output when daily_show_success=NO. [1] Submitted by: Dmitry Selivanov <sd@rlan.ru> via email [1] Approved by: ports-secteam (with hat on)
Notes
Notes: svn path=/branches/2020Q4/; revision=556290
-rw-r--r--mail/exim/Makefile2
-rw-r--r--mail/exim/files/150.exim-tidydb.sh7
-rw-r--r--mail/exim/files/patch-z0038-GnuTLS-clear-errno-before-any-data-i-o-op-so-error-logging41
-rw-r--r--mail/exim/files/patch-z0039-Fix-non-TLS-build83
-rw-r--r--mail/exim/files/patch-z0040-eximon-fix-FreeBSD-build25
-rw-r--r--mail/exim/files/patch-z0041-LDAP-fix-taint-check-in-server-list-walk.-Bug-264651
-rw-r--r--mail/exim/files/patch-z0042-Pass-authenticator-pubname-through-spool.-Bug-2648107
7 files changed, 314 insertions, 2 deletions
diff --git a/mail/exim/Makefile b/mail/exim/Makefile
index d5add0c80bef..6d184106ace1 100644
--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@@ -3,7 +3,7 @@
PORTNAME= exim
PORTVERSION?= ${EXIM_VERSION}
-PORTREVISION?= 2
+PORTREVISION?= 3
CATEGORIES= mail
MASTER_SITES= EXIM:exim
MASTER_SITE_SUBDIR= /exim4/:exim \
diff --git a/mail/exim/files/150.exim-tidydb.sh b/mail/exim/files/150.exim-tidydb.sh
index 95a49c088b4f..1fec3fd67c81 100644
--- a/mail/exim/files/150.exim-tidydb.sh
+++ b/mail/exim/files/150.exim-tidydb.sh
@@ -38,7 +38,12 @@ case "$exim_tidydb_enable" in
echo ""
echo "Tidying Exim hints databases:"
eval tidy "$exim_tidydb_filter"
- rc=1;;
+ if [ $? = 0 ]; then
+ rc=0
+ else
+ rc=1
+ fi
+ ;;
*) rc=0;;
esac
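Review bot: The new test maps every non-zero status of `tidy` to `rc=1`, which periodic(8) treats as "notable information" rather than a failure, so a failed tidy run is reported at the same level as routine output and is hidden when `daily_show_info` is off. `tidy` is defined outside this hunk, so `$?` is whatever its last command returned; if it loops over several hints databases, only the last one decides the result, which is worth confirming. If failures should stay visible, `eval tidy "$exim_tidydb_filter" && rc=0 || rc=3` keeps the success case quiet and marks the failure as an error.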
diff --git a/mail/exim/files/patch-z0038-GnuTLS-clear-errno-before-any-data-i-o-op-so-error-logging b/mail/exim/files/patch-z0038-GnuTLS-clear-errno-before-any-data-i-o-op-so-error-logging
new file mode 100644
index 000000000000..b3c9af46aee7
--- /dev/null
+++ b/mail/exim/files/patch-z0038-GnuTLS-clear-errno-before-any-data-i-o-op-so-error-logging
@@ -0,0 +1,41 @@
+From 49d173f4e4c05bbc9e6f256f8914979dad85e9d3 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Sun, 6 Sep 2020 12:15:10 +0100
+Subject: [PATCH 38/42] GnuTLS: clear errno before any data i/o op, so error
+ logging does not see stale values
+
+(cherry picked from commit d52a8ce8499fbb88f4670623df9f52d3e790292b)
+---
+ src/tls-gnu.c | 3 +++
+
+diff --git src/tls-gnu.c src/tls-gnu.c
+index dafe1be0c..6ee603595 100644
+--- src/tls-gnu.c
++++ src/tls-gnu.c
+@@ -3162,6 +3162,7 @@ DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buf
+ sigalrm_seen = FALSE;
+ if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+
++errno = 0;
+ do
+ inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
+ MIN(ssl_xfer_buffer_size, lim));
+@@ -3322,6 +3323,7 @@ DEBUG(D_tls)
+ debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
+ state->session, buff, len);
+
++errno = 0;
+ do
+ inbytes = gnutls_record_recv(state->session, buff, len);
+ while (inbytes == GNUTLS_E_AGAIN);
+@@ -3385,6 +3387,7 @@ while (left > 0)
+ DEBUG(D_tls) debug_printf("gnutls_record_send(session=%p, buffer=%p, left=" SIZE_T_FMT ")\n",
+ state->session, buff, left);
+
++ errno = 0;
+ do
+ outbytes = gnutls_record_send(state->session, buff, left);
+ while (outbytes == GNUTLS_E_AGAIN);
+--
+2.29.2
+
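Review bot: `errno = 0` sits before each `do … while (… == GNUTLS_E_AGAIN)` loop rather than inside it, so a value left behind by a retried call (typically EAGAIN) is still in `errno` if a later iteration fails in a way that does not set it, and the error log would then show the kind of stale code this patch is meant to remove. Resetting per attempt closes that gap, e.g. `do { errno = 0; inbytes = gnutls_record_recv(state->session, buff, len); } while (inbytes == GNUTLS_E_AGAIN);`, and the same applies to the other receive loop and the `gnutls_record_send` loop. The first loop's `while` line and all three enclosing functions lie outside the visible hunks.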
diff --git a/mail/exim/files/patch-z0039-Fix-non-TLS-build b/mail/exim/files/patch-z0039-Fix-non-TLS-build
new file mode 100644
index 000000000000..ef9ef5c34095
--- /dev/null
+++ b/mail/exim/files/patch-z0039-Fix-non-TLS-build
@@ -0,0 +1,83 @@
+From 7a534c812646a7a6f680827352d6209c6ff7be96 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 27 Aug 2020 21:15:19 +0100
+Subject: [PATCH 39/42] Fix non-TLS build
+
+(cherry picked from commit b38a477da0a5248ed1d2b7590922c89c6337ec3b)
+---
+ src/transports/smtp.c | 18 +++++++++---------
+
+diff --git src/transports/smtp.c src/transports/smtp.c
+index 77335af09..b0dedfa8c 100644
+--- src/transports/smtp.c
++++ src/transports/smtp.c
+@@ -1989,7 +1989,7 @@ if (sx->smtps)
+ DEFER, FALSE, &sx->delivery_start);
+ return ERROR;
+ }
+-#endif
++#else
+
+ /* If we have a proxied TLS connection, check usability for this message */
+
+@@ -1998,7 +1998,7 @@ if (continue_hostname && continue_proxy_cipher)
+ int rc;
+ const uschar * sni = US"";
+
+-#ifdef SUPPORT_DANE
++# ifdef SUPPORT_DANE
+ /* Check if the message will be DANE-verified; if so force its SNI */
+
+ tls_out.dane_verified = FALSE;
+@@ -2018,14 +2018,14 @@ if (continue_hostname && continue_proxy_cipher)
+ string_sprintf("DANE error: tlsa lookup %s",
+ rc_to_string(rc)),
+ rc, FALSE, &sx->delivery_start);
+-# ifndef DISABLE_EVENT
++# ifndef DISABLE_EVENT
+ (void) event_raise(sx->conn_args.tblock->event_action,
+ US"dane:fail", sx->dane_required
+ ? US"dane-required" : US"dnssec-invalid");
+-# endif
++# endif
+ return rc;
+ }
+-#endif
++# endif
+
+ /* If the SNI or the DANE status required for the new message differs from the
+ existing conn drop the connection to force a new one. */
+@@ -2035,7 +2035,7 @@ if (continue_hostname && continue_proxy_cipher)
+ "<%s>: failed to expand transport's tls_sni value: %s",
+ sx->addrlist->address, expand_string_message);
+
+-#ifdef SUPPORT_DANE
++# ifdef SUPPORT_DANE
+ if ( (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni)
+ && continue_proxy_dane == sx->conn_args.dane)
+ {
+@@ -2043,10 +2043,10 @@ if (continue_hostname && continue_proxy_cipher)
+ if ((tls_out.dane_verified = continue_proxy_dane))
+ sx->conn_args.host->dnssec = DS_YES;
+ }
+-#else
++# else
+ if ((continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni))
+ tls_out.sni = US sni;
+-#endif
++# endif
+ else
+ {
+ DEBUG(D_transport)
+@@ -2062,7 +2062,7 @@ if (continue_hostname && continue_proxy_cipher)
+ back through reporting pipe. */
+ }
+ }
+-
++#endif /*!DISABLE_TLS*/
+
+ /* Make a connection to the host if this isn't a continued delivery, and handle
+ the initial interaction and HELO/EHLO/LHLO. Connect timeout errors are handled
+--
+2.29.2
+
diff --git a/mail/exim/files/patch-z0040-eximon-fix-FreeBSD-build b/mail/exim/files/patch-z0040-eximon-fix-FreeBSD-build
new file mode 100644
index 000000000000..5486082bdd76
--- /dev/null
+++ b/mail/exim/files/patch-z0040-eximon-fix-FreeBSD-build
@@ -0,0 +1,25 @@
+From f521f0d2120be2ccfb93306cc05790b9b0f162c1 Mon Sep 17 00:00:00 2001
+From: Richard Clayton <richard@highwayman.com>
+Date: Sat, 12 Sep 2020 22:10:04 +0100
+Subject: [PATCH 40/42] eximon: fix FreeBSD build
+
+(cherry picked from commit ba00bdd4609501dd3ffe187074ff7f8197a9059f)
+---
+ exim_monitor/em_menu.c | 2 +-
+
+diff --git exim_monitor/em_menu.c exim_monitor/em_menu.c
+index 33b3e0c94..2a70a1831 100644
+--- exim_monitor/em_menu.c
++++ exim_monitor/em_menu.c
+@@ -670,7 +670,7 @@ if (spool_read_header(buffer, TRUE, FALSE) != spool_read_OK)
+ sprintf(CS big_buffer, "%s/input/%s", spool_directory, buffer);
+ if (Ustat(big_buffer, &statbuf) == 0)
+ text_showf(text, "Format error in spool file %s: size=%lu\n", buffer,
+- (ulong)statbuf.st_size);
++ (unsigned long)statbuf.st_size);
+ else text_showf(text, "Format error in spool file %s\n", buffer);
+ }
+ else text_showf(text, "Read error for spool file %s\n", buffer);
+--
+2.29.2
+
diff --git a/mail/exim/files/patch-z0041-LDAP-fix-taint-check-in-server-list-walk.-Bug-2646 b/mail/exim/files/patch-z0041-LDAP-fix-taint-check-in-server-list-walk.-Bug-2646
new file mode 100644
index 000000000000..14a0a02fa090
--- /dev/null
+++ b/mail/exim/files/patch-z0041-LDAP-fix-taint-check-in-server-list-walk.-Bug-2646
@@ -0,0 +1,51 @@
+From e12d2e7bc2e9f0c30a1029602e57e5ae8df1b9db Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Fri, 30 Oct 2020 13:58:01 +0000
+Subject: [PATCH 41/42] LDAP: fix taint-check in server list walk. Bug
+ 2646
+
+ (cherry picked from commit 51b611aa81d7ee01243b196abc34a0e2eabd293c)
+---
+ doc/ChangeLog | 5 +++++
+ src/lookups/ldap.c | 3 +--
+
+diff --git doc/ChangeLog doc/ChangeLog
+index ec1b03304..9924fca5c 100644
+--- doc/ChangeLog
++++ doc/ChangeLog
+@@ -102,6 +102,11 @@ JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
+ JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
+ in quotes.
+
++JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more
++ than one server was defined and depending on the platform memory layout
++ details, an internal consistency trap could be hit while walking the list
++ of servers.
++
+
+ Exim version 4.94
+ -----------------
+diff --git src/lookups/ldap.c src/lookups/ldap.c
+index ef550a08d..34908a351 100644
+--- src/lookups/ldap.c
++++ src/lookups/ldap.c
+@@ -1093,7 +1093,6 @@ uschar *password = NULL;
+ uschar *local_servers = NULL;
+ uschar *server;
+ const uschar *list;
+-uschar buffer[512];
+
+ while (isspace(*url)) url++;
+
+@@ -1254,7 +1253,7 @@ if (!eldap_default_servers && !local_servers || p[3] != '/')
+ /* Loop through the default servers until OK or FAIL. Use local_servers list
+ * if defined in the lookup, otherwise use the global default list */
+ list = !local_servers ? eldap_default_servers : local_servers;
+-while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
++while ((server = string_nextinlist(&list, &sep, NULL, 0)))
+ {
+ int rc;
+ int port = 0;
+--
+2.29.2
+
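Review bot: The call `string_nextinlist(&list, &sep, NULL, 0)` has no comment saying why the fixed buffer was dropped, and the old `buffer, sizeof(buffer)` form looks like the cheaper choice to a later reader. A one-line comment above the loop would record it, for example `/* NULL buffer: each server name is returned in allocated store rather than a stack buffer, which tripped the taint check (Bug 2646) */`. That wording is inferred from the patch subject and the ChangeLog entry, so it should be checked against `string_nextinlist()` itself; the enclosing function starts and ends outside the hunk.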
diff --git a/mail/exim/files/patch-z0042-Pass-authenticator-pubname-through-spool.-Bug-2648 b/mail/exim/files/patch-z0042-Pass-authenticator-pubname-through-spool.-Bug-2648
new file mode 100644
index 000000000000..365d36034fd0
--- /dev/null
+++ b/mail/exim/files/patch-z0042-Pass-authenticator-pubname-through-spool.-Bug-2648
@@ -0,0 +1,107 @@
+From a3ab48f23ee4a83f796440ef67d7ac7b43aad4b5 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Sat, 31 Oct 2020 23:58:11 +0000
+Subject: [PATCH 42/42] Pass authenticator pubname through spool. Bug 2648
+
+(cherry picked from commit a75ebe0dcc5faeb915cacb0d9db66d2475789116)
+---
+ doc/ChangeLog | 4 ++++
+ exim_monitor/em_globals.c | 1 +
+ src/smtp_in.c | 12 +++++++-----
+ src/spool_in.c | 4 +++-
+ src/spool_out.c | 6 ++++--
+
+diff --git doc/ChangeLog doc/ChangeLog
+index 9924fca5c..4759e018e 100644
+--- doc/ChangeLog
++++ doc/ChangeLog
+@@ -107,6 +107,10 @@ JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more
+ details, an internal consistency trap could be hit while walking the list
+ of servers.
+
++JH/27 Bug 2648: fix the passing of an authenticator public-name through spool
++ files. The value is used by the authresults expansion item. Previously
++ if this was used in a router or transport, a crash could result.
++
+
+ Exim version 4.94
+ -----------------
+diff --git exim_monitor/em_globals.c exim_monitor/em_globals.c
+index 925e88e05..30d22b5eb 100644
+--- exim_monitor/em_globals.c
++++ exim_monitor/em_globals.c
+@@ -205,6 +205,7 @@ uschar *sender_address = NULL;
+ uschar *sender_fullhost = NULL;
+ uschar *sender_helo_name = NULL;
+ uschar *sender_host_address = NULL;
++uschar *sender_host_auth_pubname = NULL;
+ uschar *sender_host_authenticated = NULL;
+ uschar *sender_host_name = NULL;
+ int sender_host_port = 0;
+diff --git src/smtp_in.c src/smtp_in.c
+index a13f0ed63..f53c3cf65 100644
+--- src/smtp_in.c
++++ src/smtp_in.c
+@@ -5935,12 +5935,14 @@ if (!sender_host_authenticated)
+
+ g = string_append(g, 2, US";\n\tauth=pass (", sender_host_auth_pubname);
+
+-if (Ustrcmp(sender_host_auth_pubname, "tls") != 0)
+- g = string_append(g, 2, US") smtp.auth=", authenticated_id);
+-else if (authenticated_id)
+- g = string_append(g, 2, US") x509.auth=", authenticated_id);
++if (Ustrcmp(sender_host_auth_pubname, "tls") == 0)
++ g = authenticated_id
++ ? string_append(g, 2, US") x509.auth=", authenticated_id)
++ : string_cat(g, US") reason=x509.auth");
+ else
+- g = string_catn(g, US") reason=x509.auth", 17);
++ g = authenticated_id
++ ? string_append(g, 2, US") smtp.auth=", authenticated_id)
++ : string_cat(g, US", no id saved)");
+
+ if (authenticated_sender)
+ g = string_append(g, 2, US" smtp.mailfrom=", authenticated_sender);
+diff --git src/spool_in.c src/spool_in.c
+index 1b4cefdb2..35e44df26 100644
+--- src/spool_in.c
++++ src/spool_in.c
+@@ -253,7 +253,7 @@ sender_helo_name = NULL;
+ sender_host_address = NULL;
+ sender_host_name = NULL;
+ sender_host_port = 0;
+-sender_host_authenticated = NULL;
++sender_host_authenticated = sender_host_auth_pubname = NULL;
+ sender_ident = NULL;
+ f.sender_local = FALSE;
+ f.sender_set_untrusted = FALSE;
+@@ -580,6 +580,8 @@ for (;;)
+ host_lookup_deferred = TRUE;
+ else if (Ustrcmp(p, "ost_lookup_failed") == 0)
+ host_lookup_failed = TRUE;
++ else if (Ustrncmp(p, "ost_auth_pubname", 16) == 0)
++ sender_host_auth_pubname = string_copy_taint(var + 18, tainted);
+ else if (Ustrncmp(p, "ost_auth", 8) == 0)
+ sender_host_authenticated = string_copy_taint(var + 10, tainted);
+ else if (Ustrncmp(p, "ost_name", 8) == 0)
+diff --git src/spool_out.c src/spool_out.c
+index 4b6539ecd..0851ce956 100644
+--- src/spool_out.c
++++ src/spool_out.c
+@@ -174,9 +174,11 @@ if (sender_host_address)
+ fprintf(fp, "-host_address %s.%d\n", sender_host_address, sender_host_port);
+ if (sender_host_name)
+ spool_var_write(fp, US"host_name", sender_host_name);
+- if (sender_host_authenticated)
+- spool_var_write(fp, US"host_auth", sender_host_authenticated);
+ }
++if (sender_host_authenticated)
++ spool_var_write(fp, US"host_auth", sender_host_authenticated);
++if (sender_host_auth_pubname)
++ spool_var_write(fp, US"host_auth_pubname", sender_host_auth_pubname);
+
+ /* Also about the interface a message came in on */
+
+--
+2.29.2
+
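Review bot: In the `src/smtp_in.c` hunk `sender_host_auth_pubname` is passed to `string_append()` and `Ustrcmp()` without a NULL test, and the only guard visible (in the hunk header) is `if (!sender_host_authenticated)`. A message spooled by the previous binary has a `-host_auth` line but no `-host_auth_pubname` line, so after the upgrade `spool_in.c` would leave the pubname NULL while the authenticator name is set, and the crash described in the ChangeLog entry could presumably still occur for mail already on the queue. Extending the guard, `if (!sender_host_authenticated || !sender_host_auth_pubname)`, would cover those files; the function body starts outside the hunk, so confirm no earlier check exists.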