From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 57BEA138350 for ; Wed, 29 Jan 2020 08:51:44 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 784A3E0848; Wed, 29 Jan 2020 08:51:43 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 49949E0848 for ; Wed, 29 Jan 2020 08:51:43 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id AA11B34E4D9 for ; Wed, 29 Jan 2020 08:51:41 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 368B5107 for ; Wed, 29 Jan 2020 08:51:39 +0000 (UTC) 
From: "Jason A. Donenfeld"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason A. Donenfeld"
Message-ID: <1580287886.fabf7b6f4a9b8240f1ae4cef4dde4a2300722c9c.zx2c4@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: mail-mta/opensmtpd/files/, mail-mta/opensmtpd/
X-VCS-Repository: repo/gentoo
X-VCS-Files: mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild
X-VCS-Directories: mail-mta/opensmtpd/ mail-mta/opensmtpd/files/
X-VCS-Committer: zx2c4
X-VCS-Committer-Name: Jason A. Donenfeld
X-VCS-Revision: fabf7b6f4a9b8240f1ae4cef4dde4a2300722c9c
X-VCS-Branch: master
Date: Wed, 29 Jan 2020 08:51:39 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 732b09b5-5710-4c08-9f4d-fa5fb988c9ba
X-Archives-Hash: 8e8ed66835a02bc43b5f7b2709e73dfe

commit:     fabf7b6f4a9b8240f1ae4cef4dde4a2300722c9c
Author:     Jason A. Donenfeld gentoo org>
AuthorDate: Wed Jan 29 08:51:03 2020 +0000
Commit:     Jason A. Donenfeld gentoo org>
CommitDate: Wed Jan 29 08:51:26 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fabf7b6f

mail-mta/opensmtpd: bump for security disaster

Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Jason A. Donenfeld gentoo.org>

 .../files/opensmtpd-6.0.3_p1-security-fixes.patch | 91 ++++++++++++++++++++++
 ...3_p1-r1.ebuild => opensmtpd-6.0.3_p1-r2.ebuild} | 3 +-
 2 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
new file mode 100644
index 00000000000..58f3ed8c38b
--- /dev/null
+++ b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch 
@@ -0,0 +1,91 @@ +diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c +--- OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c 2018-01-04 23:24:01.000000000 +0100 ++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c 2020-01-29 09:47:24.607457717 +0100 +@@ -1290,40 +1290,20 @@ + break; + + case IO_ERROR: ++ case IO_TLSERROR: + log_debug("debug: mta: %p: IO error: %s", s, io_error(io)); +- if (!s->ready) { +- mta_error(s, "IO Error: %s", io_error(io)); +- mta_connect(s); +- break; +- } +- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) { +- /* error in non-strict SSL negotiation, downgrade to plain */ +- if (s->flags & MTA_TLS) { +- log_info("smtp-out: Error on session %016"PRIx64 +- ": opportunistic TLS failed, " +- "downgrading to plain", s->id); +- s->flags &= ~MTA_TLS; +- s->flags |= MTA_DOWNGRADE_PLAIN; +- mta_connect(s); +- break; +- } +- } +- mta_error(s, "IO Error: %s", io_error(io)); +- mta_free(s); +- break; + +- case IO_TLSERROR: +- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io)); +- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) { ++ if (s->state == MTA_STARTTLS && s->use_smtp_tls) { + /* error in non-strict SSL negotiation, downgrade to plain */ +- log_info("smtp-out: TLS Error on session %016"PRIx64 +- ": TLS failed, " ++ log_info("smtp-out: Error on session %016"PRIx64 ++ ": opportunistic TLS failed, " + "downgrading to plain", s->id); + s->flags &= ~MTA_TLS; + s->flags |= MTA_DOWNGRADE_PLAIN; + mta_connect(s); + break; + } ++ + mta_error(s, "IO Error: %s", io_error(io)); + mta_free(s); + break; +diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c +--- OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c 2018-01-04 23:24:01.000000000 +0100 ++++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c 2020-01-29 09:47:24.610791335 +0100 +@@ -2004,25 +2004,23 @@ + memmove(maddr->user, p, 
strlen(p) + 1); + } + +- if (!valid_localpart(maddr->user) || +- !valid_domainpart(maddr->domain)) { +- /* accept empty return-path in MAIL FROM, required for bounces */ +- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') +- return (1); ++ /* accept empty return-path in MAIL FROM, required for bounces */ ++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') ++ return (1); + +- /* no user-part, reject */ +- if (maddr->user[0] == '\0') +- return (0); +- +- /* no domain, local user */ +- if (maddr->domain[0] == '\0') { +- (void)strlcpy(maddr->domain, domain, +- sizeof(maddr->domain)); +- return (1); +- } ++ /* no or invalid user-part, reject */ ++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user)) + return (0); ++ ++ /* no domain part, local user */ ++ if (maddr->domain[0] == '\0') { ++ (void)strlcpy(maddr->domain, domain, ++ sizeof(maddr->domain)); + } + ++ if (!valid_domainpart(maddr->domain)) ++ return (0); ++ + return (1); + } + diff --git a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild similarity index 96% rename from mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild rename to mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild index bd087d961d5..bed05258e9c 100644 --- a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r1.ebuild +++ b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r2.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 @@ -42,6 +42,7 @@ S=${WORKDIR}/${P/_} PATCHES=( "${FILESDIR}/${P}-fix-crash-on-auth.patch" "${FILESDIR}/${P}-openssl_1.1.patch" + "${FILESDIR}/${P}-security-fixes.patch" ) src_configure() {
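Review bot: In the mta_session.c hunk, the downgrade-to-plaintext branch no longer tests `MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL`; it relies entirely on `s->state == MTA_STARTTLS && s->use_smtp_tls` to mean "opportunistic TLS, not mandated". That is the security-critical condition of this hunk, so the backport should confirm that in the 6.0.3 tree `use_smtp_tls` is never set for a relay whose TLS is forced, and that the field exists at all in this version, since the `+++` header shows the patch was cut against a freshly edited copy rather than an upstream release. Two further behaviour changes deserve a sentence in the commit message: the pre-`ready` `mta_error(...); mta_connect(s);` retry path is removed, so an IO error before the session is ready now ends in `mta_free(s)` instead of moving on to the next connection attempt, and an IO error in any state other than `MTA_STARTTLS` on an opportunistic-TLS session now fails the session instead of downgrading it, which narrows the window in which a failed TLS handshake turns into a plaintext delivery.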
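Review bot: In the smtp_session.c hunk, the reordering fixes the old control flow, where an address with an empty domain reached `return (1)` inside the `!valid_localpart(...) || !valid_domainpart(...)` block without `valid_localpart(maddr->user)` ever being confirmed true; now the user part is rejected before the default domain is filled in. Two things to check before merging: `valid_domainpart()` now also runs against the value copied from the `domain` argument, so a configured local domain that does not pass `valid_domainpart()` will make every bare local-user address fail where it was previously accepted; and `(void)strlcpy(maddr->domain, domain, sizeof(maddr->domain))` still discards the return value, so a `domain` longer than the buffer is silently truncated before it is validated. Comparing the return value of `strlcpy` against `sizeof(maddr->domain)` and returning 0 on truncation would close that gap.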
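Review bot: In the ebuild hunk, the new `"${FILESDIR}/${P}-security-fixes.patch"` entry carries no comment naming the upstream commits or advisory it backports, and the commit message ("bump for security disaster") does not either; a one-line comment above the entry pointing at the upstream fix would let future maintainers know when the patch can be dropped on the next version bump. The name resolves to `opensmtpd-6.0.3_p1-security-fixes.patch`, which matches the file added in this commit, and the copyright-year change to 2020 together with the -r1 to -r2 rename is consistent with a revision bump that rebuilds installed systems.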