[gentoo-commits] repo/gentoo:master commit in: mail-mta/exim/, mail-mta/exim/files/

["Fabian Groffen" <grobian@gentoo.org>]

commit:     1097635d14eeaaa52eeda75da3257a08c27bcf30
Author:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Wed Aug 21 07:39:00 2024 +0000
Commit:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Wed Aug 21 07:39:47 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1097635d

mail-mta/exim-4.97.1-r6: CVE-2024-39929

Bug: https://bugs.gentoo.org/938214
Signed-off-by: Fabian Groffen <grobian <AT> gentoo.org>

 mail-mta/exim/exim-4.97.1-r6.ebuild                | 637 +++++++++++++++++++++
 .../files/exim-4.97.1-CVE-2024-39929-part1.patch   | 111 ++++
 .../files/exim-4.97.1-CVE-2024-39929-part2.patch   | 247 ++++++++
 3 files changed, 995 insertions(+)

diff --git a/mail-mta/exim/exim-4.97.1-r6.ebuild b/mail-mta/exim/exim-4.97.1-r6.ebuild
new file mode 100644
index 000000000000..fbc02d2e7b6f
--- /dev/null
+++ b/mail-mta/exim/exim-4.97.1-r6.ebuild
@@ -0,0 +1,637 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit db-use flag-o-matic toolchain-funcs pam systemd
+
+IUSE="arc berkdb +dane dcc +dkim dlfunc dmarc +dnsdb doc dovecot-sasl
+dsn gdbm gnutls idn ipv6 ldap lmtp maildir mbx
+mysql nis pam perl pkcs11 postgres +prdr proxy radius redis sasl selinux
+socks5 spf sqlite srs +ssl syslog tdb tcpd +tpda X"
+REQUIRED_USE="
+	arc? ( dkim spf )
+	dane? ( ssl !gnutls )
+	!dane? ( ssl? ( gnutls ) )
+	dmarc? ( dkim spf )
+	dkim? ( ssl !gnutls )
+	gnutls? ( ssl )
+	pkcs11? ( ssl )
+	|| ( berkdb gdbm tdb )
+"
+# NOTE on USE="gnutls dane", gnutls[dane] is masked in base, unmasked
+# for x86 and amd64 only (probably due to unbound dep)
+# Exim supports it but we cannot express the dep USE=dane when
+# USE=gnutls is in effect only in package.use.mask, the only option we
+# have left is to a) ignore the dependency (but that results in bug
+# #661164) or b) mask the usage of USE=dane with USE=gnutls.  Both are
+# incorrect, but b) is the only "correct" view from dep-pointofview.
+# Bug #925108 showed that DANE is basically non-optional with OpenSSL,
+# so we make -dane mandatory to use gnutls.  Bleh.
+# We cannot express a required use for berkdb/gdbm/tdb correctly because
+# berkdb and gdbm are both enabled in base profile
+
+SDIR=$([[ ${PV} == *_rc* ]]   && echo /test
+	 [[ ${PV} == *.*.*.* ]] && echo /fixes)
+COMM_URI="https://downloads.exim.org/exim4${SDIR}"
+
+GPV="r0"
+DESCRIPTION="A highly configurable, drop-in replacement for sendmail"
+SRC_URI="${COMM_URI}/${P//_rc/-RC}.tar.xz
+	mirror://gentoo/system_filter.exim.gz
+	doc? ( ${COMM_URI}/${PN}-pdf-${PV//_rc/-RC}.tar.xz )"
+HOMEPAGE="https://www.exim.org/"
+
+SLOT="0"
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+
+COMMON_DEPEND=">=sys-apps/sed-4.0.5
+	dev-libs/libpcre2:=
+	tdb? ( sys-libs/tdb:= )
+	!tdb? ( berkdb? ( >=sys-libs/db-3.2:= <sys-libs/db-6:= ) )
+	!tdb? ( !berkdb? ( sys-libs/gdbm:= ) )
+	idn? ( net-dns/libidn:= net-dns/libidn2:= )
+	perl? ( dev-lang/perl:= )
+	pam? ( sys-libs/pam )
+	tcpd? ( sys-apps/tcp-wrappers )
+	ssl? (
+		gnutls? (
+			net-libs/gnutls:0=[pkcs11?]
+			dev-libs/libtasn1
+		)
+		!gnutls? (
+			dev-libs/openssl:0=
+		)
+	)
+	ldap? ( >=net-nds/openldap-2.0.7:= )
+	elibc_glibc? (
+		net-libs/libnsl:=
+		nis? (
+			net-libs/libtirpc:=
+			>=net-libs/libnsl-1:=
+		)
+	)
+	mysql? ( dev-db/mysql-connector-c:= )
+	postgres? ( dev-db/postgresql:= )
+	sasl? ( >=dev-libs/cyrus-sasl-2.1.26-r2 )
+	redis? ( dev-libs/hiredis:= )
+	spf? ( >=mail-filter/libspf2-1.2.5-r1 )
+	dmarc? ( mail-filter/opendmarc:= )
+	X? (
+		x11-libs/libX11
+		x11-libs/libXmu
+		x11-libs/libXt
+		x11-libs/libXaw
+	)
+	sqlite? ( dev-db/sqlite )
+	radius? ( net-dialup/freeradius-client )
+	virtual/libcrypt:=
+	virtual/libiconv
+	"
+	# added X check for #57206
+BDEPEND="virtual/pkgconfig"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}
+	!mail-mta/courier
+	!mail-mta/esmtp
+	!mail-mta/msmtp[mta]
+	!mail-mta/netqmail
+	!mail-mta/nullmailer
+	!mail-mta/postfix
+	!mail-mta/sendmail
+	!mail-mta/opensmtpd
+	!mail-mta/ssmtp[mta]
+	>=net-mail/mailbase-0.00-r5
+	virtual/logger
+	dcc? ( mail-filter/dcc )
+	selinux? ( sec-policy/selinux-exim )
+	"
+
+S=${WORKDIR}/${P//_rc/-RC}
+
+src_prepare() {
+	# Legacy patches which need a respin for -p1
+	eapply -p0 "${FILESDIR}"/exim-4.14-tail.patch
+	eapply -p0 "${FILESDIR}"/exim-4.74-radius-db-ENV-clash.patch # 287426
+	eapply     "${FILESDIR}"/exim-4.97-as-needed-ldflags.patch # 352265, 391279
+	eapply -p0 "${FILESDIR}"/exim-4.76-crosscompile.patch # 266591
+	eapply     "${FILESDIR}"/exim-4.69-r1.27021.patch
+	eapply     "${FILESDIR}"/exim-4.97-localscan_dlopen.patch
+	eapply     "${FILESDIR}"/exim-4.97-no-exim_id_update.patch
+	eapply     "${FILESDIR}"/exim-4.97.1-memory-usage-bug-3047.patch # 922780
+
+	eapply -p2 "${FILESDIR}"/exim-4.97.1-CVE-2024-39929-part1.patch
+	eapply -p2 "${FILESDIR}"/exim-4.97.1-CVE-2024-39929-part2.patch
+
+	# oddity, they disable berkdb as hack, and then throw an error when
+	# berkdb isn't enabled
+	sed -i \
+		-e 's/_DB_/_DONTMESS_/' \
+		-e 's/define DB void/define DONTMESS void/' \
+		src/auths/call_radius.c || die
+
+	if use maildir ; then
+		eapply "${FILESDIR}"/exim-4.94-maildir.patch
+	else
+		eapply -p0 "${FILESDIR}"/exim-4.80-spool-mail-group.patch # 438606
+	fi
+
+	eapply_user
+
+	# user Exim believes it should be
+	MAILUSER=mail
+	MAILGROUP=mail
+	if use prefix && [[ ${EUID} != 0 ]] ; then
+		MAILUSER=$(id -un)
+		MAILGROUP=$(id -gn)
+	fi
+}
+
+src_configure() {
+	# general config and paths
+
+	local aliases="${EPREFIX}/etc/mail/aliases"
+	sed -i \
+		-e "/SYSTEM_ALIASES_FILE/s'SYSTEM_ALIASES_FILE'${aliases}'" \
+		src/configure.default || die
+
+	sed -i -e 's/^buildname=.*/buildname=exim-gentoo/' Makefile || die
+
+	if use elibc_musl; then
+		sed -i -e 's/^LIBS = -lnsl/LIBS =/g' OS/Makefile-Linux || die
+		append-cflags -DNO_EXECINFO
+	fi
+
+	local conffile="${EPREFIX}/etc/exim/exim.conf"
+	sed -e "48i\CFLAGS=${CFLAGS}" \
+		-e "s:BIN_DIRECTORY=/usr/exim/bin:BIN_DIRECTORY=${EPREFIX}/usr/sbin:" \
+		-e "s;EXIM_USER=;EXIM_USER=ref:${MAILUSER};" \
+		-e "s:CONFIGURE_FILE=.*$:CONFIGURE_FILE=${conffile}:" \
+		-e "s:ZCAT_COMMAND=.*$:ZCAT_COMMAND=${EPREFIX}/bin/zcat:" \
+		-e "s:COMPRESS_COMMAND=.*$:COMPRESS_COMMAND=${EPREFIX}/bin/gzip:" \
+		src/EDITME > Local/Makefile || die
+
+	# work on Local/Makefile from now on
+	cd Local
+
+	cat >> Makefile <<- EOC
+		INFO_DIRECTORY=${EPREFIX}/usr/share/info
+		PID_FILE_PATH=${EPREFIX}/run/exim.pid
+		SPOOL_DIRECTORY=${EPREFIX}/var/spool/exim
+		HAVE_ICONV=yes
+		WITH_CONTENT_SCAN=yes
+	EOC
+
+	# configure db implementation, Exim always needs one for its hints
+	# database, we prefer tdb and gdbm, since bdb is kind of getting
+	# less and less support
+	if use tdb ; then
+		cat >> Makefile <<- EOC
+			USE_TDB=yes
+			DBMLIB = -ltdb
+		EOC
+		sed -i -e 's:^USE_DB=yes:# USE_DB=yes:' Makefile || die
+		sed -i -e 's:^USE_GDBM=yes:# USE_GDBM=yes:' Makefile || die
+	elif use gdbm ; then
+		cat >> Makefile <<- EOC
+			USE_GDBM=yes
+			DBMLIB = -lgdbm
+		EOC
+		sed -i -e 's:^USE_DB=yes:# USE_DB=yes:' Makefile || die
+		sed -i -e 's:^USE_TDB=yes:# USE_TDB=yes:' Makefile || die
+	else # must be berkdb via required_use
+		# use the "native" interfaces to the DBM and CDB libraries, support
+		# passwd and directory lookups by default
+		local DB_VERS="5.3 5.1 4.8 4.7 4.6 4.5 4.4 4.3 4.2 3.2"
+		cat >> Makefile <<- EOC
+			USE_DB=yes
+			# keep include in CFLAGS because exim.h -> dbstuff.h -> db.h
+			CFLAGS += -I$(db_includedir ${DB_VERS})
+			DBMLIB = -l$(db_libname ${DB_VERS})
+		EOC
+		sed -i -e 's:^USE_GDBM=yes:# USE_GDBM=yes:' Makefile || die
+		sed -i -e 's:^USE_TDB=yes:# USE_TDB=yes:' Makefile || die
+	fi
+
+	# if we use libiconv, now is the time to tell so
+	if use !elibc_glibc && use !elibc_musl ; then
+		cat >> Makefile <<- EOC
+			EXTRALIBS_EXIM=-liconv
+		EOC
+	fi
+
+	# support for IPv6
+	if use ipv6; then
+		cat >> Makefile <<- EOC
+			HAVE_IPV6=YES
+		EOC
+	fi
+
+	# support i18n/IDNA
+	if use idn; then
+		cat >> Makefile <<- EOC
+			SUPPORT_I18N=yes
+			SUPPORT_I18N_2008=yes
+			EXTRALIBS_EXIM += -lidn -lidn2
+		EOC
+	fi
+
+	#
+	# mail storage formats
+	#
+
+	# mailstore is Exim's traditional storage format
+	cat >> Makefile <<- EOC
+		SUPPORT_MAILSTORE=yes
+	EOC
+
+	# mbox
+	if use mbx; then
+		cat >> Makefile <<- EOC
+			SUPPORT_MBX=yes
+		EOC
+	fi
+
+	# maildir
+	if use maildir; then
+		cat >> Makefile <<- EOC
+			SUPPORT_MAILDIR=yes
+		EOC
+	fi
+
+	#
+	# lookup methods
+	#
+
+	# support passwd and directory lookups by default
+	cat >> Makefile <<- EOC
+		LOOKUP_CDB=yes
+		LOOKUP_PASSWD=yes
+		LOOKUP_DSEARCH=yes
+	EOC
+
+	if ! use dnsdb; then
+		# DNSDB lookup is enabled by default
+		sed -i -e 's:^LOOKUP_DNSDB=yes:# LOOKUP_DNSDB=yes:' Makefile || die
+	fi
+
+	if use ldap; then
+		cat >> Makefile <<- EOC
+			LOOKUP_LDAP=yes
+			LDAP_LIB_TYPE=OPENLDAP2
+			LOOKUP_INCLUDE += -I"${EPREFIX}"/usr/include/ldap
+			LOOKUP_LIBS += -lldap -llber
+		EOC
+	fi
+
+	if use mysql; then
+		cat >> Makefile <<- EOC
+			LOOKUP_MYSQL=yes
+			LOOKUP_INCLUDE += $(mysql_config --include)
+			LOOKUP_LIBS += $(mysql_config --libs)
+		EOC
+	fi
+
+	if use nis; then
+		cat >> Makefile <<- EOC
+			LOOKUP_NIS=yes
+			LOOKUP_NISPLUS=yes
+		EOC
+		if use elibc_glibc ; then
+			cat >> Makefile <<- EOC
+				LOOKUP_INCLUDE += -I"${EPREFIX}"/usr/include/tirpc
+				LOOKUP_LIBS += -lnsl
+			EOC
+		fi
+	fi
+
+	if use postgres; then
+		cat >> Makefile <<- EOC
+			LOOKUP_PGSQL=yes
+			LOOKUP_INCLUDE += -I$(pg_config --includedir)
+			LOOKUP_LIBS += -L$(pg_config --libdir) -lpq
+		EOC
+	fi
+
+	if use sqlite; then
+		cat >> Makefile <<- EOC
+			LOOKUP_SQLITE=yes
+			LOOKUP_SQLITE_PC=sqlite3
+		EOC
+	fi
+
+	if use redis; then
+		cat >> Makefile <<- EOC
+			LOOKUP_REDIS=yes
+			LOOKUP_LIBS += -lhiredis
+		EOC
+	fi
+
+	# Exim monitor, enabled by default, controlled via X USE-flag,
+	# disable if not requested, bug #46778
+	if use X; then
+		cp ../exim_monitor/EDITME eximon.conf || die
+		cat >> Makefile <<- EOC
+			EXIM_MONITOR=eximon.bin
+		EOC
+	fi
+
+	#
+	# features
+	#
+
+	# DomainKeys Identified Mail, RFC4871
+	if ! use dkim; then
+		# DKIM is enabled by default
+		cat >> Makefile <<- EOC
+			DISABLE_DKIM=yes
+		EOC
+	fi
+
+	# Per-Recipient-Data-Response
+	if ! use prdr; then
+		# PRDR is enabled by default
+		cat >> Makefile <<- EOC
+			DISABLE_PRDR=yes
+		EOC
+	fi
+
+	# Transport post-delivery actions
+	if use !tpda && use !dane; then
+		# EVENT is enabled by default
+		cat >> Makefile <<- EOC
+			DISABLE_EVENT=yes
+		EOC
+	fi
+
+	# log to syslog
+	if use syslog; then
+		local eximlog="${EPREFIX}/var/log/exim/exim_%s.log"
+		sed -i \
+			-e "s:LOG_FILE_PATH=${eximlog}:LOG_FILE_PATH=syslog:" \
+			Makefile || die
+		cat >> Makefile <<- EOC
+			LOG_FILE_PATH=syslog
+		EOC
+	else
+		cat >> Makefile <<- EOC
+			LOG_FILE_PATH=${EPREFIX}/var/log/exim/exim_%s.log
+		EOC
+	fi
+
+	# starttls support (ssl)
+	if use ssl; then
+		if use gnutls; then
+			echo "USE_GNUTLS=yes" >> Makefile
+			echo "USE_GNUTLS_PC=gnutls $(use dane && echo gnutls-dane)" \
+				>> Makefile
+			use pkcs11 || echo "AVOID_GNUTLS_PKCS11=yes" >> Makefile
+		else
+			echo "USE_OPENSSL=yes" >> Makefile
+			echo "USE_OPENSSL_PC=openssl" >> Makefile
+		fi
+	else
+		echo "DISABLE_TLS=yes" >> Makefile
+	fi
+
+	# TCP wrappers
+	if use tcpd; then
+		cat >> Makefile <<- EOC
+			USE_TCP_WRAPPERS=yes
+			EXTRALIBS_EXIM += -lwrap
+		EOC
+	fi
+
+	# Light Mail Transport Protocol
+	if use lmtp; then
+		cat >> Makefile <<- EOC
+			TRANSPORT_LMTP=yes
+		EOC
+	fi
+
+	# embedded Perl
+	if use perl; then
+		cat >> Makefile <<- EOC
+			EXIM_PERL=perl.o
+		EOC
+	fi
+
+	# dlfunc
+	if use dlfunc; then
+		cat >> Makefile <<- EOC
+			EXPAND_DLFUNC=yes
+			HAVE_LOCAL_SCAN=yes
+			DLOPEN_LOCAL_SCAN=yes
+		EOC
+	fi
+
+	# Proxy Protocol
+	if use proxy; then
+		cat >> Makefile <<- EOC
+			SUPPORT_PROXY=yes
+		EOC
+	fi
+
+	# SOCKS5 (outbound) proxy support
+	if use socks5; then
+		cat >> Makefile <<- EOC
+			SUPPORT_SOCKS=yes
+		EOC
+	fi
+
+	# DANE
+	if use !dane; then
+		# DANE is enabled by default
+		sed -i -e 's:^SUPPORT_DANE=yes:# SUPPORT_DANE=yes:' Makefile || die
+	fi
+
+	# DMARC
+	if use dmarc; then
+		cat >> Makefile <<- EOC
+			SUPPORT_DMARC=yes
+			EXTRALIBS_EXIM += -lopendmarc
+		EOC
+	fi
+
+	# Sender Policy Framework
+	if use spf; then
+		cat >> Makefile <<- EOC
+			SUPPORT_SPF=yes
+			EXTRALIBS_EXIM += -lspf2
+		EOC
+	fi
+
+	#
+	# experimental features
+	#
+
+	# Authenticated Receive Chain
+	if use arc; then
+		echo "EXPERIMENTAL_ARC=yes">> Makefile
+	fi
+
+	# Distributed Checksum Clearinghouse
+	if use dcc; then
+		echo "EXPERIMENTAL_DCC=yes">> Makefile
+	fi
+
+	# Sender Rewriting Scheme
+	if use srs; then
+		# this one is the default/supported variant since 4.95, and the
+		# only variant available since 4.96
+		cat >> Makefile <<- EOC
+			SUPPORT_SRS=yes
+		EOC
+	fi
+
+	# Delivery Sender Notifications extra information in fail message
+	if use dsn; then
+		cat >> Makefile <<- EOC
+			EXPERIMENTAL_DSN_INFO=yes
+		EOC
+	fi
+
+	#
+	# authentication (SMTP AUTH)
+	#
+
+	# standard bits
+	cat >> Makefile <<- EOC
+		AUTH_SPA=yes
+		AUTH_CRAM_MD5=yes
+		AUTH_PLAINTEXT=yes
+	EOC
+
+	# Cyrus SASL
+	if use sasl; then
+		cat >> Makefile <<- EOC
+			CYRUS_SASLAUTHD_SOCKET=${EPREFIX}/run/saslauthd/mux
+			AUTH_CYRUS_SASL=yes
+			AUTH_LIBS += -lsasl2
+		EOC
+	fi
+
+	# Dovecot
+	if use dovecot-sasl; then
+		cat >> Makefile <<- EOC
+			AUTH_DOVECOT=yes
+		EOC
+	fi
+
+	# Pluggable Authentication Modules
+	if use pam; then
+		cat >> Makefile <<- EOC
+			SUPPORT_PAM=yes
+			AUTH_LIBS += -lpam
+		EOC
+	fi
+
+	# Radius
+	if use radius; then
+		cat >> Makefile <<- EOC
+			RADIUS_CONFIG_FILE=${EPREFIX}/etc/radiusclient/radiusclient.conf
+			RADIUS_LIB_TYPE=RADIUSCLIENTNEW
+			AUTH_LIBS += -lfreeradius-client
+		EOC
+	fi
+}
+
+src_compile() {
+	emake CC="$(tc-getCC)" HOSTCC="$(tc-getBUILD_CC)" \
+		AR="$(tc-getAR) cq" RANLIB="$(tc-getRANLIB)" FULLECHO=''
+}
+
+src_install() {
+	cd "${S}"/build-exim-gentoo || die
+	dosbin exim
+	if use X; then
+		dosbin eximon.bin
+		dosbin eximon
+	fi
+	fperms 4755 /usr/sbin/exim
+
+	dosym exim /usr/sbin/sendmail
+	dosym exim /usr/sbin/rsmtp
+	dosym exim /usr/sbin/rmail
+	dosym ../sbin/exim /usr/bin/mailq
+	dosym ../sbin/exim /usr/bin/newaliases
+	dosym ../sbin/sendmail /usr/lib/sendmail
+
+	for i in exicyclog exim_dbmbuild exim_dumpdb exim_fixdb exim_lock \
+		exim_tidydb exinext exiwhat exigrep eximstats exiqsumm exiqgrep \
+		convert4r3 convert4r4 exipick
+	do
+		dosbin $i
+	done
+
+	dodoc -r "${S}"/doc/.
+	doman "${S}"/doc/exim.8
+	use dsn && dodoc "${S}"/README.DSN
+	use doc && dodoc "${WORKDIR}"/${PN}-pdf-${PV//rc/RC}/doc/*.pdf
+
+	# conf files
+	insinto /etc/exim
+	newins "${S}"/src/configure.default exim.conf.dist
+	doins "${WORKDIR}"/system_filter.exim
+	doins "${FILESDIR}"/auth_conf.sub
+
+	if use pam; then
+		pamd_mimic system-auth exim auth account
+	fi
+
+	# headers, #436406
+	if use dlfunc ; then
+		# fixup includes so they actually can be found when including
+		sed -i \
+			-e '/#include "\(config\|store\|mytypes\).h"/s:"\(.\+\)":<exim/\1>:' \
+			local_scan.h || die
+		insinto /usr/include/exim
+		doins {config,local_scan}.h ../src/{mytypes,store}.h
+	fi
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}/exim.logrotate" exim
+
+	newinitd "${FILESDIR}"/exim.rc10 exim
+	newconfd "${FILESDIR}"/exim.confd exim
+
+	systemd_dounit \
+		"${FILESDIR}"/{exim.service,exim.socket,exim-submission.socket}
+	systemd_newunit \
+		"${FILESDIR}"/exim_at.service 'exim@.service'
+	systemd_newunit \
+		"${FILESDIR}"/exim-submission_at.service 'exim-submission@.service'
+
+	diropts -m 0750 -o ${MAILUSER} -g ${MAILGROUP}
+	keepdir /var/log/${PN}
+}
+
+pkg_postinst() {
+	if [[ ! -f ${EROOT}/etc/exim/exim.conf ]] ; then
+		einfo "${EROOT}/etc/exim/system_filter.exim is a sample system_filter."
+		einfo "${EROOT}/etc/exim/auth_conf.sub contains the configuration sub"
+		einfo "for using smtp auth."
+		einfo "Please create ${EROOT}/etc/exim/exim.conf from"
+		einfo "  ${EROOT}/etc/exim/exim.conf.dist."
+	fi
+	if use berkdb && ( use gdbm || use tdb ) ; then
+		ewarn "USE=berkdb is ignored because USE=gdbm or USE=tdb is enabled!"
+	fi
+	if use dmarc ; then
+		einfo "DMARC support requires ${EROOT}/etc/exim/opendmarc.tlds"
+		einfo "you can populate this file with the contents downloaded from"
+		einfo "  https://publicsuffix.org/list/public_suffix_list.dat"
+	fi
+	if use dcc ; then
+		einfo "DCC support is experimental, you can find some limited"
+		einfo "documentation at the bottom of this prerelease message:"
+		einfo "  http://article.gmane.org/gmane.mail.exim.devel/3579"
+	fi
+	use dsn && einfo "extra information in fail DSN message is experimental"
+	einfo
+	elog "Note that this release contains a tainted variable check that"
+	elog "is likely to break your configuration used with Exim 4.93 and before."
+	elog "Please check your transports for occurences of \$local_part, and"
+	elog "use a replacement like \$local_part_data where possible."
+}

diff --git a/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part1.patch b/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part1.patch
new file mode 100644
index 000000000000..e83a44abc986
--- /dev/null
+++ b/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part1.patch
@@ -0,0 +1,111 @@
+patch reduced to code only
+
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Mon, 1 Jul 2024 18:35:12 +0000 (+0100)
+Subject: Fix MIME parsing of filenames specified using multiple parameters.  Bug 3099
+X-Git-Tag: exim-4.98-RC3~2
+X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/6ce5c70cff89
+
+Fix MIME parsing of filenames specified using multiple parameters.  Bug 3099
+---
+
+diff --git a/src/src/mime.c b/src/src/mime.c
+index 975ddca85..5f9e1ade7 100644
+--- a/src/src/mime.c
++++ b/src/src/mime.c
+@@ -587,10 +587,10 @@ while(1)
+ 
+ 	while (*p)
+ 	  {
+-	  DEBUG(D_acl) debug_printf_indent("MIME:   considering paramlist '%s'\n", p);
++	  DEBUG(D_acl)
++	    debug_printf_indent("MIME:   considering paramlist '%s'\n", p);
+ 
+-	  if (  !mime_filename
+-	     && strncmpic(CUS"content-disposition:", header, 20) == 0
++	  if (  strncmpic(CUS"content-disposition:", header, 20) == 0
+ 	     && strncmpic(CUS"filename*", p, 9) == 0
+ 	     )
+ 	    {					/* RFC 2231 filename */
+@@ -604,11 +604,12 @@ while(1)
+ 
+ 	    if (q && *q)
+ 	      {
+-	      uschar * temp_string, * err_msg;
++	      uschar * temp_string, * err_msg, * fname = q;
+ 	      int slen;
+ 
+ 	      /* build up an un-decoded filename over successive
+ 	      filename*= parameters (for use when 2047 decode fails) */
++/*XXX could grow a gstring here */
+ 
+ 	      mime_fname_rfc2231 = string_sprintf("%#s%s",
+ 		mime_fname_rfc2231, q);
+@@ -623,26 +624,32 @@ while(1)
+ 		  /* look for a ' in the "filename" */
+ 		  while(*s != '\'' && *s) s++;	/* s is 1st ' or NUL */
+ 
+-		  if ((size = s-q) > 0)
+-		    mime_filename_charset = string_copyn(q, size);
++		  if (*s)			/* there was a ' */
++		    {
++		    if ((size = s-q) > 0)
++		      mime_filename_charset = string_copyn(q, size);
+ 
+-		  if (*(p = s)) p++;
+-		  while(*p == '\'') p++;	/* p is after 2nd ' */
++		    if (*(fname = s)) fname++;
++		    while(*fname == '\'') fname++;    /* fname is after 2nd ' */
++		    }
+ 		  }
+-		else
+-		  p = q;
+ 
+-		DEBUG(D_acl) debug_printf_indent("MIME:    charset %s fname '%s'\n",
+-		  mime_filename_charset ? mime_filename_charset : US"<NULL>", p);
++		DEBUG(D_acl)
++		  debug_printf_indent("MIME:    charset %s fname '%s'\n",
++		    mime_filename_charset ? mime_filename_charset : US"<NULL>",
++		    fname);
+ 
+-		temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen);
+-		DEBUG(D_acl) debug_printf_indent("MIME:    2047-name %s\n", temp_string);
++		temp_string = rfc2231_to_2047(fname, mime_filename_charset,
++					      &slen);
++		DEBUG(D_acl)
++		  debug_printf_indent("MIME:    2047-name %s\n", temp_string);
+ 
+ 		temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ',
+-		  NULL, &err_msg);
+-		DEBUG(D_acl) debug_printf_indent("MIME:    plain-name %s\n", temp_string);
++					      NULL, &err_msg);
++		DEBUG(D_acl)
++		  debug_printf_indent("MIME:    plain-name %s\n", temp_string);
+ 
+-		if (!temp_string || (size = Ustrlen(temp_string))  == slen)
++		if (!temp_string || (size = Ustrlen(temp_string)) == slen)
+ 		  decoding_failed = TRUE;
+ 		else
+ 		  /* build up a decoded filename over successive
+@@ -651,9 +658,9 @@ while(1)
+ 		  mime_filename = mime_fname = mime_fname
+ 		    ? string_sprintf("%s%s", mime_fname, temp_string)
+ 		    : temp_string;
+-		}
+-	      }
+-	    }
++		}	/*!decoding_failed*/
++	      }		/*q*/
++	    }		/*2231 filename*/
+ 
+ 	  else
+ 	    /* look for interesting parameters */
+@@ -682,7 +689,7 @@ while(1)
+ 
+ 
+ 	  /* There is something, but not one of our interesting parameters.
+-	     Advance past the next semicolon */
++	  Advance past the next semicolon */
+ 	  p = mime_next_semicolon(p);
+ 	  if (*p) p++;
+ 	  }				/* param scan on line */

diff --git a/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part2.patch b/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part2.patch
new file mode 100644
index 000000000000..f33e33598379
--- /dev/null
+++ b/mail-mta/exim/files/exim-4.97.1-CVE-2024-39929-part2.patch
@@ -0,0 +1,247 @@
+patch reduced to code only
+
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 2 Jul 2024 13:41:19 +0000 (+0100)
+Subject: MIME: support RFC 2331 for name=.  Bug 3099
+X-Git-Tag: exim-4.98-RC3~1
+X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/1b3209b0577a
+
+MIME: support RFC 2331 for name=.  Bug 3099
+---
+
+diff --git a/src/src/mime.c b/src/src/mime.c
+index 5f9e1ade7..8044bb3fd 100644
+--- a/src/src/mime.c
++++ b/src/src/mime.c
+@@ -30,10 +30,10 @@ static int mime_header_list_size = nelem(mime_header_list);
+ 
+ static mime_parameter mime_parameter_list[] = {
+   /*	name	namelen	 value */
+-  { US"name=",     5, &mime_filename },
+-  { US"filename=", 9, &mime_filename },
+-  { US"charset=",  8, &mime_charset  },
+-  { US"boundary=", 9, &mime_boundary }
++  { US"name",     4, &mime_filename },
++  { US"filename", 8, &mime_filename },
++  { US"charset",  7, &mime_charset  },
++  { US"boundary", 8, &mime_boundary }
+ };
+ 
+ 
+@@ -577,8 +577,8 @@ while(1)
+       if (*(p = q)) p++;			/* jump past the ; */
+ 
+ 	{
+-	uschar * mime_fname = NULL;
+-	uschar * mime_fname_rfc2231 = NULL;
++	gstring * mime_fname = NULL;
++	gstring * mime_fname_rfc2231 = NULL;
+ 	uschar * mime_filename_charset = NULL;
+ 	BOOL decoding_failed = FALSE;
+ 
+@@ -590,90 +590,92 @@ while(1)
+ 	  DEBUG(D_acl)
+ 	    debug_printf_indent("MIME:   considering paramlist '%s'\n", p);
+ 
+-	  if (  strncmpic(CUS"content-disposition:", header, 20) == 0
+-	     && strncmpic(CUS"filename*", p, 9) == 0
+-	     )
+-	    {					/* RFC 2231 filename */
+-	    uschar * q;
+-
+-	    /* find value of the filename */
+-	    p += 9;
+-	    while(*p != '=' && *p) p++;
+-	    if (*p) p++;			/* p is filename or NUL */
+-	    q = mime_param_val(&p);		/* p now trailing ; or NUL */
+-
+-	    if (q && *q)
++	  /* look for interesting parameters */
++	  for (mime_parameter * mp = mime_parameter_list;
++	       mp < mime_parameter_list + nelem(mime_parameter_list);
++	       mp++
++	      ) if (strncmpic(mp->name, p, mp->namelen) == 0)
++	    {
++	    p += mp->namelen;
++	    if (*p == '*')			/* RFC 2231 */
+ 	      {
+-	      uschar * temp_string, * err_msg, * fname = q;
+-	      int slen;
+-
+-	      /* build up an un-decoded filename over successive
+-	      filename*= parameters (for use when 2047 decode fails) */
+-/*XXX could grow a gstring here */
+-
+-	      mime_fname_rfc2231 = string_sprintf("%#s%s",
+-		mime_fname_rfc2231, q);
+-
+-	      if (!decoding_failed)
++	      while (isdigit(*++p)) ;		/* ignore cont-cnt values */
++	      if (*p == '*') p++;		/* step over sep chset mark */
++	      if (*p == '=')
+ 		{
+-		int size;
+-		if (!mime_filename_charset)
++		uschar * q;
++		p++;				/* step over = */
++		q = mime_param_val(&p);		/* p now trailing ; or NUL */
++
++		if (q && *q)			/* q is the dequoted value */
+ 		  {
+-		  uschar * s = q;
++		  uschar * err_msg, * fname = q;
++		  int slen;
++
++		  /* build up an un-decoded filename over successive
++		  filename*= parameters (for use when 2047 decode fails) */
+ 
+-		  /* look for a ' in the "filename" */
+-		  while(*s != '\'' && *s) s++;	/* s is 1st ' or NUL */
++		  mime_fname_rfc2231 = string_cat(mime_fname_rfc2231, q);
+ 
+-		  if (*s)			/* there was a ' */
++		  if (!decoding_failed)
+ 		    {
+-		    if ((size = s-q) > 0)
+-		      mime_filename_charset = string_copyn(q, size);
+-
+-		    if (*(fname = s)) fname++;
+-		    while(*fname == '\'') fname++;    /* fname is after 2nd ' */
+-		    }
+-		  }
+-
+-		DEBUG(D_acl)
+-		  debug_printf_indent("MIME:    charset %s fname '%s'\n",
+-		    mime_filename_charset ? mime_filename_charset : US"<NULL>",
+-		    fname);
+-
+-		temp_string = rfc2231_to_2047(fname, mime_filename_charset,
+-					      &slen);
+-		DEBUG(D_acl)
+-		  debug_printf_indent("MIME:    2047-name %s\n", temp_string);
+-
+-		temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ',
+-					      NULL, &err_msg);
+-		DEBUG(D_acl)
+-		  debug_printf_indent("MIME:    plain-name %s\n", temp_string);
+-
+-		if (!temp_string || (size = Ustrlen(temp_string)) == slen)
+-		  decoding_failed = TRUE;
+-		else
+-		  /* build up a decoded filename over successive
+-		  filename*= parameters */
+-
+-		  mime_filename = mime_fname = mime_fname
+-		    ? string_sprintf("%s%s", mime_fname, temp_string)
+-		    : temp_string;
+-		}	/*!decoding_failed*/
+-	      }		/*q*/
+-	    }		/*2231 filename*/
+-
+-	  else
+-	    /* look for interesting parameters */
+-	    for (mime_parameter * mp = mime_parameter_list;
+-		 mp < mime_parameter_list + nelem(mime_parameter_list);
+-		 mp++
+-		) if (strncmpic(mp->name, p, mp->namelen) == 0)
+-	      {
+-	      uschar * q;
+-	      uschar * dummy_errstr;
++		    if (!mime_filename_charset)
++		      {			/* try for RFC 2231 chset/lang */
++		      uschar * s = q;
++
++		      /* look for a ' in the raw paramval */
++		      while(*s != '\'' && *s) s++;	/* s is 1st ' or NUL */
++
++		      if (*s)				/* there was a ' */
++			{
++			int size;
++			if ((size = s-q) > 0)
++			  mime_filename_charset = string_copyn(q, size);
++
++			if (*(fname = s)) fname++;
++			while(*fname == '\'') fname++;    /*fname is after 2nd '*/
++			}
++		      }
++
++		    DEBUG(D_acl)
++		      debug_printf_indent("MIME:    charset %s fname '%s'\n",
++			mime_filename_charset ? mime_filename_charset : US"<NULL>",
++			fname);
++
++		    fname = rfc2231_to_2047(fname, mime_filename_charset,
++						  &slen);
++		    DEBUG(D_acl)
++		      debug_printf_indent("MIME:    2047-name %s\n", fname);
++
++		    fname = rfc2047_decode(fname, FALSE, NULL, ' ',
++						  NULL, &err_msg);
++		    DEBUG(D_acl) debug_printf_indent(
++				    "MIME:    plain-name %s\n", fname);
++
++		    if (!fname || Ustrlen(fname) == slen)
++		      decoding_failed = TRUE;
++		    else if (mp->value == &mime_filename)
++		      {
++		      /* build up a decoded filename over successive
++		      filename*= parameters */
++
++		      mime_fname = string_cat(mime_fname, fname);
++		      mime_filename = string_from_gstring(mime_fname);
++		      }
++		    }	/*!decoding_failed*/
++		  }	/*q*/
++
++		if (*p) p++;			/* p is past ; */
++		goto param_done;		/* done matching param names */
++		}		/*2231 param coding extension*/
++	      }
++	    else if (*p == '=')
++	      {		/* non-2231 param */
++	      uschar * q, * dummy_errstr;
+ 
+ 	      /* grab the value and copy to its expansion variable */
+-	      p += mp->namelen;
++
++	      if (*p) p++;			/* step over = */
+ 	      q = mime_param_val(&p);		/* p now trailing ; or NUL */
+ 
+ 	      *mp->value = q && *q
+@@ -684,26 +686,31 @@ while(1)
+ 		"MIME:  found %s parameter in %s header, value '%s'\n",
+ 		mp->name, mh->name, *mp->value);
+ 
+-	      break;			/* done matching param names */
++	      if (*p) p++;			/* p is past ; */
++	      goto param_done;			/* done matching param names */
+ 	      }
+-
++	    }					/* interesting parameters */
+ 
+ 	  /* There is something, but not one of our interesting parameters.
+ 	  Advance past the next semicolon */
++
+ 	  p = mime_next_semicolon(p);
+ 	  if (*p) p++;
+-	  }				/* param scan on line */
++  param_done:
++	  }					/* param scan on line */
+ 
+ 	if (strncmpic(CUS"content-disposition:", header, 20) == 0)
+ 	  {
+-	  if (decoding_failed) mime_filename = mime_fname_rfc2231;
++	  if (decoding_failed)
++	    mime_filename = string_from_gstring(mime_fname_rfc2231);
+ 
+ 	  DEBUG(D_acl) debug_printf_indent(
+ 	    "MIME:  found %s parameter in %s header, value is '%s'\n",
+ 	    "filename", mh->name, mime_filename);
+ 	  }
+ 	}
+-      }
++      break;
++      }	/* interesting headers */
+ 
+   /* set additional flag variables (easier access) */
+   if (  mime_content_type