Package: exim4 / 4.92-8+deb10u6

Metadata

Package: exim4
Version: 4.92-8+deb10u6
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
31_eximmanpage.dpatch

doc/exim.8 | 80 50 + 30 - 0 !
1 file changed, 50 insertions(+), 30 deletions(-)

 We ship the binary as exim4 instead of exim; fix the manpage
 accordingly.

32_exim4.dpatch

OS/Makefile-Linux | 4 2 + 2 - 0 !
src/exicyclog.src | 2 1 + 1 - 0 !
src/exim_checkaccess.src | 2 1 + 1 - 0 !
src/eximon.src | 2 1 + 1 - 0 !
src/exinext.src | 4 2 + 2 - 0 !
src/exiqgrep.src | 2 1 + 1 - 0 !
src/exiwhat.src | 2 1 + 1 - 0 !
src/globals.c | 2 1 + 1 - 0 !
8 files changed, 10 insertions(+), 10 deletions(-)

 Accommodate the source for installing exim as exim4.

33_eximon.binary.dpatch

OS/eximon.conf-Default | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

34_eximstatsmanpage.dpatch

src/eximstats.src | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 Add a note about installing perl-modules on Debian to the
 generated manpage.

35_install.dpatch

scripts/exim_install | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 Exim's installation scripts install the binary as
 exim-<version>; disable this feature.

60_convert4r4.dpatch

src/convert4r4.src | 26 26 + 0 - 0 !
1 file changed, 26 insertions(+)

 Add a warning message to convert4r4.

67_unnecessaryCopt.diff

src/exicyclog.src | 4 2 + 2 - 0 !
src/eximon.src | 4 2 + 2 - 0 !
src/exinext.src | 6 3 + 3 - 0 !
src/exiwhat.src | 4 2 + 2 - 0 !
4 files changed, 9 insertions(+), 9 deletions(-)

 Stop using Exim's -C option in utility scripts (exiwhat
 et al.) since this breaks with ALT_CONFIG_PREFIX.

70_remove_exim users_references.dpatch

README | 12 10 + 2 - 0 !
src/eximstats.src | 3 1 + 2 - 0 !
2 files changed, 11 insertions(+), 4 deletions(-)

 Point Debian users to the Debian-specific mailing list.

75_01 Fix json extract operator for unfound case.patch

doc/spec.txt | 4 4 + 0 - 0 !
src/expand.c | 13 8 + 5 - 0 !
2 files changed, 12 insertions(+), 5 deletions(-)

 [PATCH 1/7] Fix JSON extract operator for unfound case

(cherry picked from commit e73798976812e652320f096870359ef35ed069ff)

75_02 Fix transport buffer size handling.patch

doc/ChangeLog | 7 7 + 0 - 0 !
src/transport.c | 4 2 + 2 - 0 !
2 files changed, 9 insertions(+), 2 deletions(-)

 [PATCH 3/7] Fix transport buffer size handling

Broken-by: 59932f7dcd

(cherry picked from commit 05bf16f6217e93594929c8bbbbbc852caf3ed374)

75_03 Fix info on using local_scan in the default Makefile.patch

OS/Makefile-Default | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 [PATCH 5/7] Fix info on using local_scan() in the default Makefile

Broken-by: 9723f96673
(cherry picked from commit 882bc1704d33aa34873e3a0f72e657b0cc2985e5)

75_04 GnuTLS Fix client detection of server reject of clie.patch

doc/ChangeLog | 7 7 + 0 - 0 !
src/deliver.c | 2 1 + 1 - 0 !
src/smtp_out.c | 10 6 + 4 - 0 !
src/tls-gnu.c | 23 7 + 16 - 0 !
src/transports/lmtp.c | 3 2 + 1 - 0 !
src/transports/smtp.c | 81 64 + 17 - 0 !
6 files changed, 87 insertions(+), 39 deletions(-)

 [PATCH 7/7] GnuTLS: fix client detection of server reject of client
 cert under TLS1.3

(cherry picked from commit fc243e944ec00b59b75f41d07494116f925d58b4)

75_05 Fix expansions for RFC 822 addresses having comments.patch

doc/ChangeLog | 3 3 + 0 - 0 !
src/expand.c | 19 7 + 12 - 0 !
2 files changed, 10 insertions(+), 12 deletions(-)

 [PATCH 1/5] Fix expansions for RFC 822 addresses having comments in
 local-part and/or domain. Bug 2375

(cherry picked from commit e2ff8e24f41caca3623228b1ec66a3f3961ecad6)

75_06 Docs Add note on lsearch for IPv4 mapped IPv6 addres.patch

doc/ChangeLog | 2 1 + 1 - 0 !
doc/spec.txt | 10 9 + 1 - 0 !
2 files changed, 10 insertions(+), 2 deletions(-)

 [PATCH 2/5] Docs: add note on lsearch for IPv4-mapped IPv6 addresses

75_07 Fix crash from SRV lookup hitting a CNAME.patch

doc/ChangeLog | 4 4 + 0 - 0 !
src/dns.c | 10 7 + 3 - 0 !
2 files changed, 11 insertions(+), 3 deletions(-)

 [PATCH 3/5] Fix crash from SRV lookup hitting a CNAME

(cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026)

75_08 Logging fix initial listening on log line.patch

doc/ChangeLog | 4 4 + 0 - 0 !
src/daemon.c | 73 46 + 27 - 0 !
src/host.c | 1 1 + 0 - 0 !
src/structs.h | 1 1 + 0 - 0 !
4 files changed, 52 insertions(+), 27 deletions(-)

 [PATCH 4/5] Logging: fix initial listening-on log line

(cherry picked from commit 254f38d1c5ada5e4df0bccb385dc466549620c71)

75_09 OpenSSL Fix aggregation of messages.patch

doc/ChangeLog | 5 5 + 0 - 0 !
src/tls-openssl.c | 24 18 + 6 - 0 !
test/log/2152 | 1 0 + 1 - 0 !
3 files changed, 23 insertions(+), 7 deletions(-)

 [PATCH 5/5] OpenSSL: fix aggregation of messages.

Broken-by: a5ffa9b475
(cherry picked from commit c09dbcfb71f4b9a42cbfd8a20e0be6bfa1b12488)

75_10 Harden plaintext authenticator.patch

doc/ChangeLog | 5 5 + 0 - 0 !
src/auths/plaintext.c | 6 1 + 5 - 0 !
2 files changed, 6 insertions(+), 5 deletions(-)

 [PATCH] Harden plaintext authenticator

75_11 GnuTLS fix tls_out_ocsp under hosts_request_ocsp.patch

doc/ChangeLog | 3 3 + 0 - 0 !
src/tls-gnu.c | 12 8 + 4 - 0 !
2 files changed, 11 insertions(+), 4 deletions(-)

 [PATCH] GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp

(cherry picked from commit 7a501c874f028f689c44999ab05bb0d39da46941)

75_12 GnuTLS fix the advertising of acceptable certs by th.patch

doc/ChangeLog | 4 4 + 0 - 0 !
src/tls-gnu.c | 8 8 + 0 - 0 !
2 files changed, 12 insertions(+)

 [PATCH 1/2] GnuTLS: fix the advertising of acceptable certs by the
 server. Bug 2389

(cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447)

75_13 Use dsn_from for success DSN messages. Bug 2404.patch

doc/ChangeLog | 4 4 + 0 - 0 !
src/deliver.c | 4 2 + 2 - 0 !
2 files changed, 6 insertions(+), 2 deletions(-)

 [PATCH 2/2] Use dsn_from for success-DSN messages. Bug 2404

(cherry picked from commit 87abcb247b4444bab5fd0bcb212ddb26d5fd9191)

75_14 Fix smtp response timeout.patch

doc/ChangeLog | 7 7 + 0 - 0 !
src/functions.h | 4 2 + 2 - 0 !
src/ip.c | 16 7 + 9 - 0 !
src/malware.c | 26 13 + 13 - 0 !
src/routers/iplookup.c | 2 1 + 1 - 0 !
src/smtp_out.c | 9 5 + 4 - 0 !
src/spam.c | 2 1 + 1 - 0 !
src/transports/smtp_socks.c | 6 3 + 3 - 0 !
src/verify.c | 2 1 + 1 - 0 !
9 files changed, 40 insertions(+), 34 deletions(-)

 [PATCH 1/2] Fix SMTP response timeout

75_15 Fix detection of 32b platform at build time. Bug 240.patch

src/buildconfig.c | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

 [PATCH 2/2] Fix detection of 32b platform at build time. Bug 2405

77_Avoid re expansion in sort CVE 2019 13917 OVE 201907.patch

src/expand.c | 210 145 + 65 - 0 !
1 file changed, 145 insertions(+), 65 deletions(-)

 [PATCH] Avoid re-expansion in ${sort } CVE-2019-13917
 OVE-20190718-0006

(cherry picked from commit 5c887f836e4d8e3f79da1c15565b56b40d9bd0dd)

78_01 string.c do not interpret before 0 CVE 2019 15846.patch

doc/ChangeLog | 5 5 + 0 - 0 !
src/string.c | 7 5 + 2 - 0 !
2 files changed, 10 insertions(+), 2 deletions(-)

 [PATCH] string.c: do not interpret '\\' before '\0' (CVE-2019-15846)

78_02 Fix buffer overflow in string_vformat. Bug 2449.patch

src/string.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [PATCH] Fix buffer overflow in string_vformat. Bug 2449

79_01 Fix SPA authenticator checking client supplied data .patch

doc/ChangeLog | 5 5 + 0 - 0 !
src/auths/spa.c | 22 16 + 6 - 0 !
2 files changed, 21 insertions(+), 6 deletions(-)

 [PATCH 1/2] Fix SPA authenticator, checking client-supplied data
 before using it. Bug 2571

(cherry picked from commit 57aa14b216432be381b6295c312065b2fd034f86)

79_02 Rework SPA fix to avoid overflows. Bug 2571.patch

src/auths/spa.c | 13 9 + 4 - 0 !
1 file changed, 9 insertions(+), 4 deletions(-)

 [PATCH 2/2] Rework SPA fix to avoid overflows. Bug 2571

Amends: 6a7edbf660
(cherry picked from commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0)

80_01 GnuTLS fix hanging callout connections.patch

doc/ChangeLog | 5 5 + 0 - 0 !
src/tls-gnu.c | 24 14 + 10 - 0 !
2 files changed, 19 insertions(+), 10 deletions(-)

 [PATCH 4/6] GnuTLS: fix hanging callout connections

Broken-by: 925ac8e4f1
(cherry picked from commit bd95ffc2ba87fbd3c752df17bc8fd9c01586d45a)

80_02 GnuTLS tls_write wait after uncorking the session.patch

src/tls-gnu.c | 34 28 + 6 - 0 !
1 file changed, 28 insertions(+), 6 deletions(-)

 [PATCH 5/6] GnuTLS: tls_write(): wait after uncorking the session

(cherry picked from commit 8f9adfd36222d4e9e730734e00dffe874073e5b4)

80_03 GnuTLS Do not care about corked data when uncorking.patch

src/tls-gnu.c | 31 15 + 16 - 0 !
1 file changed, 15 insertions(+), 16 deletions(-)

 [PATCH 6/6] GnuTLS: do not care about corked data when uncorking

(cherry picked from commit d8d7e3a4162b52382daf8319f221c085c76c5b8f)

82_TLS use RFC 6125 rules for certifucate name checks w.patch

doc/ChangeLog | 5 5 + 0 - 0 !
src/host.c | 23 20 + 3 - 0 !
src/structs.h | 19 11 + 8 - 0 !
src/tls-gnu.c | 4 2 + 2 - 0 !
src/tls-openssl.c | 12 6 + 6 - 0 !
5 files changed, 44 insertions(+), 19 deletions(-)

 TLS: use RFC 6125 rules for certificate name checks when
 CNAMEs are present. Bug 2594

84_01 CVE 2020 28025 Heap out of bounds read in pdkim_fini.patch

src/pdkim/pdkim.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [PATCH 01/29] CVE-2020-28025: heap out-of-bounds read in
 pdkim_finish_bodyhash()

84_02 CVE 2020 28018 Use after free in tls openssl.c.patch

src/tls-openssl.c | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

 [PATCH 02/29] CVE-2020-28018: use-after-free in tls-openssl.c

84_03 CVE 2020 28023 Out of bounds read in smtp_setup_msg.patch

src/acl.c | 3 2 + 1 - 0 !
src/macros.h | 1 1 + 0 - 0 !
src/smtp_in.c | 4 2 + 2 - 0 !
3 files changed, 5 insertions(+), 3 deletions(-)

 [PATCH 03/29] CVE-2020-28023: out-of-bounds read in smtp_setup_msg()

Extracted from Jeremy Harris's commit afaf5a50.

84_04 CVE 2020 28010 Heap out of bounds write in main.patch

src/exim.c | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 [PATCH 04/29] CVE-2020-28010: heap out-of-bounds write in main()

Based on Phil Pennock's commit 0f57feb4.

84_05 CVE 2020 28011 Heap buffer overflow in queue_run.patch

src/queue.c | 14 10 + 4 - 0 !
1 file changed, 10 insertions(+), 4 deletions(-)

 [PATCH 05/29] CVE-2020-28011: heap buffer overflow in queue_run()

84_06 CVE 2020 28013 Heap buffer overflow in parse_fix_phr.patch

src/parse.c | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 [PATCH 06/29] CVE-2020-28013: heap buffer overflow in
 parse_fix_phrase()

Based on Phil Pennock's commit 8a50c88a.

84_07 Security Refuse negative and large store allocations.patch

src/store.c | 29 28 + 1 - 0 !
1 file changed, 28 insertions(+), 1 deletion(-)

 [PATCH 07/29] Security: refuse negative and large store allocations

Based on Phil Pennock's commits b34d3046 and e6c1606a.

84_08 CVE 2020 28017 Integer overflow in receive_add_recip.patch

src/receive.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 [PATCH 08/29] CVE-2020-28017: integer overflow in
 receive_add_recipient()

Based on Phil Pennock's commit e3b441f7.

84_09 CVE 2020 28022 Heap out of bounds read and write in .patch

src/smtp_in.c | 20 13 + 7 - 0 !
1 file changed, 13 insertions(+), 7 deletions(-)

 [PATCH 09/29] CVE-2020-28022: heap out-of-bounds read and write in
 extract_option()

Based on Phil Pennock's commit c5017adf.

84_10 CVE 2020 28026 Line truncation and injection in spoo.patch

src/spool_in.c | 48 33 + 15 - 0 !
1 file changed, 33 insertions(+), 15 deletions(-)

 [PATCH 10/29] CVE-2020-28026: line truncation and injection in
 spool_read_header()

This also fixes:

2/ In src/spool_in.c:

 462   while (  (len = Ustrlen(big_buffer)) == big_buffer_size-1
 463         && big_buffer[len-1] != '\n'
 464         )
 465     {   /* buffer not big enough for line; certs make this possible */
 466     uschar * buf;
 467     if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
 468     buf = store_get_perm(big_buffer_size *= 2, FALSE);
 469     memcpy(buf, big_buffer, --len);

The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).

84_11 CVE 2020 28015 28021 New line injection into spool h.patch

src/spool_out.c | 21 17 + 4 - 0 !
1 file changed, 17 insertions(+), 4 deletions(-)

 [PATCH 11/29] CVE-2020-28015+28021: new-line injection into spool
 header file

84_12 CVE 2020 28009 Integer overflow in get_stdinput.patch

src/string.c | 23 22 + 1 - 0 !
1 file changed, 22 insertions(+), 1 deletion(-)

 [PATCH 12/29] CVE-2020-28009: integer overflow in get_stdinput()

84_13 CVE 2020 28024 Heap buffer underflow in smtp_ungetc.patch

src/smtp_in.c | 3 3 + 0 - 0 !
src/tls.c | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+)

 [PATCH 13/29] CVE-2020-28024: heap buffer underflow in smtp_ungetc()

84_14 CVE 2020 28012 Missing close on exec flag for privil.patch

src/rda.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [PATCH 14/29] CVE-2020-28012: missing close-on-exec flag for
 privileged pipe

84_15 Security Safeguard against relative names for msglog.patch

src/deliver.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [PATCH 15/29] Security: safeguard against relative names for msglog
 files.

Based on Heiko Schlittermann's commit 4f0ac4ad. This fixes:

3/ In src/deliver.c:

 333 static int
 334 open_msglog_file(uschar *filename, int mode, uschar **error)
 335 {
 336 if (Ustrstr(filename, US"/../"))
 337   log_write(0, LOG_MAIN|LOG_PANIC,
 338     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);

Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
the /../ attempt but will open the file anyway.

84_16 Security Check overrun rcpt_count integer.patch

src/smtp_in.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [PATCH 16/29] Security: check overrun rcpt_count integer

Based on Heiko Schlittermann's commit e5cb5e61. This fixes:

4/ In src/smtp_in.c:

4966     case RCPT_CMD:
4967       HAD(SCH_RCPT);
4968       rcpt_count++;
....
5123       if (rcpt_count > recipients_max && recipients_max > 0)

In theory this recipients_max check can be bypassed, because the int
rcpt_count can overflow (become negative). In practice this would either
consume too much memory or generate too much network traffic, but maybe
it should be fixed anyway.

84_17 Security Always exit when LOG_PANIC_DIE is set.patch

src/log.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [PATCH 17/29] Security: always exit when LOG_PANIC_DIE is set

84_18 Security Fix off by one in smtp transport read respo.patch

src/transports/smtp.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [PATCH 18/29] Security: fix off-by-one in SMTP transport (read
 response)

Based on Heiko Schlittermann's commit 1887a160. This fixes:

1/ In src/transports/smtp.c:

2281       int n = sizeof(sx->buffer);
2282       uschar * rsp = sx->buffer;
2283
2284       if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
2285         { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }

This should probably be either:

rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;

or:

rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;

(not sure which) to avoid an off-by-one.

84_19 Security Avoid decrement of dkim_collect_input if al.patch

src/pdkim/pdkim.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH 19/29] Security: avoid decrement of dkim_collect_input if
 already at 0

Based on Heiko Schlittermann's commit bf2d6e58. This fixes:

5/ receive_msg() calls dkim_exim_verify_finish(), which sets
dkim_collect_input to 0 and calls pdkim_feed_finish(), which calls
pdkim_header_complete(), which decreases dkim_collect_input to UINT_MAX,
which reactivates the DKIM code.

As a result, pdkim_feed() is called again (through receive_getc at the
end of receive_msg()), but functions like pdkim_finish_bodyhash() and
exim_sha_finish() have already been called (in pdkim_feed_finish()).
This suggests a use-after-free.

But it seems that a use-after-free would happen only with
EVP_DigestFinal() (in exim_sha_finish()), which does not seem to be
reachable via DKIM (no SHA3). But we checked OpenSSL only, not GnuTLS.

Here is a proof of concept that triggers the bug (which came very close
to a security vulnerability):

84_20 Security Leave a clean smtp_out input buffer even in.patch

src/smtp_out.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 [PATCH 20/29] Security: leave a clean smtp_out input buffer even in
 case of read error

Based on Heiko Schlittermann's commit 54895bc3. This fixes:

7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.

84_21 Security Avoid modification of constant data in dkim.patch

src/pdkim/pdkim.c | 21 12 + 9 - 0 !
1 file changed, 12 insertions(+), 9 deletions(-)

 [PATCH 21/29] Security: avoid modification of constant data in DKIM
 handling

Based on Heiko Schlittermann's commits f880c7f3 and c118c7f4. This
fixes:

6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:

 773   canon_data->len = b->bodylength - b->signed_body_bytes;

For example, the following proof of concept sets lineending.len to 0
(this should not be possible):

84_22 CVE 2020 28019 Failure to reset function pointer aft.patch

src/globals.c | 1 1 + 0 - 0 !
src/globals.h | 1 1 + 0 - 0 !
src/smtp_in.c | 55 46 + 9 - 0 !
3 files changed, 48 insertions(+), 9 deletions(-)

 [PATCH 22/29] CVE-2020-28019: failure to reset function pointer after
 BDAT error

Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy
Harris's commits aa171254 and 9aceb5c2.

84_23 CVE 2020 28007 Link attack in Exim s log directory.patch

src/dmarc.c | 179 91 + 88 - 0 !
src/exim.c | 14 2 + 12 - 0 !
src/functions.h | 3 1 + 2 - 0 !
src/log.c | 214 137 + 77 - 0 !
4 files changed, 231 insertions(+), 179 deletions(-)

 [PATCH 23/29] CVE-2020-28007: link attack in Exim's log directory

We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!

This patch also fixes:

- a NULL-pointer dereference in usr1_handler() (this signal handler is
  installed before process_log_path is initialized);

- a file-descriptor leak in dmarc_write_history_file() (two return paths
  did not close history_file_fd).

Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."

(cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd)
(cherry picked from commit 93e9a18fbf09deb59bd133986f4c89aeb2d2d86a)

84_24 CVE 2020 28008 Assorted attacks in Exim s spool dire.patch

doc/ChangeLog | 6 6 + 0 - 0 !
src/dbfn.c | 110 65 + 45 - 0 !
2 files changed, 71 insertions(+), 45 deletions(-)

 [PATCH 24/29] CVE-2020-28008: assorted attacks in Exim's spool
 directory

We patch dbfn_open() by introducing two functions priv_drop_temp() and
priv_restore() (inspired by OpenSSH's functions temporarily_use_uid()
and restore_uid()), which temporarily drop and restore root privileges
thanks to seteuid(). This goes against Exim's developers' wishes ("Exim
(the project) doesn't trust seteuid to work reliably") but, to the best
of our knowledge, seteuid() works everywhere and is the only way to
securely fix dbfn_open().

(cherry picked from commit 18da59151dbafa89be61c63580bdb295db36e374)
(cherry picked from commit b05dc3573f4cd476482374b0ac0393153d344338)

84_26 CVE 2020 28014 CVE 2021 27216 Arbitrary PID file cre.patch

doc/ChangeLog | 5 5 + 0 - 0 !
src/daemon.c | 212 193 + 19 - 0 !
src/exim.c | 12 10 + 2 - 0 !
3 files changed, 208 insertions(+), 21 deletions(-)

 [PATCH 26/29] CVE-2020-28014, CVE-2021-27216: arbitrary PID file
 creation, clobbering, and deletion

Arbitrary PID file creation, clobbering, and deletion.
Patch provided by Qualys.

(cherry picked from commit 974f32939a922512b27d9f0a8a1cb5dec60e7d37)
(cherry picked from commit 43c6f0b83200b7082353c50187ef75de3704580a)

84_27 testsuite adjustments for CVE 2020 28014 CVE 2021 27.patch

src/daemon.c | 32 0 + 32 - 0 !
1 file changed, 32 deletions(-)

 [PATCH 27/29] testsuite: adjustments for CVE-2020-28014,
 CVE-2021-27216 (Arbitrary PID file creation)

84_29 Fix BDAT issue for body w o trailing CRLF again Bug .patch

src/smtp_in.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [PATCH 29/29] Fix BDAT issue for body w/o trailing CRLF (again Bug
 1974)

(cherry picked from commit 919111edac911ba9c15422eafd7c5bf14d416d26)

90_localscan_dlopen.dpatch

src/EDITME | 15 15 + 0 - 0 !
src/config.h.defaults | 2 2 + 0 - 0 !
src/globals.c | 4 4 + 0 - 0 !
src/globals.h | 3 3 + 0 - 0 !
src/local_scan.c | 166 118 + 48 - 0 !
src/local_scan.h | 3 3 + 0 - 0 !
src/readconf.c | 3 3 + 0 - 0 !
7 files changed, 148 insertions(+), 48 deletions(-)

 Allow one to use and switch between different local_scan functions
 without recompiling Exim.
 http://marc.merlins.org/linux/exim/files/sa-exim-current/
 Original patch from David Woodhouse, modified first by Derrick 'dman' Hudson
 and then by Marc MERLIN for SA-Exim and minor/major API version tracking.