Subversion Repositories sa-exim


Ignore whitespace Rev 94 → Rev 95

/trunk/debian/changelog
1,3 → 1,10
sa-exim (4.2.1-19) unstable; urgency=medium
 
* no_eval.patch: [CVE-2019-19920] Manually parse option string in
Greylisting plugin, avoiding use of eval() (Closes: #946829, #947198).
 
-- Magnus Holmgren <holmgren@debian.org> Sat, 08 Feb 2020 18:10:43 +0100
 
sa-exim (4.2.1-18) unstable; urgency=medium
 
* Build with -DLOCAL_SCAN.
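--- a/trunk/debian/patches/no_eval.patch
+++ b/trunk/debian/patches/no_eval.patch
@@ -0,0 +1,31 @@
+--- a/Greylisting.pm
++++ b/Greylisting.pm
+@@ -21,6 +21,7 @@ package Greylisting;
+use strict;
+use Mail::SpamAssassin::Plugin;
++use Mail::SpamAssassin::Util qw(untaint_var);
+use NetAddr::IP;
+use File::Path qw(mkpath);
+our @ISA = qw(Mail::SpamAssassin::Plugin);
+@@ -71,9 +72,17 @@ sub greylisting
+}
+Mail::SpamAssassin::Plugin::dbg("GREYLISTING: called function");
+- $optionhash =~ s/;/,/g;
+- # This is safe, right? (users shouldn't be able to set it in their config)
+- %option=eval $optionhash;
++ while ($optionhash =~ /(?:\G(?<!^)|^\s*\()\s*(?>(?<quot1>['"])(?<opt>.*?)\g{quot1})
++ \s*=>\s*
++ (?>(?<quot2>['"])(?<val>.*?)\g{quot2}
++ |
++ (?<val>-?(?:\d+(?:\.\d*)?|(?:\d*\.)?\d+))
++ )\s*(?:;?\s*\)\s*$|;(?!$))/gxc) {
++ $option{$+{opt}} = untaint_var($+{val});
++ }
++ if ((pos($optionhash) // 0) < length $optionhash) {
++ die "Syntax error";
++ }
+$self->{'rangreylisting'}=1;
+foreach my $reqoption (qw ( method greylistsecs dontgreylistthreshold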
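Review bot: The new hand-written parser that replaces `eval` carries no comment stating the grammar it accepts, and the commit also drops the only explanatory comment that was there, so a reader of Greylisting.pm now has to reverse-engineer the six-line pattern to learn that only a parenthesised list of `'key' => value` pairs is allowed, with single- or double-quoted keys, values that are either quoted strings or plain (optionally signed, decimal) numbers, `;` as separator and an optional trailing `;` before the closing paren. I would precede the `while` with a comment spelling out that shape and naming the reason the option string is parsed by hand (CVE-2019-19920: it previously reached `eval`), so nobody reintroduces `eval` to support a richer syntax later. The failure path is also hard to diagnose: `die "Syntax error"` names neither the plugin nor where parsing stopped, whereas `die "GREYLISTING: syntax error in option string at offset " . (pos($optionhash) // 0);` would pinpoint the offending pair without echoing the string itself. greylisting's body begins and continues outside the hunk, so where `$optionhash` and `%option` come from is not visible here.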
/trunk/debian/patches/series
11,3 → 11,4
delete-ext-html-references.patch
remove-header-crs.patch
sprintf_no_format_string.diff
no_eval.patch