authorRobin H. Johnson <robbat2@gentoo.org>2013-05-27 00:45:52 +0000
committerRobin H. Johnson <robbat2@gentoo.org>2013-05-27 00:45:52 +0000
commitbc6e429d578d6538f6c7aaf0bbab5d9219bda984 (patch)
treefee428c46208c13293332d850e03fd51a84295ba /mail-mta
parentBump. (diff)
Fix security bug #372967. Also fixes bugs #335077, #331901, #370611, #403893, #404225.
(Portage version: 2.2.0_alpha177/cvs/Linux x86_64, unsigned Manifest commit)
Diffstat (limited to 'mail-mta')
-rw-r--r--mail-mta/netqmail/ChangeLog11
-rw-r--r--mail-mta/netqmail/files/conf-common11
-rw-r--r--mail-mta/netqmail/files/conf-qmqpd5
-rw-r--r--mail-mta/netqmail/files/conf-qmtpd5
-rw-r--r--mail-mta/netqmail/files/conf-smtpd5
-rw-r--r--mail-mta/netqmail/files/genqmail-20080406-ldflags.patch13
-rw-r--r--mail-mta/netqmail/files/servercert.cnf4
-rw-r--r--mail-mta/netqmail/netqmail-1.06-r1.ebuild8
-rw-r--r--mail-mta/netqmail/netqmail-1.06-r2.ebuild169
9 files changed, 209 insertions, 22 deletions
diff --git a/mail-mta/netqmail/ChangeLog b/mail-mta/netqmail/ChangeLog
index 35094576c6b2..40c1f8925eec 100644
--- a/mail-mta/netqmail/ChangeLog
+++ b/mail-mta/netqmail/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for mail-mta/netqmail
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/ChangeLog,v 1.62 2013/04/15 22:55:10 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/ChangeLog,v 1.63 2013/05/27 00:45:52 robbat2 Exp $
+
+*netqmail-1.06-r2 (27 May 2013)
+
+ 27 May 2013; Robin H. Johnson <robbat2@gentoo.org>
+ +files/genqmail-20080406-ldflags.patch, +netqmail-1.06-r2.ebuild,
+ files/conf-common, files/conf-qmqpd, files/conf-qmtpd, files/conf-smtpd,
+ files/servercert.cnf, netqmail-1.06-r1.ebuild:
+ Fix security bug #372967. Also fixes bugs #335077, #331901, #370611, #403893,
+ #404225.
*netqmail-1.06-r1 (15 Apr 2013)
diff --git a/mail-mta/netqmail/files/conf-common b/mail-mta/netqmail/files/conf-common
index 613193cc9773..008fe63c3076 100644
--- a/mail-mta/netqmail/files/conf-common
+++ b/mail-mta/netqmail/files/conf-common
@@ -1,6 +1,6 @@
#!/bin/bash
# Common Configuration file for all qmail daemons
-# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/conf-common,v 1.1 2006/02/12 18:42:33 hansmi Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/conf-common,v 1.2 2013/05/27 00:45:52 robbat2 Exp $
# Qmail User IDS to run daemons as
QMAILDUID=$(id -u qmaild)
@@ -17,7 +17,7 @@ TCPSERVER_PORT=${SERVICE}
# you do not need to specify -x, -c, -u or -g in this variable as those are
# added later
-TCPSERVER_OPTS="-p -v"
+TCPSERVER_OPTS="-p -v -R"
# This tells tcpserver where to file the rules cdb file
[[ -d /etc/tcprules.d/ ]] && \
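Review bot: `-R` becomes a default for every daemon in `TCPSERVER_OPTS="-p -v -R"`, but the comment that explained it is deleted from conf-qmqpd, conf-qmtpd and conf-smtpd in this same commit and is not carried over here. An administrator reading conf-common can no longer tell from the file what the flag does or that it is intentional. I would add the removed wording above the assignment, `# -R turns off the IDENT grab attempt on connecting`.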
@@ -25,9 +25,10 @@ TCPSERVER_OPTS="-p -v"
[[ ! -f "${TCPSERVER_RULESCDB}" ]] && \
TCPSERVER_RULESCDB=/etc/tcp.${SERVICE}.cdb
-# we limit data and stack segments to 8mbytes, you may need to raise this if
-# you are using a filter in QMAILQUEUE
-SOFTLIMIT_OPTS="-m 16000000"
+# we limit data and stack segments to 32mbytes, you may need to raise this if
+# you are using a filter in QMAILQUEUE.
+# Per bug #403893 amd64 needs a higher limit.
+SOFTLIMIT_OPTS="-m 32000000"
# We don't have anything to set QMAILQUEUE to at the moment, so we leave it
# alone. Generally it is best to add this in your appropriate (usually SMTP)
diff --git a/mail-mta/netqmail/files/conf-qmqpd b/mail-mta/netqmail/files/conf-qmqpd
index b3622411dc3a..2b337d930772 100644
--- a/mail-mta/netqmail/files/conf-qmqpd
+++ b/mail-mta/netqmail/files/conf-qmqpd
@@ -1,5 +1,5 @@
# Configuration file for qmail-qmqpd
-# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/conf-qmqpd,v 1.1 2006/02/12 18:42:33 hansmi Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/conf-qmqpd,v 1.2 2013/05/27 00:45:52 robbat2 Exp $
# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""
@@ -8,8 +8,5 @@
# Stuff to after qmail-qmqpd
#QMAIL_QMQP_POST=""
-# this turns off the IDENT grab attempt on connecting
-TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
-
# I don't trust /etc/services to have obscure ports
TCPSERVER_PORT=628
diff --git a/mail-mta/netqmail/files/conf-qmtpd b/mail-mta/netqmail/files/conf-qmtpd
index 7116efc29672..6d6df72e6506 100644
--- a/mail-mta/netqmail/files/conf-qmtpd
+++ b/mail-mta/netqmail/files/conf-qmtpd
@@ -1,5 +1,5 @@
# Configuration file for qmail-qmtpd
-# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/conf-qmtpd,v 1.1 2006/02/12 18:42:33 hansmi Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/conf-qmtpd,v 1.2 2013/05/27 00:45:52 robbat2 Exp $
# For more information on making your servers talk QMTP
# see http://cr.yp.to/im/mxps.html
@@ -11,8 +11,5 @@
# Stuff to after qmail-qmtpd
#QMAIL_QMTP_POST=""
-# this turns off the IDENT grab attempt on connecting
-TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
-
# I don't trust /etc/services to have obscure ports
TCPSERVER_PORT=209
diff --git a/mail-mta/netqmail/files/conf-smtpd b/mail-mta/netqmail/files/conf-smtpd
index cfbdad49a52d..d7cc2c3d3d59 100644
--- a/mail-mta/netqmail/files/conf-smtpd
+++ b/mail-mta/netqmail/files/conf-smtpd
@@ -1,5 +1,5 @@
# Configuration file for qmail-smtpd
-# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/conf-smtpd,v 1.1 2006/02/12 18:42:33 hansmi Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/conf-smtpd,v 1.2 2013/05/27 00:45:52 robbat2 Exp $
# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""
@@ -8,9 +8,6 @@
# Stuff to after qmail-smtpd
#QMAIL_SMTP_POST=""
-# this turns off the IDENT grab attempt on connecting
-TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
-
# fixcrio inserts missing CRs at the ends of lines. See:
# http://cr.yp.to/ucspi-tcp/fixcrio.html
# http://cr.yp.to/docs/smtplf.html
diff --git a/mail-mta/netqmail/files/genqmail-20080406-ldflags.patch b/mail-mta/netqmail/files/genqmail-20080406-ldflags.patch
new file mode 100644
index 000000000000..1eb334c259c1
--- /dev/null
+++ b/mail-mta/netqmail/files/genqmail-20080406-ldflags.patch
@@ -0,0 +1,13 @@
+diff -Nuar genqmail-20080406.orig/spp/Makefile genqmail-20080406/spp/Makefile
+--- genqmail-20080406.orig/spp/Makefile 2008-04-06 15:44:14.000000000 +0000
++++ genqmail-20080406/spp/Makefile 2013-05-27 00:37:58.687763457 +0000
+@@ -14,7 +14,7 @@
+ rm -f $(TARGETS)
+
+ $(RESOLV_OBJS):
+- $(CC) $(CFLAGS) -o $@ $@.c -lresolv
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $@.c -lresolv
+
+ $(SIMPLE_OBJS):
+- $(CC) $(CFLAGS) -o $@ $@.c
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $@.c
diff --git a/mail-mta/netqmail/files/servercert.cnf b/mail-mta/netqmail/files/servercert.cnf
index 735445eacc87..aa48938ea655 100644
--- a/mail-mta/netqmail/files/servercert.cnf
+++ b/mail-mta/netqmail/files/servercert.cnf
@@ -1,4 +1,4 @@
-# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/servercert.cnf,v 1.1 2006/02/12 18:42:33 hansmi Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/servercert.cnf,v 1.2 2013/05/27 00:45:52 robbat2 Exp $
# This is the openssl config file to generate keys for qmail
[ req ]
@@ -6,7 +6,7 @@
# this should be a power of 2!
default_bits = 1024
# leave the rest of these alone!
-encrypt_key = yes
+encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
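Review bot: With `encrypt_key = no` the generated private key is written to disk without a passphrase, so file ownership and mode become its only protection. The code that runs openssl with this config is outside this diff, so confirm that it creates the key under a restrictive umask and leaves it readable only by the daemon account. The comment `# leave the rest of these alone!` directly above the changed line could record the reason, for example `# encrypt_key must stay "no": the daemons start unattended and cannot prompt for a passphrase` (presumably the motivation; confirm against the referenced bugs). The unchanged `default_bits = 1024` in the same hunk is below the 2048-bit minimum generally recommended for RSA keys and is worth a follow-up.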
diff --git a/mail-mta/netqmail/netqmail-1.06-r1.ebuild b/mail-mta/netqmail/netqmail-1.06-r1.ebuild
index 3576da46d899..20387d64a909 100644
--- a/mail-mta/netqmail/netqmail-1.06-r1.ebuild
+++ b/mail-mta/netqmail/netqmail-1.06-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/netqmail-1.06-r1.ebuild,v 1.1 2013/04/15 22:55:10 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/netqmail-1.06-r1.ebuild,v 1.2 2013/05/27 00:45:52 robbat2 Exp $
EAPI=5
@@ -94,7 +94,11 @@ src_prepare() {
ht_fix_file Makefile*
if ! use vanilla; then
- use ssl && epatch "${DISTDIR}"/${QMAIL_TLS_F}
+ # This patch contains relative paths and needs to be cleaned up.
+ sed 's~^--- ../../~--- ~g' \
+ <"${DISTDIR}"/${QMAIL_TLS_F} \
+ >"${T}"/${QMAIL_TLS_F}
+ use ssl && epatch "${T}"/${QMAIL_TLS_F}
use highvolume && epatch "${DISTDIR}"/${QMAIL_BIGTODO_F}
if use qmail-spp; then
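Review bot: The added `sed` runs whenever `vanilla` is off, although only the `epatch` that consumes its output is guarded by `use ssl`. In netqmail-1.06-r2.ebuild on this page the TLS patch is fetched only under `ssl?` in SRC_URI; if r1 does the same, a non-ssl build has no such file in DISTDIR and the input redirect fails with a shell error. The sed's exit status is also unchecked, so a failed rewrite is caught only indirectly by epatch. Wrapping both commands in `if use ssl` and adding `|| die` addresses both, and the same lines appear in src_prepare of netqmail-1.06-r2.ebuild. src_prepare starts and ends outside this hunk.

```shell
	if ! use vanilla; then
		if use ssl; then
			# This patch contains relative paths and needs to be cleaned up.
			sed 's~^--- ../../~--- ~g' \
				<"${DISTDIR}"/${QMAIL_TLS_F} \
				>"${T}"/${QMAIL_TLS_F} \
				|| die "rewriting paths in ${QMAIL_TLS_F} failed"
			epatch "${T}"/${QMAIL_TLS_F}
		fi
		# … unchanged: highvolume and qmail-spp patches …
```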
diff --git a/mail-mta/netqmail/netqmail-1.06-r2.ebuild b/mail-mta/netqmail/netqmail-1.06-r2.ebuild
new file mode 100644
index 000000000000..1ea9b1749d5d
--- /dev/null
+++ b/mail-mta/netqmail/netqmail-1.06-r2.ebuild
@@ -0,0 +1,169 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/netqmail-1.06-r2.ebuild,v 1.1 2013/05/27 00:45:52 robbat2 Exp $
+
+EAPI=5
+
+GENQMAIL_PV=20080406
+QMAIL_SPP_PV=0.42
+
+QMAIL_TLS_PV=20070417
+QMAIL_TLS_F=${PN}-1.05-tls-smtpauth-${QMAIL_TLS_PV}.patch
+QMAIL_TLS_CVE=vu555316.patch
+
+QMAIL_BIGTODO_PV=103
+QMAIL_BIGTODO_F=big-todo.${QMAIL_BIGTODO_PV}.patch
+
+QMAIL_LARGE_DNS='qmail-103.patch'
+
+inherit eutils qmail
+
+DESCRIPTION="qmail -- a secure, reliable, efficient, simple message transfer agent"
+HOMEPAGE="
+ http://netqmail.org
+ http://cr.yp.to/qmail.html
+ http://qmail.org
+"
+SRC_URI="mirror://qmail/${P}.tar.gz
+ http://dev.gentoo.org/~hollow/distfiles/${GENQMAIL_F}
+ http://www.ckdhr.com/ckd/${QMAIL_LARGE_DNS}
+ http://inoa.net/qmail-tls/${QMAIL_TLS_CVE}
+ !vanilla? (
+ highvolume? ( mirror://qmail/${QMAIL_BIGTODO_F} )
+ qmail-spp? ( mirror://sourceforge/qmail-spp/${QMAIL_SPP_F} )
+ ssl? ( http://shupp.org/patches/${QMAIL_TLS_F} )
+ )
+"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="authcram gencertdaily highvolume qmail-spp ssl vanilla"
+REQUIRED_USE='vanilla? ( !ssl !qmail-spp !highvolume )'
+RESTRICT="test"
+
+DEPEND="
+ !mail-mta/qmail
+ net-mail/queue-repair
+ ssl? ( dev-libs/openssl )
+ sys-apps/groff
+"
+RDEPEND="
+ !mail-mta/courier
+ !mail-mta/esmtp
+ !mail-mta/exim
+ !mail-mta/mini-qmail
+ !mail-mta/msmtp[mta]
+ !mail-mta/nullmailer
+ !mail-mta/postfix
+ !mail-mta/qmail-ldap
+ !mail-mta/sendmail
+ !<mail-mta/ssmtp-2.64-r2
+ !>=mail-mta/ssmtp-2.64-r2[mta]
+ >=sys-apps/ucspi-tcp-0.88-r17
+ ssl? ( >=sys-apps/ucspi-ssl-0.70-r1 )
+ virtual/daemontools
+ >=net-mail/dot-forward-0.71-r3
+ virtual/checkpassword
+ authcram? ( >=net-mail/cmd5checkpw-0.30 )
+ ${DEPEND}
+"
+
+pkg_setup() {
+ if [[ -n "${QMAIL_PATCH_DIR}" ]]; then
+ eerror
+ eerror "The QMAIL_PATCH_DIR variable for custom patches"
+ eerror "has been removed from ${PN}. If you need custom patches"
+ eerror "you should create a copy of this ebuild in an overlay."
+ eerror
+ die "QMAIL_PATCH_DIR is not supported anymore"
+ fi
+
+ qmail_create_users
+}
+
+src_unpack() {
+ genqmail_src_unpack
+ use qmail-spp && qmail_spp_src_unpack
+
+ unpack ${P}.tar.gz
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PV}-exit.patch
+ epatch "${FILESDIR}"/${PV}-readwrite.patch
+ epatch "${DISTDIR}"/${QMAIL_LARGE_DNS}
+
+ ht_fix_file Makefile*
+
+ if ! use vanilla; then
+ # This patch contains relative paths and needs to be cleaned up.
+ sed 's~^--- ../../~--- ~g' \
+ <"${DISTDIR}"/${QMAIL_TLS_F} \
+ >"${T}"/${QMAIL_TLS_F}
+ use ssl && epatch "${T}"/${QMAIL_TLS_F}
+ use ssl && epatch "${DISTDIR}"/${QMAIL_TLS_CVE}
+ use highvolume && epatch "${DISTDIR}"/${QMAIL_BIGTODO_F}
+
+ if use qmail-spp; then
+ if use ssl; then
+ epatch "${QMAIL_SPP_S}"/qmail-spp-smtpauth-tls-20060105.diff
+ else
+ epatch "${QMAIL_SPP_S}"/netqmail-spp.diff
+ fi
+ cd "${WORKDIR}"
+ epatch "${FILESDIR}"/genqmail-20080406-ldflags.patch
+ cd -
+ fi
+ fi
+
+ qmail_src_postunpack
+
+ # Fix bug #33818 but for netqmail (Bug 137015)
+ if ! use authcram; then
+ einfo "Disabled CRAM_MD5 support"
+ sed -e 's,^#define CRAM_MD5$,/*&*/,' -i "${S}"/qmail-smtpd.c
+ else
+ einfo "Enabled CRAM_MD5 support"
+ fi
+}
+
+src_compile() {
+ qmail_src_compile
+ use qmail-spp && qmail_spp_src_compile
+}
+
+src_install() {
+ qmail_src_install
+}
+
+pkg_postinst() {
+ qmail_queue_setup
+ qmail_rootmail_fixup
+ qmail_tcprules_build
+
+ qmail_config_notice
+ qmail_supervise_config_notice
+ elog
+ elog "If you are looking for documentation, check those links:"
+ elog "http://www.gentoo.org/doc/en/qmail-howto.xml"
+ elog " -- qmail/vpopmail Virtual Mail Hosting System Guide"
+ elog "http://www.lifewithqmail.com/"
+ elog " -- Life with qmail"
+ elog
+}
+
+pkg_preinst() {
+ qmail_tcprules_fixup
+}
+
+pkg_config() {
+ # avoid some weird locale problems
+ export LC_ALL=C
+
+ qmail_config_fast
+ qmail_tcprules_config
+ qmail_tcprules_build
+
+ use ssl && qmail_ssl_generate
+}
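Review bot: `${QMAIL_TLS_CVE}` is listed unconditionally in SRC_URI, yet src_prepare applies it only inside `if ! use vanilla` behind `use ssl`, so non-ssl builds fetch a patch they never use. Moving `http://inoa.net/qmail-tls/${QMAIL_TLS_CVE}` into the existing `ssl? ( … )` group would make the fetch match the use. The line `use ssl && epatch "${DISTDIR}"/${QMAIL_TLS_CVE}` also has no comment tying it to the security bug named in the commit message. Something like `# Security fix (bug #372967); applied after the TLS patch it amends` would keep a later cleanup from dropping or reordering it; the bug-to-patch mapping is inferred from the commit message and should be confirmed. In the qmail-spp branch, `cd "${WORKDIR}"` is unchecked and would be safer as `cd "${WORKDIR}" || die`.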