From 2736cf77113b65b2fe34eea70347e923b9c02af5 Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Fri, 15 Jan 2021 16:30:34 +0800
Subject: [PATCH] remove libdb dependency
---
 sendmail-8.15.2-format-security.patch | 92 ++++++++++++
 sendmail-8.15.2-openssl-1.1.0-fix.patch | 183 ++++++++++++++++++++++++
 sendmail.spec | 20 ++-
 3 files changed, 289 insertions(+), 6 deletions(-)
 create mode 100644 sendmail-8.15.2-format-security.patch
 create mode 100644 sendmail-8.15.2-openssl-1.1.0-fix.patch
diff --git a/sendmail-8.15.2-format-security.patch b/sendmail-8.15.2-format-security.patch
new file mode 100644
index 0000000..d4ff443
--- /dev/null
+++ b/sendmail-8.15.2-format-security.patch
@@ -0,0 +1,92 @@
+diff --git a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
+index ba636a8..46c5356 100644
+--- a/sendmail/srvrsmtp.c
++++ b/sendmail/srvrsmtp.c
+@@ -159,6 +159,26 @@
+ #define SKIP_SPACE(s) while (SM_ISSPACE(*s)) \
+ (s)++
+
++static inline void
++message1(fmt)
++ char *fmt;
++{
++ if (strchr(fmt, '%') == NULL)
++ message(fmt, NULL);
++ else
++ message("%s", fmt);
++}
++
++static inline void
++usrerr1(fmt)
++ char *fmt;
++{
++ if (strchr(fmt, '%') == NULL)
++ usrerr(fmt, NULL);
++ else
++ usrerr("%s", fmt);
++}
++
+ #if _FFR_EAI
+ /*
+ ** ADDR_IS_ASCII -- check whether an address is 100% printable ASCII
+@@ -638,13 +658,13 @@
+ bool tsave = QuickAbort; \
+ \
+ QuickAbort = false; \
+- usrerr(response); \
++ usrerr1(response); \
+ QuickAbort = tsave; \
+ e->e_sendqueue = NULL; \
+ goto doquit; \
+ } \
+ else \
+- usrerr(response); \
++ usrerr1(response); \
+ break; \
+ \
+ case SMFIR_REJECT: \
+@@ -1011,7 +1031,7 @@
+ else if (strncmp(nullserver, "421 ", 4) == 0)
+ {
+ /* Can't use ("%s", ...) due to message() requirements */
+- message(nullserver);
++ message1(nullserver);
+ goto doquit;
+ }
+
+@@ -1953,7 +1973,7 @@
+ if (ISSMTPREPLY(nullserver))
+ {
+ /* Can't use ("%s", ...) due to usrerr() requirements */
+- usrerr(nullserver);
++ usrerr1(nullserver);
+ }
+ else
+ {
+@@ -2561,7 +2581,7 @@
+ if (response != NULL)
+ {
+ /* Can't use ("%s", ...) due to usrerr() requirements */
+- usrerr(response);
++ usrerr1(response);
+ }
+ else
+ {
+@@ -3800,7 +3820,7 @@
+ #endif
+
+ /* Can't use ("%s", ...) due to usrerr() requirements */
+- usrerr(response);
++ usrerr1(response);
+ if (strncmp(response, "421 ", 4) == 0
+ || strncmp(response, "421-", 4) == 0)
+ {
+@@ -3922,7 +3942,7 @@
+ (void) extenhsc(response + 4, ' ', e->e_enhsc);
+ #endif
+ /* Can't use ("%s", ...) due to usrerr() requirements */
+- usrerr(response);
++ usrerr1(response);
+ if (strncmp(response, "421 ", 4) == 0
+ || strncmp(response, "421-", 4) == 0)
+ rv = false;
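Review bot: `message1()` and `usrerr1()` change what is sent whenever the string contains `%`: the `"%s"` branch hands `message()`/`usrerr()` a format with no reply code in it, while the call-site comments this patch keeps (`Can't use ("%s", ...) due to usrerr() requirements`) say those functions need the text as the format itself, presumably because they take the SMTP reply code from it. A reply such as the constructed `550 5.7.1 100% rejected` would then likely go out under a default code, while the later `strncmp(response, "421 ", 4)` checks still act on the original text. Closing the format-string path for `nullserver` and milter `response` strings is the right goal, but the fallback should be documented at the helpers, e.g. `/* '%' present: text is sent literally via "%s"; a reply code embedded in fmt is not parsed */`, and the now-contradictory call-site comments should be updated to match. Declaring the parameter as `const char *fmt` would also state that the helpers never write through it.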
diff --git a/sendmail-8.15.2-openssl-1.1.0-fix.patch b/sendmail-8.15.2-openssl-1.1.0-fix.patch
new file mode 100644
index 0000000..c0023b1
--- /dev/null
+++ b/sendmail-8.15.2-openssl-1.1.0-fix.patch
@@ -0,0 +1,183 @@
+--- sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 15:20:59.953546417 +0100
++++ sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 17:26:43.868521378 +0100
+@@ -79,7 +79,8 @@
+ static DH *
+ get_dh512()
+ {
+- DH *dh = NULL;
++ DH *dh;
++ BIGNUM *p, *g;
+ # if MTA_HAVE_DH_set0_pqg
+ BIGNUM *dhp_bn, *dhg_bn;
+ # endif
+@@ -96,13 +97,23 @@
+ return NULL;
+ }
+ # else
+- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+- if ((dh->p == NULL) || (dh->g == NULL))
++ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
++ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
++ if (p == NULL || g == NULL)
+ {
++ BN_free(p);
++ BN_free(g);
+ DH_free(dh);
+ return NULL;
+ }
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++ DH_set0_pqg(dh, p, NULL, g);
++#else
++ dh->p = p;
++ dh->g = g;
++#endif
++
+ # endif
+ return dh;
+ }
+@@ -150,6 +161,8 @@
+ };
+ static unsigned char dh2048_g[]={ 0x02, };
+ DH *dh;
++ BIGNUM *p, *g;
++
+ # if MTA_HAVE_DH_set0_pqg
+ BIGNUM *dhp_bn, *dhg_bn;
+ # endif
+@@ -166,13 +179,23 @@
+ return NULL;
+ }
+ # else
+- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+- if ((dh->p == NULL) || (dh->g == NULL))
++ p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
++ g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
++ if (p == NULL || g == NULL)
+ {
++ BN_free(p);
++ BN_free(g);
+ DH_free(dh);
+- return(NULL);
++ return NULL;
+ }
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++ DH_set0_pqg(dh, p, NULL, g);
++#else
++ dh->p = p;
++ dh->g = g;
++#endif
++
+ # endif
+ return(dh);
+ }
+@@ -929,6 +952,54 @@
+ # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0
+ # endif
+
++static RSA *
++generate_rsa_key(bits, e)
++ int bits;
++ unsigned long e;
++{
++#if OPENSSL_VERSION_NUMBER < 0x00908000L
++ return RSA_generate_key(bits, e, NULL, NULL);
++#else
++ BIGNUM *bne;
++ RSA *rsa = NULL;
++
++ bne = BN_new();
++ if (bne && BN_set_word(bne, e) != 1)
++ rsa = RSA_new();
++ if (rsa && RSA_generate_key_ex(rsa, bits, bne, NULL) != 1)
++ {
++ RSA_free(rsa);
++ rsa = NULL;
++ }
++ BN_free(bne);
++ return rsa;
++#endif
++}
++
++static DSA *
++generate_dsa_parameters(bits, seed, seed_len, counter_ret, h_ret)
++ int bits;
++ unsigned char *seed;
++ int seed_len;
++ int *counter_ret;
++ unsigned long *h_ret;
++{
++#if OPENSSL_VERSION_NUMBER < 0x00908000L
++ return DSA_generate_parameters(bits, seed, seed_len, counter_ret,
++ h_ret, NULL, NULL);
++#else
++ DSA *dsa = DSA_new();
++
++ if (dsa && DSA_generate_parameters_ex(dsa, bits, seed, seed_len,
++ counter_ret, h_ret, NULL) != 1)
++ {
++ DSA_free(dsa);
++ dsa = NULL;
++ }
++ return dsa;
++#endif
++}
++
+ bool
+ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
+ SSL_CTX **ctx;
+@@ -1183,8 +1254,7 @@
+ if (bitset(TLS_I_RSA_TMP, req)
+ # if SM_CONF_SHM
+ && ShmId != SM_SHM_NO_ID &&
+- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
+- NULL)) == NULL
++ (rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4)) == NULL
+ # else /* SM_CONF_SHM */
+ && 0 /* no shared memory: no need to generate key now */
+ # endif /* SM_CONF_SHM */
+@@ -1391,8 +1461,8 @@
+ }
+ # else
+ /* this takes a while! */
+- dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
+- NULL, 0, NULL);
++ dsa = generate_dsa_parameters(bits, NULL, 0, NULL,
++ NULL);
+ dh = DSA_dup_DH(dsa);
+ # endif
+ DSA_free(dsa);
+@@ -2081,7 +2151,7 @@
+
+ if (rsa_tmp != NULL)
+ RSA_free(rsa_tmp);
+- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
++ rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4);
+ if (rsa_tmp == NULL)
+ {
+ if (LogLevel > 0)
+@@ -2526,12 +2596,21 @@
+ SM_GETTLSI;
+ if (LogLevel > 13)
+ tls_verify_log(ok, ctx, "X509");
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++ if (X509_STORE_CTX_get_error(ctx) ==
++ X509_V_ERR_UNABLE_TO_GET_CRL)
++ {
++ X509_STORE_CTX_set_error(ctx, 0);
++ return 1; /* override it */
++ }
++#else
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL &&
+ !SM_TLSI_IS(tlsi_ctx, TLSI_FL_CRLREQ))
+ {
+ X509_STORE_CTX_set_error(ctx, 0);
+ return 1; /* override it */
+ }
++#endif
+ return ok;
+ }
+
diff --git a/sendmail.spec b/sendmail.spec
index eb15495..273cca2 100644
--- a/sendmail.spec
+++ b/sendmail.spec
@@ -1,6 +1,6 @@
 Name: sendmail
 Version: 8.16.1
-Release: 2
+Release: 3
 Summary: A classic mail transfer agent from the Unix world
 License: Sendmail
 URL: http://www.sendmail.org/
@@ -21,7 +21,7 @@ Source13: sendmail-etc-mail-local-host-names Source14: sendmail-etc-mail-mailertable Source15: sendmail-etc-mail-trusted-users -BuildRequires: openssl-devel openldap-devel libdb-devel libnsl2-devel +BuildRequires: openssl-devel openldap-devel libnsl2-devel BuildRequires: cyrus-sasl-devel groff ghostscript m4 systemd setup >= 2.5.31-1 Requires: bash >= 2.0 setup >= 2.5.31-1 %{_sbindir}/saslauthd Requires(pre): shadow-utils
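Review bot: In the nested `@@ -2526,12 +2596,21 @@` hunk of the tls.c patch, the `#if OPENSSL_VERSION_NUMBER >= 0x10100005L` branch clears `X509_V_ERR_UNABLE_TO_GET_CRL` and returns 1 without the `!SM_TLSI_IS(tlsi_ctx, TLSI_FL_CRLREQ)` test that the `#else` branch keeps, so on newer OpenSSL a missing CRL is accepted even when that flag (presumably "CRL required") is set. Unless `tlsi_ctx` is unavailable on that path, both branches should use the same condition: `if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL && !SM_TLSI_IS(tlsi_ctx, TLSI_FL_CRLREQ))`. Separately, `generate_rsa_key()` calls `RSA_new()` only when `BN_set_word(bne, e) != 1`, that is, when setting the exponent failed; on success `rsa` stays NULL and the helper returns NULL, so the test looks inverted and should read `if (bne != NULL && BN_set_word(bne, e) == 1)`. The verify callback that contains the CRL check starts outside the nested hunk, so the availability of `tlsi_ctx` there needs confirming against the full file.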
@@ -46,6 +46,8 @@ Patch9: sendmail-8.15.2-switchfile.patch Patch10: sendmail-8.14.8-sasl2-in-etc.patch Patch11: sendmail-8.16.1-qos.patch Patch12: sendmail-8.15.2-libmilter-socket-activation.patch +Patch13: sendmail-8.15.2-openssl-1.1.0-fix.patch +Patch14: sendmail-8.15.2-format-security.patch %description Sendmail is a general purpose internetwork email routing facility that @@ -94,21 +96,21 @@ cp devtools/M4/UNIX/library.m4 devtools/M4/UNIX/sharedlibrary.m4 export CFLAGS="${RPM_OPT_FLAGS}" cat << EOF > config.m4 -define(\`confMAPDEF', \`-DNEWDB -DNIS -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1') +define(\`confMAPDEF', \`-DNIS -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1') define(\`confOPTIMIZE', \`\`\`\`${RPM_OPT_FLAGS}'''') -define(\`confLIBS', \`-lnsl -lcrypt -ldb -lresolv') +define(\`confLIBS', \`-lnsl -lcrypt -lresolv') define(\`confSTDIR', \`%{_localstatedir}/log/mail') define(\`confLDOPTS', \`-Xlinker -z -Xlinker relro -Xlinker -z -Xlinker now') define(\`confMANOWN', \`root') define(\`confMANGRP', \`root') -define(\`confENVDEF', \`-I%{_includedir}/libdb -I/usr/kerberos/include -Wall -DXDEBUG=0') +define(\`confENVDEF', \`-I/usr/kerberos/include -Wall -DXDEBUG=0') define(\`confLIBDIRS', \`-L/usr/kerberos/%{_lib}') define(\`confMANMODE', \`644') define(\`confMAN1SRC', \`1') define(\`confMAN5SRC', \`5') define(\`confMAN8SRC', \`8') define(\`STATUS_FILE', \`%{_localstatedir}/log/mail/statistics') -define(\`confLIBSEARCH', \`db resolv 44bsd') +define(\`confLIBSEARCH', \`resolv 44bsd') EOF #' -- 2.23.0
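Review bot: Dropping `-DNEWDB` from `confMAPDEF` and `-ldb` from `confLIBS` leaves the visible map set at `-DNIS -DMAP_REGEX -DSOCKETMAP`, so the build no longer has a local `hash`/`btree` map class and nothing in this hunk replaces it. If the packaged configuration (not shown in this diff) still declares `hash` maps for aliases, access or virtusertable, those lookups will fail at run time, and since the access map is where relay and reject policy usually lives, it is worth confirming that the failure mode is a refusal rather than a silently skipped check. I would add a spec comment above the heredoc such as `# NEWDB removed with libdb: shipped .mc/.cf and makemap usage must not reference hash/btree maps`, and check the shipped defaults against it. The subject says only "remove libdb dependency" while the commit also adds two unrelated patches, so a sentence in the description would help anyone auditing why the TLS and format-string code changed.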