From 8cfa5131f89b8d454b65d152d98dfb863e00295a Mon Sep 17 00:00:00 2001
From: Ryan Kavanagh
Date: Tue, 28 Jan 2020 18:03:58 -0500
Subject: [PATCH 2/2] Fix privilege escalation vulnerability, 019_smtpd_exec.patch.sig

An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user.
---
 debian/patches/019_smtpd_exec.patch.sig | 53 +++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 debian/patches/019_smtpd_exec.patch.sig

diff --git a/debian/patches/019_smtpd_exec.patch.sig b/debian/patches/019_smtpd_exec.patch.sig
new file mode 100644
index 00000000..ca85a4a5
--- /dev/null
+++ b/debian/patches/019_smtpd_exec.patch.sig
@@ -0,0 +1,53 @@
+Description: fix privilege escalation bug
+ OpenBSD 6.6 errata 019, January 30, 2020:
+ .
+ An incorrect check allows an attacker to trick mbox delivery into executing
+ arbitrary commands as root and lmtp delivery into executing arbitrary commands
+ as an unprivileged user.
+Origin: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig
+Bug-Debian: https://bugs.debian.org/950121
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: opensmtpd/smtpd/smtp_session.c
+===================================================================
+--- opensmtpd.orig/smtpd/smtp_session.c 2020-01-28 17:56:24.026693606 -0500
++++ opensmtpd/smtpd/smtp_session.c 2020-01-28 17:56:24.022693963 -0500
+@@ -2006,25 +2006,23 @@
+ memmove(maddr->user, p, strlen(p) + 1);
+ }
+
+- if (!valid_localpart(maddr->user) ||
+- !valid_domainpart(maddr->domain)) {
+- /* accept empty return-path in MAIL FROM, required for bounces */
+- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
+- return (1);
++ /* accept empty return-path in MAIL FROM, required for bounces */
++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
++ return (1);
+
+- /* no user-part, reject */
+- if (maddr->user[0] == '\0')
+- return (0);
+-
+- /* no domain, local user */
+- if (maddr->domain[0] == '\0') {
+- (void)strlcpy(maddr->domain, domain,
+- sizeof(maddr->domain));
+- return (1);
+- }
++ /* no or invalid user-part, reject */
++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
+ return (0);
++
++ /* no domain part, local user */
++ if (maddr->domain[0] == '\0') {
++ (void)strlcpy(maddr->domain, domain,
++ sizeof(maddr->domain));
+ }
+
++ if (!valid_domainpart(maddr->domain))
++ return (0);
++
+ return (1);
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index dbf2b325..a7e0fff5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
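Review bot: The `(void)strlcpy(maddr->domain, domain, sizeof(maddr->domain));` in the "no domain part, local user" branch still discards the truncation result, and the new code accepts whatever lands in the buffer as long as `valid_domainpart()` passes. If `domain` can ever be longer than `maddr->domain` (neither size is visible in this hunk), a truncated but syntactically valid name would be accepted silently; `if (strlcpy(maddr->domain, domain, sizeof(maddr->domain)) >= sizeof(maddr->domain)) return (0);` would reject it instead. It would also help to state the invariant above the checks, e.g. `/* every return (1) except the empty MAIL FROM must come after valid_localpart() and valid_domainpart() */`, because the removed code returned 1 from the empty-domain branch even when `valid_localpart()` had failed. The enclosing function starts above the hunk, so this is based on its visible tail only.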
@@ -2,3 +2,4 @@
 10_smtpd.conf.diff
 11_ssl_1.1.diff
 018_smtpd_tls.patch.sig
+019_smtpd_exec.patch.sig
-- 
2.25.0