From df637ccdfcb6f06a908ab906103a6f3910867237 Mon Sep 17 00:00:00 2001 From: rea Date: Sun, 9 Jan 2011 11:19:24 +0000 Subject: mail/exim: update to 4.73 Most notably, this version fixes local exim -> root escalation, CVE-2010-4345. Port had also gained configurable knob for disabling -D option and make variables TRUSTED_CONFIG_LIST and WHITELIST_D_MACROS to fine tune the behaviour of options -C and -D. New items are documented at ftp://exim.inode.at/exim/ChangeLogs/NewStuff-4.73 Changelog is available at ftp://exim.inode.at/exim/ChangeLogs/ChangeLog-4.73 Security: e4fcf020-0447-11e0-becc-0022156e8794 / CVE-2010-4345 PR: 152963 [1], 153711 [2] Submitted by: Alexander Wittig [1] Approved by: garga (mentor)
---
 mail/exim/Makefile | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
(limited to 'mail/exim/Makefile')
diff --git a/mail/exim/Makefile b/mail/exim/Makefile
index 2a83b8ec3d36..95109ff76d38 100644
--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@@ -27,7 +27,7 @@ MAKE_JOBS_UNSAFE= yes
 .include
-.if defined(WITH_SA_EXIM)
+.if defined(WITH_SA_EXIM)
 .if defined(WITH_KAS)
 IGNORE= You cannot select both SA_EXIM and KAS options
 .endif
@@ -58,7 +58,7 @@ PLIST_SUB+= SO_1024=""
 PLIST_SUB+= SO_1024="@comment "
 .endif
-EXIM_VERSION= 4.72
+EXIM_VERSION= 4.73
 SA_EXIM_VERSION=4.2
 SO_1024_VERSION=3.2
@@ -449,9 +449,32 @@ PLIST_SUB+= DAEMON="@comment "
 SEDLIST+= -e 's,^\# (HAVE_IPV6=),\1,'
 .endif
+.if defined(WITH_DISABLE_D_OPT)
+SEDLIST+= -e 's,^\# (DISABLE_D_OPTION=),\1,'
+.else
+.if defined(WHITELIST_D_MACROS)
+SEDLIST+= -e 's,^\# (WHITELIST_D_MACROS=).*$$,\1=${WHITELIST_D_MACROS:S/,/\\,/g},'
+.endif
+.endif
+
+.if defined(TRUSTED_CONFIG_LIST)
+SEDLIST+= -e 's,^\# (TRUSTED_CONFIG_LIST=).*$$,\1=${TRUSTED_CONFIG_LIST:S/,/\\,/g},'
+.endif
+
 DUMMY_LDFLAGS!= ${ECHO_CMD} ${LDFLAGS} | ${SED} -e 's|-Wl,-rpath|-Wl,-DUMMYrpath|g; s|-rpath|-Wl,-rpath|g; s|-DUMMYrpath|-rpath|g'
 pre-everything::
+ @${ECHO} 'Exim now drops privileges when alternate configuration'
+ @${ECHO} 'files are used. You can set make variable TRUSTED_CONFIG_LIST'
+ @${ECHO} 'to specify the list of configuration files for which'
+ @${ECHO} 'root privileges will be retained.'
+ @${ECHO} ''
+ @${ECHO} 'You can whitelist some macros using the make variable'
+ @${ECHO} 'WHITELIST_D_MACROS. This is useful if you are running'
+ @${ECHO} 'with DISABLE_D_OPT set, but macros whitelisting will be'
+ @${ECHO} 'removed in some future Exim release, so it is better'
+ @${ECHO} 'to use TRUSTED_CONFIG_LIST to set the list of trusted'
+ @${ECHO} 'configuration files.'
 .if empty(.MAKEFLAGS:M-s) && defined(WITH_WISHLIST)
 @${ECHO} ''
 @${ECHO} 'Included extra patches:'
-- cgit
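Review bot: The two new SEDLIST substitutions for WHITELIST_D_MACROS and TRUSTED_CONFIG_LIST capture the `=` inside the group (`(WHITELIST_D_MACROS=)`, `(TRUSTED_CONFIG_LIST=)`) and then write a second one in the replacement (`\1=${...}`), so the generated line reads `WHITELIST_D_MACROS==value`. If the Exim build takes everything after the first `=` as the value, the list would start with a stray `=` and presumably never match a real macro or configuration path; that fails closed, but it silently leaves both knobs without effect. Dropping the extra character, `\1${WHITELIST_D_MACROS:S/,/\\,/g}` and `\1${TRUSTED_CONFIG_LIST:S/,/\\,/g}`, would avoid it. Separately, the pre-everything message says the whitelist is useful "with DISABLE_D_OPT set", while the `.else` branch applies WHITELIST_D_MACROS only when WITH_DISABLE_D_OPT is not defined, so the text should name the real knob and state that the two are mutually exclusive. The pre-everything recipe continues past the end of this hunk.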