mail/opensmtpd: update to 6.6.4p1 security releaase

SECURITY RELEASE An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group. MFH: 2020Q1
svn path=/head/; revision=527012
2024-10-19 19:59:43 +00:00 · 2020-02-24 18:36:49 +00:00 · 2020-02-24 18:36:49 +00:00 · 35c76eef93 · 2021-03-31 03:12:20 +00:00
commit 35c76eef93
parent 8cc580615a
3 changed files with 9 additions and 6 deletions
--- a/mail/opensmtpd/Makefile
+++ b/mail/opensmtpd/Makefile
@ -2,7 +2,7 @@
 # $FreeBSD$

 PORTNAME=	opensmtpd
-PORTVERSION=	6.6.3
+PORTVERSION=	6.6.4
 DISTVERSIONSUFFIX=	p1
 PORTEPOCH=	1
 PORTREVISION=	0
@ -52,7 +52,10 @@ TABLE_DB_CONFIGURE_WITH=	table-db

 CONFIGURE_ARGS+=	--with-libasr=${LOCALBASE} \
 			--with-libevent=${LOCALBASE} \
-			--sysconfdir=${PREFIX}/etc/mail/
+			--sysconfdir=${PREFIX}/etc/mail/ \
+			--with-user-smtpd=_smtpd \
+			--with-user-queue=_smtpq \
+			--with-group-queue=_smtpq

 .include <bsd.port.pre.mk>

--- a/mail/opensmtpd/distinfo
+++ b/mail/opensmtpd/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1581434283
-SHA256 (opensmtpd-6.6.3p1.tar.gz) = 9ef7c0eb7ffc5c84dca7651cec69bd7b180014cd5227f6dbc7a303eaa9d41eb7
-SIZE (opensmtpd-6.6.3p1.tar.gz) = 787196
+TIMESTAMP = 1582566329
+SHA256 (opensmtpd-6.6.4p1.tar.gz) = e2f9962a6b99b3cc1572b63a10db648fdca4ad2b58079b680b4202cc7c82d7cf
+SIZE (opensmtpd-6.6.4p1.tar.gz) = 790754
--- a/mail/opensmtpd/pkg-plist
+++ b/mail/opensmtpd/pkg-plist
@ -8,7 +8,7 @@ libexec/opensmtpd/mail.maildir
 libexec/opensmtpd/mail.mboxfile
 libexec/opensmtpd/mail.mda
 %%TABLE_DB%%libexec/opensmtpd/makemap
-@(,,2555) sbin/smtpctl
+@(,_smtpq,2555) sbin/smtpctl
 sbin/smtpd
 man/man1/smtp.1.gz
 man/man5/aliases.5.gz