--- libspf2-1.2.5.dfsg.orig/debian/control +++ libspf2-1.2.5.dfsg/debian/control @@ -0,0 +1,51 @@ +Source: libspf2 +Priority: optional +Section: libs +Maintainer: Magnus Holmgren +Build-Depends: debhelper (>> 5), cdbs, dpatch, autotools-dev +Standards-Version: 3.7.3 +Vcs-Svn: svn://svn.kibibyte.se/libspf2/trunk +Vcs-Browser: http://svn.kibibyte.se/libspf2 +Homepage: http://www.libspf2.org/ + +Package: libspf2-dev +Section: libdevel +Architecture: any +Depends: libspf2-2 (= ${binary:Version}) +Description: Header and development libraries for libspf2 + libspf2 implements the Sender Policy Framework, a part of the SPF/SRS + protocol pair. libspf2 is a library which allows email systems such + as Sendmail, Postfix, Exim, Zmailer and MS Exchange to check SPF + records and make sure that the email is authorized by the domain name + that it is coming from. This prevents email forgery, commonly used by + spammers, scammers and email viruses/worms. + +Package: libspf2-2 +Section: libs +Architecture: any +Conflicts: libspf2-0 +Replaces: libspf2-0 +Depends: ${shlibs:Depends} +Description: library for validating mail senders with SPF + libspf2 implements the Sender Policy Framework, a part of the SPF/SRS + protocol pair. libspf2 is a library which allows email systems such + as Sendmail, Postfix, Exim, Zmailer and MS Exchange to check SPF + records and make sure that the email is authorized by the domain name + that it is coming from. This prevents email forgery, commonly used by + spammers, scammers and email viruses/worms. + +Package: spfquery +Section: mail +Architecture: any +Depends: ${shlibs:Depends} +Conflicts: libmail-spf-query-perl (<< 1:1.999.1-3) +Description: query SPF (Sender Policy Framework) to validate mail senders + The Sender Policy Framework (SPF) is one part of the SPF/SRS protocol + pair. SPF allows email systems such as Sendmail, Postfix, Exim, + Zmailer and MS Exchange to check SPF records and make sure that the + email is authorized by the domain name that it is coming from. This + prevents email forgery, commonly used by spammers, scammers and email + viruses/worms. + . + This package contains simple utilities that use libspf2 to test and + query SPF records. --- libspf2-1.2.5.dfsg.orig/debian/rules +++ libspf2-1.2.5.dfsg/debian/rules @@ -0,0 +1,17 @@ +#!/usr/bin/make -f + +SOURCE_PACKAGE = libspf2 + +include /usr/share/cdbs/1/class/autotools.mk +include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/rules/dpatch.mk + +DEB_DH_MAKESHLIBS_ARGS_libspf2-2 = -V 'libspf2-2 (>= 1.2.5)' + +binary-install/spfquery:: +# Rename the `spfquery` tool for the alternatives system: + mv debian/spfquery/usr/bin/spfquery debian/spfquery/usr/bin/spfquery.$(SOURCE_PACKAGE) + mv debian/spfquery/usr/sbin/spfd debian/spfquery/usr/sbin/spfd.$(SOURCE_PACKAGE) + +get-orig-source: + wget http://www.libspf2.org/spf/libspf2-1.2.5.tar.gz --- libspf2-1.2.5.dfsg.orig/debian/watch +++ libspf2-1.2.5.dfsg/debian/watch @@ -0,0 +1,3 @@ +version=3 + +opts=dversionmangle=s/\.dfsg$// http://www.libspf2.org/download.html spf/libspf2-(.+)\.tar\.gz --- libspf2-1.2.5.dfsg.orig/debian/libspf2-dev.README.Debian +++ libspf2-1.2.5.dfsg/debian/libspf2-dev.README.Debian @@ -0,0 +1,8 @@ +libspf2 for Debian +------------------ + +Information and more recent versions of libspf2 are available from + + http://www.libspf2.org/ + + -- Eric Dorland , Sun Jul 4 19:02:07 2004 --- libspf2-1.2.5.dfsg.orig/debian/libspf2-2.install +++ libspf2-1.2.5.dfsg/debian/libspf2-2.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/*.so.* usr/lib --- libspf2-1.2.5.dfsg.orig/debian/changelog +++ libspf2-1.2.5.dfsg/debian/changelog @@ -0,0 +1,181 @@ +libspf2 (1.2.5.dfsg-5+lenny1~bpo40+1) etch-backports; urgency=medium + + * Security rebuild for etch-backports to fix CVE-2008-2469 (buffer overflows + in DNS response parsing) + + -- Gerfried Fuchs Wed, 22 Oct 2008 11:02:43 +0200 + +libspf2 (1.2.5.dfsg-5+lenny1) testing-security; urgency=high + + * [CVE-2008-2469] 50_dns_resolv_bufoverflow.dpatch: Fix buffer overflows + in DNS response parsing. + + -- Magnus Holmgren Sun, 19 Oct 2008 22:14:18 +0200 + +libspf2 (1.2.5.dfsg-5) unstable; urgency=low + + * 43_new_explanation_url.dpatch: Bring default explanation up to date by + referring to www.openspf.org instead of spf.pobox.com. + * Add spfquery(1) manpage. + * Fix format of copyright notice in debian/copyright. + * Move upstream homepage URL to the new Homepage control field, rename + VCS control fields, and update Standards-Version. + * A few cosmetic adjustments including fixing the indentation of the + 1.2.5.dfsg-3 entry below (Closes: #465466). + * New maintainer email address. + + -- Magnus Holmgren Fri, 18 Apr 2008 17:51:28 +0200 + +libspf2 (1.2.5.dfsg-4) unstable; urgency=low + + * Added 23_spfquery_ipv6.dpatch: Make spfquery accept IPv6 addresses + (Closes: #440147). Thanks to Matthias Cramer. + * 35_untabify_help.dpatch: Make --help output of utilities less ugly by + converting tabs to spaces. + + -- Magnus Holmgren Wed, 05 Sep 2007 15:39:22 +0200 + +libspf2 (1.2.5.dfsg-3) unstable; urgency=low + + * 22_spfquery_fallback_segfault.dpatch: Fix fallback-related segfault in + spfquery (Closes: #430414). Thanks to Robert Millan. + * Correct debian/copyright (Closes: #433047). Thanks to Julian Mehnle. + * A second patch from Robert split into three: + * 40_permanent_include_errors.dpatch: Make permanent errors in + processing an include: directive cause the parent evaluation to return + a permanent error as well (Closes: #435139). + * 41_none_not_neutral.dpatch: Use a diffent explanation for + SPF_RESULT_NONE than the one for SPF_RESULT_NEUTRAL (Closes: #435140). + * 42_empty_sender.dpatch: Use the HELO identity in MAIL FROM checks if + the sender address has been set to the empty string (Closes: #431239). + * debian/control: Add XS-Vcs-* fields. + + -- Magnus Holmgren Wed, 22 Aug 2007 17:13:27 +0200 + +libspf2 (1.2.5.dfsg-2) unstable; urgency=low + + * 21_spfquery_infininte_loop.dpatch: Fix infinite loop when giving + unimplemented options to spfquery. + * 20_printf_types.dpatch: Revert to using standard conversion specifiers + without z modifiers. + * debian/watch: mangle away .dfsg from package version. + * Lower spfquery and spfd alternatives priorities to 25. + * Skip applying 01_line-endings.dpatch; it's meaningless. + + -- Magnus Holmgren Wed, 06 Jun 2007 19:31:01 +0200 + +libspf2 (1.2.5.dfsg-1) unstable; urgency=low + + * New maintainer (Closes: #372629). + * Repacked .orig.tar.gz without non-free IETF Internet Draft (Closes: + #393390). + * Merge updates from Ubuntu: + - Add debian/compat and Build-depend on debhelper >= 5. + - Add alternatives handling for /usr/bin/spfquery (Closes: #306875). + - Conflict on libmail-spf-query-perl << 1:1.999.1-3. + - Add postinst and prerm scripts. + - debian/copyright: update author address. + - debian/control: add final newline. + * debian/control: + * Change description of spfquery (Closes: #410592). + * Add homepage to package descriptions. + * Reduce Debian diff by changing line endings with sed instead. + * Further reduce Debian diff by eliminating config.sub and config.guess + from there. Build-depend on autotools-dev to ensure up-to-date + versions instead. + * The autogenerated spf_lib_version.h was put in the wrong directory, + while there was a static spf_lib_version.h in the right directory. + Fix that with some rules in debian/rules. + * Use dpatch to manage patches. + * Apply 20_64bit_types.dpatch to hopefully prevent segfaults on 64-bit + architectures (Closes: #392793). Thanks to Thomas Jacob, Carsten + Koch-Mauthe and Herbert Straub. + * 20_printf_types.dpatch: Change format strings to use the z flag, + meaning size_t, among other things. + * 30_spfd_check_unlink_failure.dpatch: Fix a typo in spfd (patch from + Thomas Jacob). + * debian/watch: added. + * Update Standards-Version to 3.7.2 without changes. + * Apply 20_spf_dns_include_std_headers.dpatch: Include arpa/nameser.h and + netdb.h from spf_dns.h instead of defining the constants needed unless + certain HAVE_ macros are defined (Closes: #405885). + * Apply 25_maxvals.dpatch, which brings certain processing limits (meant + to mitigate DoS attacks) in line with RFC 4408. Thanks to Scott + Kitterman. + * debian/control: Change libspf2-dev dependency to ${binary:Version} so + that binNMUs will work. + * Ship spfd in the spfquery package (Closes: #258360). + + -- Magnus Holmgren Sat, 24 Mar 2007 14:51:23 +0100 + +libspf2 (1.2.5-4) unstable; urgency=low + + * Orphan. + + -- Eric Dorland Mon, 20 Nov 2006 02:16:20 -0500 + +libspf2 (1.2.5-3) unstable; urgency=low + + * src/include/spf_server.h: Remove useless include to + spf_dns_internal.h. (Closes: #312145) + * debian/control: Have spfquery against libmail-spf-query-perl to work + around #306875, hopefully temporarily. + + -- Eric Dorland Sat, 30 Jul 2005 01:25:24 -0400 + +libspf2 (1.2.5-2) unstable; urgency=low + + * The "Doh, missed a soname change" release. + * debian/libspf2-0.install: Rename to libspf2-2.install. + * debian/control: + - Change libspf2-0 to libspf2-2 to reflect soname change. + (Closes: #306205) + - Add spfquery package, don't package spfd for now, can't figure + out how to make it work. This partially addresses #258360. + * debian/spfquery.install: New file. + + -- Eric Dorland Mon, 25 Apr 2005 20:07:48 -0400 + +libspf2 (1.2.5-1) unstable; urgency=low + + * New upstream release. + + -- Eric Dorland Sun, 17 Apr 2005 23:37:27 -0400 + +libspf2 (1.0.4-4) unstable; urgency=medium + + * configure, aclocal.m4: Run aclocal and autoconf to get the right code + for the libtool test to use the pass_all method on arm. (Closes: + #276516) + * Urgency medium to get this bloody thing fixed already. + + -- Eric Dorland Fri, 26 Nov 2004 00:15:04 -0500 + +libspf2 (1.0.4-3) unstable; urgency=low + + * config/ltmain.sh: Re-libtoolize again, hopefully this will fix arm + building. + + -- Eric Dorland Wed, 17 Nov 2004 13:50:50 -0500 + +libspf2 (1.0.4-2) unstable; urgency=low + + * config/ltmain.sh: Re-libtoolize. (Closes: #269936) + * configure.ac: Apply patch from Kurt Roeckx to fix build on + amd64. (Closes: #262687) + * Rerun autoconf to apply the changes. + + -- Eric Dorland Mon, 6 Sep 2004 19:36:20 -0400 + +libspf2 (1.0.4-1) unstable; urgency=low + + * New upstream release. (Closes: #261709) + + -- Eric Dorland Mon, 9 Aug 2004 00:57:49 -0400 + +libspf2 (1.0.3-1) unstable; urgency=low + + * Initial release. (Closes: #257644) + + -- Eric Dorland Fri, 2 Jul 2004 00:00:19 -0400 + --- libspf2-1.2.5.dfsg.orig/debian/spfquery.libspf2.1 +++ libspf2-1.2.5.dfsg/debian/spfquery.libspf2.1 @@ -0,0 +1,199 @@ +.\" Title: SPFQUERY +.\" Author: Magnus Holmgren +.\" Date: 2007-09-06 +.\" Manual: libspf2 manuals for Debian +.\" Source: libspf2 1.2.5 +.\" +.TH "SPFQUERY" "1" "2007-09-06" "libspf2 1.2.5" "libspf2 manuals for Debian" +.\" disable hyphenation +.nh +.SH NAME +spfquery, spfquery.libspf2 \- checks if an IP address is an SPF-authorized SMTP sender for a domain. +.SH SYNOPSIS +.ad l +.HP 9 +.B spfquery +.RB { \-i | \-\-ip } +.I ip\-address +.RB { -s | \-\-sender } +.RI [ local-part \fB@\fP] domain +.RB [{ \-h | \-\-helo } +.IR domain-name ] +.RB [ \-\-rcpt\-to +.IR email-address(es) ] +.RI [ CONTROL-OPTIONS ] +.HP 9 +.B spfquery +.RB { \-f | \-\-file } +.IR datafile " [" CONTROL-OPTIONS ] +.HP 9 +.B spfquery +.RB { \-\-help | \-v | \-\-version } +.ad b +.SH DESCRIPTION +This manual page documents briefly the +\fBspfquery\fR +command. It was written for the +Debian\*[R] distribution because the original program does not have a manual page. +.PP +\fBspfquery\fR performs Sender Policy Framework (SPF) authorization +checks based on the command-line arguments or data given in a file or +on standard input. For information on SPF see http://www.openspf.org. +. +.SH OPTIONS +Options are divided into two groups: Data options, which must be +given, though just enough of them to specify a query; and control +options, which are optional and control the local policy, behaviour +and output format of spfquery. +.PP +This programs follows the GNU \fBgetopt_long_only\fR(3) command line +syntax: Long options can be given with one or two dashes and can be +abbreviated to a prefix long enough to be non-ambiguous. If an option +starting with a single dash doesn't match a long option, it is taken +as a short option with a following parameter, if applicable. An equals +sign between the option name and the parameter is optional for both +short and long options. +.SS Data options +The +\fB\-\-file\fR option conflicts with all the other data options. The +\fB\-\-helo\fR and \fB\-\-rcpt\-to\fR are optional. +.TP +\fB\-f\fR, \fB\-\-file\fR \fIfilename\fR +Read SPF data from \fIfilename\fR. Specify \(lq-\(rq to read from standard input. +.sp +The file should consist of one line per query, each query line consisting of the IP address, sender adress, and optional HELO string, separated by spaces. +.sp +\fBNote\fP +Local parts containing spaces are currently not supported. +.TP +\fB\-i\fP, \fB\-\-ip\fP \fIip-address\fP +Specify the IP address of the remote host that is delivering the mail. +.TP +\fB\-s\fP, \fB\-\-sender\fP [\fIlocal-part\fP\fB@\fP]\fIdomain\fP +Specify the email address that was used as the envelope sender. If no +username (local part) is given, \(lqpostmaster\(rq will be assumed. +.TP +\fB\-h\fP, \fB\-\-helo\fP \fIdomain-name\fP +Specify that \fIdomain-name\fP was provided in the SMTP HELO (or EHLO) command. +.TP +\fB\-r\fP, \fB\-\-rcpt-to\fP \fIrcpt-address\fP[,\fIrcpt-address\fP,...] +Specify the recipients as comma-separated list. Any secondary mail exchangers of all +recipient domains are automatically authorized. +. +.SS Control options +.TP +\fB\-d\fP, \fB\-\-debug\fP[\fB=\fP\fIlevel\fP] +Turn on debugging output. +.TP +\fB\-l\fP, \fB\-\-local\fP \fIspf\-terms\fP +Test against \fIspf\-terms\fR before the final (implicit or explicit) +\(lqall\(rq in an SPF record. This can be used to implement a local policy for whitelisting. +.TP +\fB\-t, \fB\-\-trusted\fR [\fB1\fR] +Check the sender domain with trusted\-forwarder.org. +\fBThis is a non\-standard feature.\fR +.TP +\fB\-t\fP \fB0\fP, \fB\-\-trusted\fR \fB0\fP +Do not check the sender domain with trusted\-forwarder.org. This is the default. +.TP +\fB\-g\fP, \fB\-\-guess\fP \fIspf-mechanisms\fP +Test the sender domain against \fIspf\-mechanisms\fP if the domain has no SPF record. +.TP +\fB\-e\fP, \fB\-\-default\-explanation\fP \fIstring\fP +Default explanation string to use if the SPF record does not specify an expla\%nation string itself. +.TP +\fB\-m\fP, \fB\-\-max\-lookup\fP \fInumber\fP +Maximum number of DNS lookups to allow. +.TP +\fB\-c\fP, \fB\-\-sanitize\fP [\fB0\fP|\fB1\fP] +Do [not] sanitize the output by condensing conse\%cutive white\%space +into a single space and replacing non-printable characters with +question marks. Enabled by default. +.TP +\fB\-n\fP, \fB\-\-name\fP \fIhostname\fP +Use +\fIhostname\fP +as the name of the local system instead of +\(lqspfquery\(rq +(the name is used in the output). +.TP +\fB\-k\fP, \fB\-\-keep\-comments\fP +Print comments found when reading from a file. +.TP +\fB\-a\fP, \fB\-\-override\fP \fI...\fP +.TP +\fB\-z\fP, \fB\-\-fallback\fP \fI...\fP +Provide override and fallback SPF records for certain domains. +\fBNot implemented yet.\fP +\fBspfquery\fP +would act as if the speci\%fied records were present before and after any existing record, respectively, of those domains. +.TP +\fB\-\-help\fP +Show summary of options. +.TP +\fB\-v\fP, \fB\-\-version\fP +Show version of program. +.SH DIAGNOSTICS +The output ordinarily consists of four lines: +.IP 1. 4 +the \fIresult code\fP; +.IP 2. 4 +the \fIexplanation\fP, suitable for use in an SMTP response message, empty +except when a rejection (permanent or temporary) makes sense; +.IP 3. 4 +the header comment on its own; +.IP 4. 4 +the Received\-SPF header field as defined in RFC 4408 section 7, +incorporating the header comment. +.PP +If errors (including no SPF record found!) occur during processing, +one or more error blocks will be prepended. +These start with \(lqStartError\(lq and end with \(lqEndError\(lq. +.PP +The result codes and their corresponding exit codes are as follows: +.TP +.B 1 \(en neutral +The sender domain explicitly makes no assertion about the \fIip-address\fP. +This result must be interpreted exactly as if no SPF record at all existed. +.TP +.B 2 \(en pass +The \fIip-address\fP is authorized to send mail for the sender domain. +.TP +.B 3 \(en fail +The \fIip-address\fP is \fBunauthorized\fP to send mail for the sender domain. +.TP +.B 4 \(en softfail +The \fIip-address\fP is not authorized to send mail for the sender domain, but +the sender domain cannot or does not wish to make a strong assertion that no such mail can +ever come from it. +.TP +.B 5 \(en none +No SPF record was found. +.TP +.BR "6 \(en error" " (temporary)" +A transient error occurred (e.g. failure to reach a DNS server), preventing a +result from being reached. +.TP +.BR "7 \(en unknown" " (permanent error)" +One or more SPF records could not be interpreted. +.SH EXAMPLES +.nf +spfquery \-ip=11.22.33.44 \-sender=user@aol.com \-helo=spammer.tld +spfquery \-f test_data +echo "127.0.0.1 myname@mydomain.com helohost.com" | spfquery \-f \- +.fi +.SH SEE ALSO +\fBspftest\fR(1), \fBspfd\fR(8) +.SH AUTHOR +\fBspfquery\fP was written by Wayne Schlitt. +.PP +This manual page was written by Magnus Holmgren for the Debian\*[R] +system (but may be used by others). Heavily inspired by the spfquery manpage of +libmail\-spf\-query\-perl (\fBspfquery.mail\-spf\-query\-perl\fR(1)) by Julian Mehnle. +Also based on the command\-line help of spfquery. +.SH COPYRIGHT +Copyright \(co 2007 Magnus Holmgren. Permission is granted to copy, +distribute and/or modify this document under the terms of the BSD +License. +.PP +On Debian systems, the complete text of the BSD License can be found in /usr/share/common\-licenses/BSD. --- libspf2-1.2.5.dfsg.orig/debian/spfquery.install +++ libspf2-1.2.5.dfsg/debian/spfquery.install @@ -0,0 +1,4 @@ +debian/tmp/usr/bin/spfquery usr/bin +debian/tmp/usr/bin/spftest usr/bin +debian/tmp/usr/bin/spf_example usr/bin +debian/tmp/usr/bin/spfd usr/sbin --- libspf2-1.2.5.dfsg.orig/debian/spfquery.prerm +++ libspf2-1.2.5.dfsg/debian/spfquery.prerm @@ -0,0 +1,14 @@ +#!/bin/sh -e + +mode=$1 + +source_package=libspf2 + +case "$mode" in + remove ) + update-alternatives --remove spfquery /usr/bin/spfquery.$source_package + update-alternatives --remove spfd /usr/sbin/spfd.$source_package + ;; +esac + +#DEBHELPER# --- libspf2-1.2.5.dfsg.orig/debian/compat +++ libspf2-1.2.5.dfsg/debian/compat @@ -0,0 +1 @@ +5 --- libspf2-1.2.5.dfsg.orig/debian/README.Debian +++ libspf2-1.2.5.dfsg/debian/README.Debian @@ -0,0 +1,22 @@ +libspf2 for Debian +================== + +Debian's version of libspf2 does a couple of things slightly +differently compared to the upstream version (usually meaning: more +RFC-compliantly). You can always see all applied patches by +downloading the source package and looking in the debian/patches +subdirectory. All patches should also be mentioned in the Debian +changelog. Some deserve further comment, though: + +* 42_empty_sender.dpatch changes SPF_request_set_env_sender() so that + if called with an empty envelope sender, the envelope sender in the + SPF_request_struct structure will be set to the HELO identity + instead ("postmaster@" + the HELO domain), provided that + SPF_request_set_helo_dom() has been called beforehand. This should + improve behaviour of applications that (incorrectly) call + SPF_request_set_env_sender() with an empty envelope sender address. + However, applications SHOULD NOT RELY ON THIS, but should check if + the envelope sender address is empty, and in that case pass the HELO + identity instead, or use the result of an earlier HELO check. + + -- Magnus Holmgren , Wed, 22 Aug 2007 17:10:07 +0200 --- libspf2-1.2.5.dfsg.orig/debian/spfquery.postinst +++ libspf2-1.2.5.dfsg/debian/spfquery.postinst @@ -0,0 +1,17 @@ +#!/bin/sh -e + +mode=$1 + +source_package=libspf2 + +case "$mode" in + configure ) + prev_version=$2 + + update-alternatives --install /usr/bin/spfquery spfquery /usr/bin/spfquery.$source_package 25 \ + --slave /usr/share/man/man1/spfquery.1.gz spfquery.1.gz /usr/share/man/man1/spfquery.$source_package.1.gz + update-alternatives --install /usr/sbin/spfd spfd /usr/sbin/spfd.$source_package 25 + ;; +esac + +#DEBHELPER# --- libspf2-1.2.5.dfsg.orig/debian/spfquery.manpages +++ libspf2-1.2.5.dfsg/debian/spfquery.manpages @@ -0,0 +1 @@ +debian/spfquery.libspf2.1 --- libspf2-1.2.5.dfsg.orig/debian/copyright +++ libspf2-1.2.5.dfsg/debian/copyright @@ -0,0 +1,20 @@ +This package was debianized by Eric Dorland on +Sun, 04 Jul 2004 19:00:36 -0400 + +The current maintainer is Magnus Holmgren . + +It was downloaded from http://www.libspf2.org/ + +Upstream Author: Wayne Schlitt + +Copyright: + +Software copyright © 2004-2005 Wayne Schlitt and +Shevek + +You are free to distribute this software under the terms of the GNU Lesser +General Public License version 2.1 or the BSD license, at your choice. + +On Debian systems, the complete text of the GNU Lesser General Public +License can be found in the file `/usr/share/common-licenses/LGPL-2.1' and +the BSD license can be found in the file `/usr/share/common-licenses/BSD'. --- libspf2-1.2.5.dfsg.orig/debian/README.Debian-source +++ libspf2-1.2.5.dfsg/debian/README.Debian-source @@ -0,0 +1,16 @@ +The upstream tarball has been repackaged because it contained non-free +material in the form of an (obsolete) IETF Internet Draft +(draft-mengwong-spf-00.txt in the docs subdirectory). As far as I can +see It's non-free because it doesn't contain any copyright information +at all, thereby defaulting to "all right reserved" in most +jurisdictions. + +Current SPF specifications can be found at +. + +To download the original tarball use `debian/rules get-orig-source' or +go to (beware that running +debian/rules outside the package directory can have unwanted side +effects due to CDBS). + + -- Magnus Holmgren Fri, 23 Mar 2007 16:44:20 +0100 --- libspf2-1.2.5.dfsg.orig/debian/libspf2-dev.install +++ libspf2-1.2.5.dfsg/debian/libspf2-dev.install @@ -0,0 +1,4 @@ +debian/tmp/usr/lib/*.so usr/lib +debian/tmp/usr/lib/*.a usr/lib +debian/tmp/usr/lib/*.la usr/lib +debian/tmp/usr/include/* usr/include --- libspf2-1.2.5.dfsg.orig/debian/patches/21_spfquery_infininte_loop.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/21_spfquery_infininte_loop.dpatch @@ -0,0 +1,21 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 21_spfquery_infininte_loop.dpatch by Magnus Holmgren +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix infinite loop in spfquery.c:unimplemented(). + +@DPATCH@ +diff -urNad libspf2-1.2.5.dfsg~/src/spfquery/spfquery.c libspf2-1.2.5.dfsg/src/spfquery/spfquery.c +--- libspf2-1.2.5.dfsg~/src/spfquery/spfquery.c 2005-02-22 03:36:55.000000000 +0100 ++++ libspf2-1.2.5.dfsg/src/spfquery/spfquery.c 2007-03-24 22:28:15.000000000 +0100 +@@ -174,9 +174,7 @@ + struct option *opt; + int i; + +- i = 0; +- opt = &long_options[i]; +- while (opt->name) { ++ for (i = 0; (opt = &long_options[i])->name; i++) { + if (flag == opt->val) { + fprintf(stderr, "Unimplemented option: -%s or -%c\n", + opt->name, flag); --- libspf2-1.2.5.dfsg.orig/debian/patches/30_spfd_check_unlink_failure.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/30_spfd_check_unlink_failure.dpatch @@ -0,0 +1,20 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 30_spfd_check_unlink_failure.dpatch by Thomas Jacob +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix a call to unlink() in spfd.c. It passed 'path < 0' as the argument +## DP: instead of checking whether the return value < 0. + +@DPATCH@ + +--- libspf2-1.2.5/src/spfd/spfd.c 2005-02-19 03:40:35.000000000 +0100 ++++ libspf2-1.2.5-amd64/src/spfd/spfd.c 2007-03-08 21:17:09.000000000 +0100 +@@ -640,7 +640,7 @@ + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + strcpy(addr.sun_path, spfd_config.path); +- if (unlink(spfd_config.path < 0)) { ++ if (unlink(spfd_config.path) < 0) { + if (errno != ENOENT) { + perror("unlink"); + DIE("Failed to unlink socket"); --- libspf2-1.2.5.dfsg.orig/debian/patches/22_spfquery_fallback_segfault.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/22_spfquery_fallback_segfault.dpatch @@ -0,0 +1,45 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 22_spfquery_fallback_segfault.dpatch by Robert Millan +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix segfault with malformed -guess argument + +@DPATCH@ + +diff -ur libspf2-1.2.5.dfsg.old/src/spfquery/spfquery.c libspf2-1.2.5.dfsg/src/spfquery/spfquery.c +--- libspf2-1.2.5.dfsg.old/src/spfquery/spfquery.c 2005-02-22 03:36:55.000000000 +0100 ++++ libspf2-1.2.5.dfsg/src/spfquery/spfquery.c 2007-06-24 13:17:34.000000000 +0200 +@@ -341,6 +341,7 @@ + SPF_request_t *spf_request = NULL; + SPF_response_t *spf_response = NULL; + SPF_response_t *spf_response_2mx = NULL; ++ SPF_response_t *spf_response_fallback = NULL; + SPF_errcode_t err; + + char *opt_file = NULL; +@@ -670,20 +671,20 @@ + /* We now have an option to call SPF_request_query_fallback */ + if (opts->fallback) { + err = SPF_request_query_fallback(spf_request, +- &spf_response, opts->fallback); ++ &spf_response_fallback, opts->fallback); + if (opts->debug) +- response_print("fallback query", spf_response_2mx); ++ response_print("fallback query", spf_response_fallback); + if (err) { + response_print_errors("Failed to query best-guess", +- spf_response, err); ++ spf_response_fallback, err); + CONTINUE_ERROR; + } + + /* append the result */ +- APPEND_RESULT(SPF_response_result(spf_response_2mx)); ++ APPEND_RESULT(SPF_response_result(spf_response_fallback)); + + spf_response = SPF_response_combine(spf_response, +- spf_response_2mx); ++ spf_response_fallback); + } + + printf( "%s\n%s\n%s\n%s\n", --- libspf2-1.2.5.dfsg.orig/debian/patches/23_spfquery_ipv6.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/23_spfquery_ipv6.dpatch @@ -0,0 +1,20 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 23_spfquery_ipv6.dpatch by Matthias Cramer +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Make spfquery accept IPv6 addresses + +@DPATCH@ + +--- libspf2-1.2.5.orig/src/spfquery/spfquery.c 2005-02-22 03:36:55.000000000 +0100 ++++ libspf2-1.2.5.dfsg/src/spfquery/spfquery.c 2007-08-30 09:39:32.000000000 +0200 +@@ -604,7 +602,8 @@ + + spf_request = SPF_request_new(spf_server); + +- if (SPF_request_set_ipv4_str(spf_request, req->ip)) { ++ if (SPF_request_set_ipv4_str(spf_request, req->ip) ++ && SPF_request_set_ipv6_str(spf_request, req->ip)) { + printf( "Invalid IP address.\n" ); + CONTINUE_ERROR; + --- libspf2-1.2.5.dfsg.orig/debian/patches/50_dns_resolv_bufoverflow.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/50_dns_resolv_bufoverflow.dpatch @@ -0,0 +1,325 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 50_permanent_include_errors.dpatch by Shevek , edited by Magnus Holmgren +## +## DP: Fix CVE-2008-2469 - buffer overflows handling DNS responses. + +@DPATCH@ + +--- libspf2/src/libspf2/spf_dns_resolv.c.orig 2008-09-20 19:36:57.000000000 +0200 ++++ libspf2/src/libspf2/spf_dns_resolv.c 2008-09-20 19:39:08.000000000 +0200 +@@ -110,7 +110,8 @@ + int nrec; + int cnt; + +- u_char response[2048]; ++ u_char *responsebuf; ++ size_t responselen; + + int dns_len; + +@@ -127,11 +128,13 @@ + char name_buf[ NS_MAXDNAME ]; + int prio; + +- int rdlen; +- const u_char *rdata, *rdata_end; ++ size_t rdlen; ++ const u_char *rdata; + ++#if HAVE_DECL_RES_NINIT + void *res_spec; + struct __res_state *res_state; ++#endif + + SPF_ASSERT_NOTNULL(spf_dns_server); + +@@ -140,10 +143,12 @@ + SPF_ASSERT_NOTNULL(spfhook); + #endif + ++#if HAVE_DECL_RES_NINIT + res_spec = pthread_getspecific(res_state_key); + if (res_spec == NULL) { + res_state = (struct __res_state *) + malloc(sizeof(struct __res_state)); ++ memset(res_state, 0, sizeof(struct __res_state)); + if (res_ninit(res_state) != 0) { + SPF_error("Failed to call res_ninit()"); + } +@@ -152,20 +157,45 @@ + else { + res_state = (struct __res_state *)res_spec; + } ++#endif ++ ++ responselen = 2048; ++ responsebuf = (u_char *)malloc(responselen); ++ memset(responsebuf, 0, responselen); ++ ++ /* ++ * Retry the lookup until our response buffer is big enough. ++ * ++ * This loop repeats until either we fail a lookup or we succeed. ++ * The size of the response buffer is monotonic increasing, so eventually we ++ * must either succeed, or we try to malloc more RAM than we can. ++ * ++ * The Linux man pages do not describe res_nquery adequately. Solaris says: ++ * ++ * The res_nquery() and res_query() routines return a length that may be bigger ++ * than anslen. In that case, retry the query with a larger buf. The answer to the ++ * second query may be larger still], so it is recommended that you supply a buf ++ * larger than the answer returned by the previous query. answer must be large ++ * enough to receive a maximum UDP response from the server or parts of the answer ++ * will be silently discarded. The default maximum UDP response size is 512 bytes. ++ */ ++ for (;;) { + + /* + * try resolving the name + */ + #if HAVE_DECL_RES_NINIT + dns_len = res_nquery(res_state, domain, ns_c_in, rr_type, +- response, sizeof(response)); ++ responsebuf, responselen); + #else + dns_len = res_query(domain, ns_c_in, rr_type, +- response, sizeof(response)); ++ responsebuf, responselen); + #endif + + if ( dns_len < 0 ) { ++ /* We failed to perform a lookup. */ + /* This block returns unconditionally. */ ++ free(responsebuf); + if ( spf_dns_server->debug ) + SPF_debugf( "query failed: err = %d %s (%d): %s", + dns_len, hstrerror( SPF_h_errno ), SPF_h_errno, +@@ -178,6 +208,25 @@ + return SPF_dns_rr_new_init(spf_dns_server, + domain, rr_type, 0, SPF_h_errno); + } ++ else if (dns_len > responselen) { ++ /* We managed a lookup but our buffer was too small. */ ++ responselen = dns_len + (dns_len >> 1); ++#if 0 ++ /* Sanity-trap - we should never hit this. */ ++ if (responselen > 1048576) { /* One megabyte. */ ++ free(responsebuf); ++ return SPF_dns_rr_new_init(spf_dns_server, ++ domain, rr_type, 0, SPF_h_errno); ++ } ++#endif ++ responsebuf = realloc(responsebuf, responselen); ++ } ++ else { ++ /* We managed a lookup, and our buffer was large enough. */ ++ responselen = dns_len; ++ break; ++ } ++ } + + /* + * initialize stuff +@@ -185,12 +234,13 @@ + spfrr = SPF_dns_rr_new_init(spf_dns_server, + domain, rr_type, 0, NETDB_SUCCESS); + +- err = ns_initparse( response, dns_len, &ns_handle ); ++ err = ns_initparse(responsebuf, responselen, &ns_handle); + + if ( err < 0 ) { /* 0 or -1 */ + if ( spf_dns_server->debug ) + SPF_debugf( "ns_initparse failed: err = %d %s (%d)", + err, strerror( errno ), errno ); ++ free(responsebuf); + return spfrr; + } + +@@ -226,6 +276,7 @@ + if ( spf_dns_server->debug > 1 ) + SPF_debugf( "ns_parserr failed: err = %d %s (%d)", + err, strerror( errno ), errno ); ++ free(responsebuf); + return spfrr; + } + +@@ -257,8 +308,8 @@ + break; + + case ns_t_ns: +- err = ns_name_uncompress( response, +- response + sizeof( response ), ++ err = ns_name_uncompress( responsebuf, ++ responsebuf + responselen, + rdata, + name_buf, sizeof( name_buf ) ); + if ( err < 0 ) /* 0 or -1 */ +@@ -271,8 +322,8 @@ + break; + + case ns_t_cname: +- err = ns_name_uncompress( response, +- response + sizeof( response ), ++ err = ns_name_uncompress( responsebuf, ++ responsebuf + responselen, + rdata, + name_buf, sizeof( name_buf ) ); + if ( err < 0 ) /* 0 or -1 */ +@@ -286,8 +337,8 @@ + + case ns_t_mx: + prio = ns_get16( rdata ); +- err = ns_name_uncompress( response, +- response + sizeof( response ), ++ err = ns_name_uncompress( responsebuf, ++ responsebuf + sizeof( responselen ), + rdata + NS_INT16SZ, + name_buf, sizeof( name_buf ) ); + if ( err < 0 ) /* 0 or -1 */ +@@ -300,14 +351,13 @@ + break; + + case ns_t_txt: +- rdata_end = rdata + rdlen; + SPF_debugf( "TXT: (%d) \"%.*s\"", + rdlen, rdlen-1, rdata+1 ); + break; + + case ns_t_ptr: +- err = ns_name_uncompress( response, +- response + sizeof( response ), ++ err = ns_name_uncompress( responsebuf, ++ responsebuf + responselen, + rdata, + name_buf, sizeof( name_buf ) ); + if ( err < 0 ) /* 0 or -1 */ +@@ -341,18 +391,21 @@ + { + case ns_t_a: + if ( SPF_dns_rr_buf_realloc( spfrr, cnt, +- sizeof( spfrr->rr[cnt]->a ) ) != SPF_E_SUCCESS ) ++ sizeof(spfrr->rr[cnt]->a)) != SPF_E_SUCCESS) { ++ free(responsebuf); + return spfrr; +- memmove( &spfrr->rr[cnt]->a, rdata, sizeof( spfrr->rr[cnt]->a ) ); ++ } ++ memcpy(&spfrr->rr[cnt]->a, rdata, sizeof(spfrr->rr[cnt]->a)); + cnt++; + break; + + case ns_t_aaaa: + if ( SPF_dns_rr_buf_realloc( spfrr, cnt, +- sizeof( spfrr->rr[cnt]->aaaa ) ) != SPF_E_SUCCESS ) ++ sizeof(spfrr->rr[cnt]->aaaa)) != SPF_E_SUCCESS) { ++ free(responsebuf); + return spfrr; +- memmove( &spfrr->rr[cnt]->aaaa, rdata, sizeof( spfrr->rr[cnt]->aaaa ) ); +- ++ } ++ memcpy(&spfrr->rr[cnt]->aaaa, rdata, sizeof(spfrr->rr[cnt]->aaaa)); + cnt++; + break; + +@@ -364,8 +417,8 @@ + break; + + case ns_t_mx: +- err = ns_name_uncompress( response, +- response + sizeof( response ), ++ err = ns_name_uncompress(responsebuf, ++ responsebuf + responselen, + rdata + NS_INT16SZ, + name_buf, sizeof( name_buf ) ); + if ( err < 0 ) /* 0 or -1 */ +@@ -373,12 +426,15 @@ + if ( spf_dns_server->debug > 1 ) + SPF_debugf( "ns_name_uncompress failed: err = %d %s (%d)", + err, strerror( errno ), errno ); ++ free(responsebuf); + return spfrr; + } + + if ( SPF_dns_rr_buf_realloc( spfrr, cnt, +- strlen( name_buf ) + 1 ) != SPF_E_SUCCESS ) ++ strlen(name_buf) + 1 ) != SPF_E_SUCCESS) { ++ free(responsebuf); + return spfrr; ++ } + strcpy( spfrr->rr[cnt]->mx, name_buf ); + + cnt++; +@@ -390,8 +446,12 @@ + u_char *src, *dst; + size_t len; + +- if ( SPF_dns_rr_buf_realloc( spfrr, cnt, rdlen ) != SPF_E_SUCCESS ) ++ /* Just rdlen is enough because there is at least one ++ * length byte. */ ++ if (SPF_dns_rr_buf_realloc(spfrr, cnt, rdlen) != SPF_E_SUCCESS) { ++ free(responsebuf); + return spfrr; ++ } + + dst = (u_char *)(spfrr->rr[cnt]->txt); + len = 0; +@@ -400,15 +460,22 @@ + { + len = *src; + src++; ++ rdlen--; ++ ++ /* Avoid buffer overrun if len is junk. */ ++ if (len > rdlen) ++ len = rdlen; + memcpy( dst, src, len ); + dst += len; + src += len; +- rdlen -= len + 1; ++ rdlen -= len; + } + *dst = '\0'; + } else { +- if ( SPF_dns_rr_buf_realloc( spfrr, cnt, 1 ) != SPF_E_SUCCESS ) ++ if (SPF_dns_rr_buf_realloc(spfrr, cnt, 1) != SPF_E_SUCCESS) { ++ free(responsebuf); + return spfrr; ++ } + spfrr->rr[cnt]->txt[0] = '\0'; + } + +@@ -416,8 +483,8 @@ + break; + + case ns_t_ptr: +- err = ns_name_uncompress( response, +- response + sizeof( response ), ++ err = ns_name_uncompress(responsebuf, ++ responsebuf + responselen, + rdata, + name_buf, sizeof( name_buf ) ); + if ( err < 0 ) /* 0 or -1 */ +@@ -425,12 +492,15 @@ + if ( spf_dns_server->debug > 1 ) + SPF_debugf( "ns_name_uncompress failed: err = %d %s (%d)", + err, strerror( errno ), errno ); ++ free(responsebuf); + return spfrr; + } + + if ( SPF_dns_rr_buf_realloc( spfrr, cnt, +- strlen( name_buf ) + 1 ) != SPF_E_SUCCESS ) ++ strlen(name_buf) + 1) != SPF_E_SUCCESS) { ++ free(responsebuf); + return spfrr; ++ } + strcpy( spfrr->rr[cnt]->ptr, name_buf ); + + cnt++; +@@ -447,6 +517,7 @@ + if ( spfrr->num_rr == 0 ) + spfrr->herrno = NO_DATA; + ++ free(responsebuf); + return spfrr; + } + --- libspf2-1.2.5.dfsg.orig/debian/patches/41_none_not_neutral.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/41_none_not_neutral.dpatch @@ -0,0 +1,48 @@ +#!/bin/sh /usr/share/dpatch/dpatch-run +## 41_none_not_neutral.dpatch by Robert Millan , edited by Magnus Holmgren +## +## DP: Differentiate between SPF_RESULT_NONE and +## DP: SPF_RESULT_NEUTRAL in the header comment. + +@DPATCH@ + +diff -ur libspf2-1.2.5.dfsg.old/src/libspf2/spf_interpret.c libspf2-1.2.5.dfsg/src/libspf2/spf_interpret.c +--- libspf2-1.2.5.dfsg.old/src/libspf2/spf_interpret.c 2005-02-22 04:41:27.000000000 +0100 ++++ libspf2-1.2.5.dfsg/src/libspf2/spf_interpret.c 2007-07-01 01:03:17.000000000 +0200 +@@ -214,11 +226,15 @@ + break; + + case SPF_RESULT_NEUTRAL: +- case SPF_RESULT_NONE: + snprintf( p, p_end - p, "%s is neither permitted nor denied by %s", + ip, spf_source ); + break; + ++ case SPF_RESULT_NONE: ++ snprintf( p, p_end - p, "%s does not provide an SPF record", ++ spf_source ); ++ break; ++ + case SPF_RESULT_TEMPERROR: + snprintf( p, p_end - p, "encountered temporary error during SPF processing of %s", + spf_source ); +diff -ur libspf2-1.2.5.dfsg.old/src/libspf2/spf_result.c libspf2-1.2.5.dfsg/src/libspf2/spf_result.c +--- libspf2-1.2.5.dfsg.old/src/libspf2/spf_result.c 2004-08-10 15:04:02.000000000 +0200 ++++ libspf2-1.2.5.dfsg/src/libspf2/spf_result.c 2007-07-01 01:03:29.000000000 +0200 +@@ -187,11 +197,15 @@ + break; + + case SPF_RESULT_NEUTRAL: +- case SPF_RESULT_NONE: + snprintf( p, p_end - p, "%s is neither permitted nor denied by %s", + ip, spf_source ); + break; + ++ case SPF_RESULT_NONE: ++ snprintf( p, p_end - p, "%s does not provide an SPF record", ++ spf_source ); ++ break; ++ + case SPF_RESULT_ERROR: + snprintf( p, p_end - p, "encountered temporary error during SPF processing of %s", + spf_source ); --- libspf2-1.2.5.dfsg.orig/debian/patches/25_maxvals.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/25_maxvals.dpatch @@ -0,0 +1,61 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 25_maxvals.dpatch by Thomas Jacob +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Bring certain processing limits (meant to mitigate DoS attacks) in line +## DP: with RFC 4408. + +@DPATCH@ + +diff -ruN libspf2-1.2.5/src/include/spf.h libspf2-1.2.5.patched/src/include/spf.h +--- libspf2-1.2.5/src/include/spf.h 2005-02-17 01:56:55.000000000 +0100 ++++ libspf2-1.2.5.patched/src/include/spf.h 2007-03-14 16:58:21.000000000 +0100 +@@ -52,8 +52,8 @@ + + /* FYI only -- defaults can't be changed without recompiling the library */ + #define SPF_DEFAULT_MAX_DNS_MECH 10 /* DoS limit on SPF mechanisms */ +-#define SPF_DEFAULT_MAX_DNS_PTR 5 /* DoS limit on PTR records */ +-#define SPF_DEFAULT_MAX_DNS_MX 5 /* DoS limit on MX records */ ++#define SPF_DEFAULT_MAX_DNS_PTR 10 /* DoS limit on PTR records */ ++#define SPF_DEFAULT_MAX_DNS_MX 10 /* DoS limit on MX records */ + #define SPF_DEFAULT_SANITIZE 1 + #define SPF_DEFAULT_WHITELIST "include:spf.trusted-forwarder.org" + #define SPF_EXP_MOD_NAME "exp-text" +diff -ruN libspf2-1.2.5/src/include/spf_internal.h libspf2-1.2.5.patched/src/include/spf_internal.h +--- libspf2-1.2.5/src/include/spf_internal.h 2005-02-24 05:10:49.000000000 +0100 ++++ libspf2-1.2.5.patched/src/include/spf_internal.h 2007-03-14 16:58:04.000000000 +0100 +@@ -57,13 +57,13 @@ + /* It is a bad idea to change this for the same reasons as mentioned + * above for SPF_MAX_DNS_MECH + */ +-#define SPF_MAX_DNS_PTR 5 ++#define SPF_MAX_DNS_PTR 10 + #endif + #ifndef SPF_MAX_DNS_MX + /* It is a bad idea to change this for the same reasons as mentioned + * above for SPF_MAX_DNS_MECH + */ +-#define SPF_MAX_DNS_MX 5 ++#define SPF_MAX_DNS_MX 10 + #endif + + #if 1 +diff -ruN libspf2-1.2.5/src/include/spf_server.h libspf2-1.2.5.patched/src/include/spf_server.h +--- libspf2-1.2.5/src/include/spf_server.h 2004-09-29 12:33:09.000000000 +0200 ++++ libspf2-1.2.5.patched/src/include/spf_server.h 2007-03-14 16:58:54.000000000 +0100 +@@ -44,13 +44,13 @@ + /* It is a bad idea to change this for the same reasons as mentioned + * above for SPF_MAX_DNS_MECH + */ +-#define SPF_MAX_DNS_PTR 5 ++#define SPF_MAX_DNS_PTR 10 + #endif + #ifndef SPF_MAX_DNS_MX + /* It is a bad idea to change this for the same reasons as mentioned + * above for SPF_MAX_DNS_MECH + */ +-#define SPF_MAX_DNS_MX 5 ++#define SPF_MAX_DNS_MX 10 + #endif + + struct SPF_server_struct { --- libspf2-1.2.5.dfsg.orig/debian/patches/20_spf_server_unnecessary_include.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/20_spf_server_unnecessary_include.dpatch @@ -0,0 +1,18 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 20_spf_server_unnecessary_include.dpatch by Magnus Holmgren +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: src/include/spf_server.h: Remove useless include of spf_dns_internal.h. + +@DPATCH@ + +--- libspf2-1.2.5.dfsg.orig/src/include/spf_server.h ++++ libspf2-1.2.5.dfsg/src/include/spf_server.h +@@ -20,7 +20,6 @@ + + #include "spf_record.h" + #include "spf_dns.h" +-#include "spf_dns_internal.h" + + #ifndef SPF_MAX_DNS_MECH + /* It is a bad idea to change this for two reasons. --- libspf2-1.2.5.dfsg.orig/debian/patches/00list +++ libspf2-1.2.5.dfsg/debian/patches/00list @@ -0,0 +1,17 @@ +#01_line-endings +02_wrong_lib_version_h +20_64bit_types +20_printf_types +20_spf_dns_include_std_headers +20_spf_server_unnecessary_include +21_spfquery_infininte_loop +22_spfquery_fallback_segfault +23_spfquery_ipv6 +25_maxvals +30_spfd_check_unlink_failure +35_untabify_help +40_permanent_include_errors +41_none_not_neutral +42_empty_sender +43_new_explanation_url +50_dns_resolv_bufoverflow --- libspf2-1.2.5.dfsg.orig/debian/patches/43_new_explanation_url.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/43_new_explanation_url.dpatch @@ -0,0 +1,20 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 43_new_explanation_url.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Bring default explanation up to date by referring to +## DP: www.openspf.org instead of spf.pobox.com. + +@DPATCH@ +diff -urNad trunk~/src/include/spf.h trunk/src/include/spf.h +--- trunk~/src/include/spf.h 2007-09-06 13:57:32.000000000 +0200 ++++ trunk/src/include/spf.h 2007-09-06 13:58:59.000000000 +0200 +@@ -57,7 +57,7 @@ + #define SPF_DEFAULT_SANITIZE 1 + #define SPF_DEFAULT_WHITELIST "include:spf.trusted-forwarder.org" + #define SPF_EXP_MOD_NAME "exp-text" +-#define SPF_DEFAULT_EXP "Please see http://spf.pobox.com/why.html?sender=%{S}&ip=%{C}&receiver=%{R}" ++#define SPF_DEFAULT_EXP "Please see http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}" + + + --- libspf2-1.2.5.dfsg.orig/debian/patches/35_untabify_help.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/35_untabify_help.dpatch @@ -0,0 +1,25 @@ +#!/bin/sh +## 35_untabify_help.dpatch by Magnus Holmgren +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Tidy up --help messages by converting tabs to four spaces (" "). + +FILES_TO_PROCESS="src/spfquery/spfquery.c + src/spftest/spftest.c + src/spf_example/spf_example.c" + +dpatch_patch() { + # Change line endings to LF in files with CRLF + perl -pi -e 's/("[^"]*?)\t/$1 / and redo;' $FILES_TO_PROCESS +} + +dpatch_unpatch() { + # Change line endings back to CRLF in files that had it in the tarball + # Unfortunately there are exceptions ... have to watch out for changes + # in future upstream versions (or simply make backups instead). + perl -pi -e 's/("[^"]*?) /$1\t/ and redo;' $FILES_TO_PROCESS +} + +DPATCH_LIB_NO_DEFAULT=1 + +. /usr/share/dpatch/dpatch.lib.sh --- libspf2-1.2.5.dfsg.orig/debian/patches/20_spf_dns_include_std_headers.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/20_spf_dns_include_std_headers.dpatch @@ -0,0 +1,60 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 20_spf_dns_include_std_headers.dpatch by Magnus Holmgren +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Include arpa/nameser.h and netdb.h from spf_dns.h instead of defining +## DP: the constants needed unless certain HAVE_ macros are defined. + +@DPATCH@ + +diff -Nur libspf2-1.2.5.dfsg/src/include/spf_dns.h libspf2-1.2.5.dfsg.new/src/include/spf_dns.h +--- libspf2-1.2.5.dfsg/src/include/spf_dns.h 2004-08-29 16:59:33.000000000 +0200 ++++ libspf2-1.2.5.dfsg.new/src/include/spf_dns.h 2007-03-23 18:04:17.000000000 +0100 +@@ -61,43 +61,12 @@ + * + */ + +- +-/* +- * For those who don't have ++/* The following two header files might not exist on all platforms, ++ * but at least they exist on Debian with libc6. + */ ++#include ++#include + +-#if !defined( HAVE_NS_TYPE ) +- +-#define ns_t_invalid 0 +-#define ns_t_a 1 +-#define ns_t_ns 2 +-#define ns_t_cname 5 +-#define ns_t_ptr 12 +-#define ns_t_mx 15 +-#define ns_t_txt 16 +-#define ns_t_aaaa 28 +-/* #define ns_t_a6 38 */ +-#define ns_t_any 255 /* Wildcard match. */ +- +-typedef int ns_type; +-#endif +- +-#ifndef ns_t_invalid +-#define ns_t_invalid 0 +-#endif +- +- +-/* +- * For those who don't have +- */ +- +-#if !defined(HAVE_NETDB_H) && !defined(_WIN32) +-#define NETDB_SUCCESS 0 +-#define HOST_NOT_FOUND 1 /* NXDOMAIN (authoritative answer)*/ +-#define TRY_AGAIN 2 /* SERVFAIL (no authoritative answer)*/ +-#define NO_RECOVERY 3 /* invalid/unimplmeneted query */ +-#define NO_DATA 4 /* host found, but no RR of req type*/ +-#endif + typedef int SPF_dns_stat_t; + + typedef struct SPF_dns_server_struct SPF_dns_server_t; --- libspf2-1.2.5.dfsg.orig/debian/patches/20_printf_types.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/20_printf_types.dpatch @@ -0,0 +1,64 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 20_printf_types.dpatch by Magnus Holmgren +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Change the format strings of various calls to printf-style functions to +## DP: match the arguments. + +@DPATCH@ +diff -urNad libspf2-1.2.5.dfsg~/src/libspf2/spf_compile.c libspf2-1.2.5.dfsg/src/libspf2/spf_compile.c +--- libspf2-1.2.5.dfsg~/src/libspf2/spf_compile.c 2007-03-27 14:28:00.931960929 +0200 ++++ libspf2-1.2.5.dfsg/src/libspf2/spf_compile.c 2007-03-27 14:30:04.000000000 +0200 +@@ -470,7 +470,7 @@ + len = end - p; + if (spf_server->debug) + SPF_debugf("Adding string literal (%d): '%*.*s'", +- len, len, len, p); ++ (int)len, (int)len, (int)len, p); + memcpy( dst, p, len ); + ds_len += len; + dst += len; +diff -urNad libspf2-1.2.5.dfsg~/src/libspf2/spf_id2str.c libspf2-1.2.5.dfsg/src/libspf2/spf_id2str.c +--- libspf2-1.2.5.dfsg~/src/libspf2/spf_id2str.c 2007-03-27 14:27:58.171600935 +0200 ++++ libspf2-1.2.5.dfsg/src/libspf2/spf_id2str.c 2007-03-27 14:30:51.000000000 +0200 +@@ -309,7 +309,7 @@ + p_end = *bufp + *buflenp; + + if (debug) +- SPF_debugf("stringify: Buffer length is %d\n", *buflenp); ++ SPF_debugf("stringify: Buffer length is %u\n", (unsigned int)*buflenp); + + + /* +diff -urNad libspf2-1.2.5.dfsg~/src/libspf2/spf_print.c libspf2-1.2.5.dfsg/src/libspf2/spf_print.c +--- libspf2-1.2.5.dfsg~/src/libspf2/spf_print.c 2007-03-27 14:27:58.231608763 +0200 ++++ libspf2-1.2.5.dfsg/src/libspf2/spf_print.c 2007-03-27 14:47:39.000000000 +0200 +@@ -54,12 +54,12 @@ + return SPF_E_SUCCESS; + } + +- SPF_infof( "SPF header: version: %d mech %d/%d mod %d/%d len=%d", ++ SPF_infof( "SPF header: version: %d mech %d/%u mod %d/%u len=%u", + spf_record->version, +- spf_record->num_mech, spf_record->mech_len, +- spf_record->num_mod, spf_record->mod_len, +- sizeof(SPF_record_t) + spf_record->mech_len +- + spf_record->mod_len); ++ (int)spf_record->num_mech, (unsigned int)spf_record->mech_len, ++ (int)spf_record->num_mod, (unsigned int)spf_record->mod_len, ++ (unsigned int)(sizeof(SPF_record_t) + spf_record->mech_len ++ + spf_record->mod_len)); + + err = SPF_record_stringify(spf_record, &prt_buf, &prt_len); + if ( err == SPF_E_RESULT_UNKNOWN ) +@@ -81,7 +81,7 @@ + void SPF_print_sizeof(void) + { + // SPF_infof( "sizeof(SPF_rec_header_t)=%u", sizeof(SPF_rec_header_t)); +- SPF_infof( "sizeof(SPF_mech_t)=%u", sizeof(SPF_mech_t)); +- SPF_infof( "sizeof(SPF_data_t)=%u", sizeof(SPF_data_t)); +- SPF_infof( "sizeof(SPF_mod_t)=%u", sizeof(SPF_mod_t)); ++ SPF_infof( "sizeof(SPF_mech_t)=%u", (unsigned int)sizeof(SPF_mech_t)); ++ SPF_infof( "sizeof(SPF_data_t)=%u", (unsigned int)sizeof(SPF_data_t)); ++ SPF_infof( "sizeof(SPF_mod_t)=%u", (unsigned int)sizeof(SPF_mod_t)); + } --- libspf2-1.2.5.dfsg.orig/debian/patches/40_permanent_include_errors.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/40_permanent_include_errors.dpatch @@ -0,0 +1,23 @@ +#!/bin/sh /usr/share/dpatch/dpatch-run +## 40_permanent_include_errors.dpatch by Robert Millan , edited by Magnus Holmgren +## +## DP: Permanent error when processing an include: directive should in turn +## DP: produce permanent error (see the table in RFC 4408 / section 5.2). + +@DPATCH@ + +diff -ur libspf2-1.2.5.dfsg.old/src/libspf2/spf_interpret.c libspf2-1.2.5.dfsg/src/libspf2/spf_interpret.c +--- libspf2-1.2.5.dfsg.old/src/libspf2/spf_interpret.c 2005-02-22 04:41:27.000000000 +0100 ++++ libspf2-1.2.5.dfsg/src/libspf2/spf_interpret.c 2007-07-01 01:03:17.000000000 +0200 +@@ -1022,7 +1042,10 @@ + if (spf_record_subr) + SPF_record_free(spf_record_subr); + SPF_FREE_LOOKUP_DATA(); +- return DONE_TEMPERR( err ); ++ if (err == SPF_E_DNS_ERROR) ++ return DONE_TEMPERR( err ); ++ else ++ return DONE_PERMERR( err ); + } + + /* --- libspf2-1.2.5.dfsg.orig/debian/patches/02_wrong_lib_version_h.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/02_wrong_lib_version_h.dpatch @@ -0,0 +1,30 @@ +#!/bin/sh +## 02_wrong_lib_version_h.dpatch by Magnus Holmgren +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Move static spf_lib_version.h out of the way and patch configure to put +## DP: the autogenerated one in the right place. + +set -e + +lib_version_h=src/include/spf_lib_version.h + +dpatch_patch() { + # Update configure script so that it writes to the right .h file + test -e configure.old || \ + sed -ri.old -e 's%src/libspf2/spf_lib_version%src/include/spf_lib_version%' configure + # Move the bad .h file out of the way + test -e $lib_version_h.old || mv -f $lib_version_h $lib_version_h.old +} + +dpatch_unpatch() { + # Move the bad .h file back to its position + if test -e $lib_version_h.old; then mv -f $lib_version_h.old $lib_version_h; fi + # Move the original configure script back + if test -e configure.old; then mv -f configure.old configure; fi +} + + +DPATCH_LIB_NO_DEFAULT=1 + +. /usr/share/dpatch/dpatch.lib.sh --- libspf2-1.2.5.dfsg.orig/debian/patches/20_64bit_types.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/20_64bit_types.dpatch @@ -0,0 +1,105 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 20_64bit_types.dpatch by Magnus Holmgren +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Change various ints to size_t etc, to avoid crashes on 64-bit +## DP: architectures. + +@DPATCH@ + +diff -Nur libspf2-1.2.5.dfsg/src/include/spf_internal.h libspf2-1.2.5.dfsg.new/src/include/spf_internal.h +--- libspf2-1.2.5.dfsg/src/include/spf_internal.h 2007-03-23 22:37:26.000000000 +0100 ++++ libspf2-1.2.5.dfsg.new/src/include/spf_internal.h 2007-03-23 23:08:54.000000000 +0100 +@@ -71,7 +71,7 @@ + static inline size_t _align_sz(size_t s) + { return (s + (_ALIGN_SZ - 1 - (((s - 1) & (_ALIGN_SZ - 1))))); } + static inline char * _align_ptr(char *s) +- { return (s + (_ALIGN_SZ - 1 - ((((unsigned int)s - 1) & (_ALIGN_SZ - 1))))); } ++ { return (s + (_ALIGN_SZ - 1 - ((((size_t)s - 1) & (_ALIGN_SZ - 1))))); } + #else + static inline size_t _align_sz(size_t s) { return s; } + static inline char * _align_ptr(char *s) { return s; } +diff -Nur libspf2-1.2.5.dfsg/src/include/spf_record.h libspf2-1.2.5.dfsg.new/src/include/spf_record.h +--- libspf2-1.2.5.dfsg/src/include/spf_record.h 2007-03-23 22:37:26.000000000 +0100 ++++ libspf2-1.2.5.dfsg.new/src/include/spf_record.h 2007-03-23 23:08:54.000000000 +0100 +@@ -224,7 +224,7 @@ + + struct SPF_macro_struct + { +- unsigned int macro_len; /* bytes of data */ ++ size_t macro_len; /* bytes of data */ + /* data: (SPF_data_t[] = char[macro_len]) follows */ + }; + +diff -Nur libspf2-1.2.5.dfsg/src/libspf2/spf_compile.c libspf2-1.2.5.dfsg.new/src/libspf2/spf_compile.c +--- libspf2-1.2.5.dfsg/src/libspf2/spf_compile.c 2007-03-23 22:37:26.000000000 +0100 ++++ libspf2-1.2.5.dfsg.new/src/libspf2/spf_compile.c 2007-03-23 23:18:41.000000000 +0100 +@@ -98,7 +98,7 @@ + } + + static void +-SPF_c_ensure_capacity(void **datap, int *sizep, int length) ++SPF_c_ensure_capacity(void **datap, size_t *sizep, int length) + { + int size = *sizep; + if (length > size) +@@ -435,7 +435,7 @@ + static SPF_errcode_t + SPF_c_parse_macro(SPF_server_t *spf_server, + SPF_response_t *spf_response, +- SPF_data_t *data, int *data_len, ++ SPF_data_t *data, size_t *data_len, + const char **startp, const char **endp, + size_t max_len, SPF_errcode_t big_err, + int is_mod) +@@ -551,10 +551,10 @@ + static SPF_errcode_t + SPF_c_parse_domainspec(SPF_server_t *spf_server, + SPF_response_t *spf_response, +- SPF_data_t *data, int *data_len, ++ SPF_data_t *data, size_t *data_len, + const char **startp, const char **endp, + size_t max_len, SPF_errcode_t big_err, +- int cidr_ok, int is_mod) ++ SPF_cidr_t cidr_ok, int is_mod) + { + SPF_errcode_t err; + /* Generic parsing iterators and boundaries */ +diff -Nur libspf2-1.2.5.dfsg/src/libspf2/spf_dns_resolv.c libspf2-1.2.5.dfsg.new/src/libspf2/spf_dns_resolv.c +--- libspf2-1.2.5.dfsg/src/libspf2/spf_dns_resolv.c 2007-03-23 22:37:26.000000000 +0100 ++++ libspf2-1.2.5.dfsg.new/src/libspf2/spf_dns_resolv.c 2007-03-23 23:08:54.000000000 +0100 +@@ -393,7 +393,7 @@ + if ( SPF_dns_rr_buf_realloc( spfrr, cnt, rdlen ) != SPF_E_SUCCESS ) + return spfrr; + +- dst = spfrr->rr[cnt]->txt; ++ dst = (u_char *)(spfrr->rr[cnt]->txt); + len = 0; + src = (u_char *)rdata; + while ( rdlen > 0 ) +diff -Nur libspf2-1.2.5.dfsg/src/libspf2/spf_interpret.c libspf2-1.2.5.dfsg.new/src/libspf2/spf_interpret.c +--- libspf2-1.2.5.dfsg/src/libspf2/spf_interpret.c 2007-03-23 22:37:26.000000000 +0100 ++++ libspf2-1.2.5.dfsg.new/src/libspf2/spf_interpret.c 2007-03-23 23:20:30.000000000 +0100 +@@ -49,8 +49,8 @@ + SPF_record_t *spf_record; + SPF_errcode_t err; + char *buf; +- int buflen; +- int len; ++ size_t buflen; ++ size_t len; + + SPF_ASSERT_NOTNULL(spf_response); + spf_request = spf_response->spf_request; +diff -Nur libspf2-1.2.5.dfsg/src/spfd/spfd.c libspf2-1.2.5.dfsg.new/src/spfd/spfd.c +--- libspf2-1.2.5.dfsg/src/spfd/spfd.c 2007-03-23 22:37:26.000000000 +0100 ++++ libspf2-1.2.5.dfsg.new/src/spfd/spfd.c 2007-03-23 23:08:54.000000000 +0100 +@@ -168,7 +168,7 @@ + struct sockaddr_in in; + struct sockaddr_un un; + } addr; +- int addrlen; ++ socklen_t addrlen; + char *data; + int datalen; + --- libspf2-1.2.5.dfsg.orig/debian/patches/42_empty_sender.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/42_empty_sender.dpatch @@ -0,0 +1,33 @@ +#!/bin/sh /usr/share/dpatch/dpatch-run +## 42_empty_sender.dpatch by Magnus Holmgren +## +## DP: If SPF_request_set_env_from() is called with from set to the empty +## DP: string (i.e. a DSN), use the HELO identity. Also fix incorrect +## DP: handling when the local part is empty (but the "@" is present). + +@DPATCH@ +diff -urNad trunk~/src/libspf2/spf_request.c trunk/src/libspf2/spf_request.c +--- trunk~/src/libspf2/spf_request.c 2005-02-22 03:38:57.000000000 +0100 ++++ trunk/src/libspf2/spf_request.c 2007-07-30 21:58:48.000000000 +0200 +@@ -142,14 +142,19 @@ + SPF_FREE(sr->env_from_lp); + SPF_FREE(sr->env_from_dp); + ++ if (*from == '\0' && sr->helo_dom != NULL) { ++ from = sr->helo_dom; ++ } + cp = strrchr(from, '@'); + if (cp && (cp != from)) { + sr->env_from = strdup(from); +- sr->env_from_lp = strdup(from); /* Too long, but simple */ +- sr->env_from_lp[(cp - from)] = '\0'; ++ *cp = '\0'; ++ sr->env_from_lp = strdup(from); + sr->env_from_dp = strdup(cp + 1); ++ *cp = '@'; + } + else { ++ if (cp == from) from++; /* "@domain.example" */ + len = sizeof("postmaster@") + strlen(from); + sr->env_from = malloc(len + 1); /* sizeof("") == 1? */ + sprintf(sr->env_from, "postmaster@%s", from); --- libspf2-1.2.5.dfsg.orig/debian/patches/01_line-endings.dpatch +++ libspf2-1.2.5.dfsg/debian/patches/01_line-endings.dpatch @@ -0,0 +1,30 @@ +#!/bin/sh +## 01_line-endings.dpatch by Magnus Holmgren +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Convert CRLF line endings to LF in certain Windows-related files + +FILES_WITH_CRLF="src/libspf2/spf_dns_windns.c + src/libspf2/spf_win32.c + src/libreplace/win32_config.h + src/include/spf_dns_windns.h + src/include/spf_win32.h" + +set -e + +dpatch_patch() { + if [ ! -f debian/patched/patched-line-endings.tar.gz ]; then + tar -czf debian/patched/patched-line-endings.tar.gz $FILES_WITH_CRLF + # Change line endings to LF in files with CRLF + sed -ri -e 's/\r$//' $FILES_WITH_CRLF + fi +} + +dpatch_unpatch() { + # Change line endings back to CRLF in files that had it in the tarball + tar -xzf debian/patched/patched-line-endings.tar.gz +} + +DPATCH_LIB_NO_DEFAULT=1 + +. /usr/share/dpatch/dpatch.lib.sh