git: 99c5dc1049a2 - main - mail/exim: update to 4.95 release (+)
Date: Tue, 28 Dec 2021 19:32:55 UTC
The branch main has been updated by fluffy:
URL: https://cgit.FreeBSD.org/ports/commit/?id=99c5dc1049a23570016dcb5ac44882e408800622
commit 99c5dc1049a23570016dcb5ac44882e408800622
Author: Dima Panov <fluffy@FreeBSD.org>
AuthorDate: 2021-12-28 19:23:16 +0000
Commit: Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2021-12-28 19:23:16 +0000
mail/exim: update to 4.95 release (+)
Finally, Exim is pushed to the 4.95 release.
The long wait was caused by some critical errors in the vanilla release;
the upstream fixes took some time to arrive.
* Apply sendfile patch, fixes SIGSEGV using clamd via TCP [1]
* Convert select() to poll(), fixes crashes (SIGSEGV) on FreeBSD 12.2 [2]
PR: 258848 [1], 259822 [2]
Sponsored by: Netzkommune GmbH
---
mail/exim/Makefile | 35 +-
mail/exim/distinfo | 6 +-
...ain-config-option-allow_insecure_tainted_.patch | 230 -----
mail/exim/files/debian/75_02-search.patch | 39 -
mail/exim/files/debian/75_03-dbstuff.patch | 30 -
mail/exim/files/debian/75_04-acl.patch | 67 --
mail/exim/files/debian/75_05-parse.patch | 30 -
mail/exim/files/debian/75_06-rda.patch | 28 -
mail/exim/files/debian/75_07-appendfile.patch | 34 -
mail/exim/files/debian/75_08-autoreply.patch | 70 --
mail/exim/files/debian/75_09-pipe.patch | 36 -
mail/exim/files/debian/75_10-deliver.patch | 49 --
mail/exim/files/debian/75_11-directory.patch | 26 -
mail/exim/files/debian/75_12-expand.patch | 34 -
mail/exim/files/debian/75_13-lf_sqlperform.patch | 49 --
.../exim/files/debian/75_14-rf_get_transport.patch | 28 -
mail/exim/files/debian/75_15-deliver.patch | 31 -
mail/exim/files/debian/75_16-smtp_out.patch | 38 -
mail/exim/files/debian/75_17-smtp.patch | 29 -
mail/exim/files/debian/75_18-update-doc.patch | 154 ----
...g_name-and-rejectlog_name-unconditionally.patch | 42 -
mail/exim/files/debian/75_21-tidy-log.c.patch | 124 ---
.../exim/files/debian/75_22-Silence-compiler.patch | 222 -----
...e-the-main-_log-if-we-do-not-see-a-chance.patch | 166 ----
.../files/debian/75_24-Silence-the-compiler.patch | 57 --
...ntchecks-for-mkdir-this-isn-t-part-of-4.9.patch | 27 -
...ng-gettimeofday-select-per-char-for-cmdli.patch | 616 ++++++++++++++
...vert-all-uses-of-select-to-poll.-Bug-2831.patch | 931 +++++++++++++++++++++
...-Fix-basic-memory-use-for-SPARC.-Bug-2838.patch | 140 ++++
mail/exim/files/patch-OS_os.c-FreeBSD | 15 +
mail/exim/files/patch-OS_os.h-FreeBSD | 17 -
mail/exim/files/patch-src__EDITME | 46 +-
mail/exim/options | 1 -
33 files changed, 1736 insertions(+), 1711 deletions(-)
diff --git a/mail/exim/Makefile b/mail/exim/Makefile
index 874f352e5ae3..efb374f816e3 100644
--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@@ -2,7 +2,7 @@
PORTNAME= exim
PORTVERSION?= ${EXIM_VERSION}
-PORTREVISION?= 2
+PORTREVISION?= 0
CATEGORIES= mail
MASTER_SITES= EXIM:exim
MASTER_SITE_SUBDIR= /exim4/:exim \
@@ -65,32 +65,11 @@ SPF_LIB_DEPENDS= libspf2.so:mail/libspf2
SQLITE_LIB_DEPENDS= libicudata.so:devel/icu
SQLITE_USES= pkgconfig sqlite
-TAINTWARN_PATCHES_PREFIX= ${FILESDIR}/debian/75
-TAINTWARN_EXTRA_PATCHES= \
- ${TAINTWARN_PATCHES_PREFIX}_01-Introduce-main-config-option-allow_insecure_tainted_.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_02-search.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_03-dbstuff.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_04-acl.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_05-parse.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_06-rda.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_07-appendfile.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_08-autoreply.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_09-pipe.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_10-deliver.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_11-directory.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_12-expand.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_13-lf_sqlperform.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_14-rf_get_transport.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_15-deliver.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_16-smtp_out.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_17-smtp.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_18-update-doc.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_20-Set-mainlog_name-and-rejectlog_name-unconditionally.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_21-tidy-log.c.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_22-Silence-compiler.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_23-Do-not-close-the-main-_log-if-we-do-not-see-a-chance.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_24-Silence-the-compiler.patch:-p1 \
- ${TAINTWARN_PATCHES_PREFIX}_26-Disable-taintchecks-for-mkdir-this-isn-t-part-of-4.9.patch:-p1
+DEBIAN_PATCHES_PREFIX= ${FILESDIR}/debian/75
+EXTRA_PATCHES= \
+ ${DEBIAN_PATCHES_PREFIX}_30-Avoid-calling-gettimeofday-select-per-char-for-cmdli.patch:-p1 \
+ ${DEBIAN_PATCHES_PREFIX}_38-Convert-all-uses-of-select-to-poll.-Bug-2831.patch:-p1 \
+ ${DEBIAN_PATCHES_PREFIX}_40-Fix-basic-memory-use-for-SPARC.-Bug-2838.patch:-p1
.include <bsd.port.options.mk>
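Review bot: `EXTRA_PATCHES= \` is a plain assignment, while every other use visible in this diff appends (`EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.c`, the `74_*.patch` find), so anything appended to EXTRA_PATCHES above this hunk would be silently discarded; `EXTRA_PATCHES+= \` is the safer form. The three 75_30/75_38/75_40 patches are now applied unconditionally instead of behind the TAINTWARN option, and the Makefile does not say why each is carried; a comment such as `# Upstream fixes on top of 4.95 (Bug 2831, Bug 2838); drop once part of a release` above `DEBIAN_PATCHES_PREFIX` would tell the next updater when to remove them. With the TAINTWARN patch set retired here, whether the package still builds in the `allow_insecure_tainted_data` escape hatch is decided in mail/exim/files/patch-src__EDITME and mail/exim/options, which are not visible in this part of the diff; that is worth stating for operators, because the setting downgrades taint failures to warnings. The rest of the Makefile lies outside the hunk, so the first point needs confirming against the full file.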
@@ -131,7 +110,7 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.conf
.endif
-EXIM_VERSION= 4.94.2
+EXIM_VERSION= 4.95
SA_EXIM_VERSION=4.2.1
EXIM_INSTALL_ARG+= "-no_chown" "-no_symlink"
EXTRA_PATCHES+= `${FIND} ${PATCHDIR} -name '74_*.patch'|${SORT} -h`
diff --git a/mail/exim/distinfo b/mail/exim/distinfo
index cf1ae320eaa8..c007834ea4bb 100644
--- a/mail/exim/distinfo
+++ b/mail/exim/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1620141511
-SHA256 (exim/exim-4.94.2.tar.bz2) = 902e611486400608691dff31e1d8725eb9e23602399ad75670ec18878643bc4f
-SIZE (exim/exim-4.94.2.tar.bz2) = 2007178
+TIMESTAMP = 1632918983
+SHA256 (exim/exim-4.95.tar.bz2) = 7f4716cc1b3fee66930d83b249f1c7b119fa1957f6f46e3f4372805cbc97ea63
+SIZE (exim/exim-4.95.tar.bz2) = 2035738
SHA256 (exim/sa-exim-4.2.1.tar.gz) = 24d4bf7b0fdddaea11f132981cebb6a86a4ab20ef54111a8ebd481b421c6e2c1
SIZE (exim/sa-exim-4.2.1.tar.gz) = 68933
diff --git a/mail/exim/files/debian/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch b/mail/exim/files/debian/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch
deleted file mode 100644
index 0295ec18fa6e..000000000000
--- a/mail/exim/files/debian/75_01-Introduce-main-config-option-allow_insecure_tainted_.patch
+++ /dev/null
@@ -1,230 +0,0 @@
-From ec06d64532e4952fc36429f73e0222d26997ef7c Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Thu, 1 Apr 2021 22:44:31 +0200
-Subject: [PATCH 01/23] Introduce main config option
- allow_insecure_tainted_data
-
-This option is deprecated already now.
----
- src/EDITME | 7 +++++
- src/config.h.defaults | 2 ++
- src/functions.h | 54 ++++++++++++++++++++++++++++++---------
- src/globals.c | 10 ++++++++
- src/globals.h | 4 +++
- src/macros.h | 3 +++
- src/readconf.c | 3 +++
- 7 files changed, 71 insertions(+), 12 deletions(-)
-
-diff --git a/src/EDITME b/src/EDITME
-index 8da36a353..cebb8e2ec 100644
---- a/src/EDITME
-+++ b/src/EDITME
-@@ -749,6 +749,13 @@ FIXED_NEVER_USERS=root
-
- # WHITELIST_D_MACROS=TLS:SPOOL
-
-+# The next setting enables a main config option
-+# "allow_insecure_tainted_data" to turn taint failures into warnings.
-+# Though this option is new, it is deprecated already now, and will be
-+# ignored in future releases of Exim. It is meant as mitigation for
-+# upgrading old (possibly insecure) configurations to more secure ones.
-+ALLOW_INSECURE_TAINTED_DATA=yes
-+
- #------------------------------------------------------------------------------
- # Exim has support for the AUTH (authentication) extension of the SMTP
- # protocol, as defined by RFC 2554. If you don't know what SMTP authentication
-diff --git a/src/config.h.defaults b/src/config.h.defaults
-index e17f015f9..4e8b18904 100644
---- a/src/config.h.defaults
-+++ b/src/config.h.defaults
-@@ -17,6 +17,8 @@ Do not put spaces between # and the 'define'.
- #define ALT_CONFIG_PREFIX
- #define TRUSTED_CONFIG_LIST
-
-+#define ALLOW_INSECURE_TAINTED_DATA
-+
- #define APPENDFILE_MODE 0600
- #define APPENDFILE_DIRECTORY_MODE 0700
- #define APPENDFILE_LOCKFILE_MODE 0600
-diff --git a/src/functions.h b/src/functions.h
-index 51bb17a09..1e8083673 100644
---- a/src/functions.h
-+++ b/src/functions.h
-@@ -1083,36 +1083,66 @@ if (f.running_in_test_harness && f.testsuite_delays) millisleep(millisec);
-
- /******************************************************************************/
- /* Taint-checked file opens */
-+static inline uschar *
-+is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
-+{
-+va_list ap;
-+uschar *msg;
-+rmark mark;
-+
-+if (!is_tainted(p))
-+ return NULL;
-+
-+mark = store_mark();
-+va_start(ap, fmt);
-+msg = string_from_gstring(string_vformat(NULL, SVFMT_TAINT_NOCHK|SVFMT_EXTEND, fmt, ap));
-+va_end(ap);
-+
-+#ifdef ALLOW_INSECURE_TAINTED_DATA
-+if (allow_insecure_tainted_data)
-+ {
-+ if LOGGING(tainted) log_write(0, LOG_MAIN, "Warning: %s", msg);
-+ store_reset(mark);
-+ return NULL;
-+ }
-+#endif
-+
-+if (lflags) log_write(0, lflags, "%s", msg);
-+return msg; /* no store_reset(), as the message might be used afterwards and Exim
-+ is expected to exit anyway, so we do not care about the leaked
-+ storage */
-+}
-
- static inline int
- exim_open2(const char *pathname, int flags)
- {
--if (!is_tainted(pathname)) return open(pathname, flags);
--log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
-+if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
-+ return open(pathname, flags);
- errno = EACCES;
- return -1;
- }
-+
- static inline int
- exim_open(const char *pathname, int flags, mode_t mode)
- {
--if (!is_tainted(pathname)) return open(pathname, flags, mode);
--log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
-+if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
-+ return open(pathname, flags, mode);
- errno = EACCES;
- return -1;
- }
- static inline int
- exim_openat(int dirfd, const char *pathname, int flags)
- {
--if (!is_tainted(pathname)) return openat(dirfd, pathname, flags);
--log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
-+if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
-+ return openat(dirfd, pathname, flags);
- errno = EACCES;
- return -1;
- }
- static inline int
- exim_openat4(int dirfd, const char *pathname, int flags, mode_t mode)
- {
--if (!is_tainted(pathname)) return openat(dirfd, pathname, flags, mode);
--log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
-+if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
-+ return openat(dirfd, pathname, flags, mode);
- errno = EACCES;
- return -1;
- }
-@@ -1120,8 +1150,8 @@ return -1;
- static inline FILE *
- exim_fopen(const char *pathname, const char *mode)
- {
--if (!is_tainted(pathname)) return fopen(pathname, mode);
--log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
-+if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
-+ return fopen(pathname, mode);
- errno = EACCES;
- return NULL;
- }
-@@ -1129,8 +1159,8 @@ return NULL;
- static inline DIR *
- exim_opendir(const uschar * name)
- {
--if (!is_tainted(name)) return opendir(CCS name);
--log_write(0, LOG_MAIN|LOG_PANIC, "Tainted dirname '%s'", name);
-+if (!is_tainted2(name, LOG_MAIN|LOG_PANIC, "Tainted dirname '%s'", name))
-+ return opendir(CCS name);
- errno = EACCES;
- return NULL;
- }
-diff --git a/src/globals.c b/src/globals.c
-index c34ac9ddd..ff660c352 100644
---- a/src/globals.c
-+++ b/src/globals.c
-@@ -98,6 +98,10 @@ int sqlite_lock_timeout = 5;
- BOOL move_frozen_messages = FALSE;
- #endif
-
-+#ifdef ALLOW_INSECURE_TAINTED_DATA
-+BOOL allow_insecure_tainted_data = FALSE;
-+#endif
-+
- /* These variables are outside the #ifdef because it keeps the code less
- cluttered in several places (e.g. during logging) if we can always refer to
- them. Also, the tls_ variables are now always visible. Note that these are
-@@ -1033,6 +1037,9 @@ int log_default[] = { /* for initializing log_selector */
- Li_size_reject,
- Li_skip_delivery,
- Li_smtp_confirmation,
-+#ifdef ALLOW_INSECURE_TAINTED_DATA
-+ Li_tainted,
-+#endif
- Li_tls_certificate_verified,
- Li_tls_cipher,
- -1
-@@ -1100,6 +1107,9 @@ bit_table log_options[] = { /* must be in alphabetical order,
- BIT_TABLE(L, smtp_protocol_error),
- BIT_TABLE(L, smtp_syntax_error),
- BIT_TABLE(L, subject),
-+#ifdef ALLOW_INSECURE_TAINTED_DATA
-+ BIT_TABLE(L, tainted),
-+#endif
- BIT_TABLE(L, tls_certificate_verified),
- BIT_TABLE(L, tls_cipher),
- BIT_TABLE(L, tls_peerdn),
-diff --git a/src/globals.h b/src/globals.h
-index a4c1143b7..8d72577e0 100644
---- a/src/globals.h
-+++ b/src/globals.h
-@@ -77,6 +77,10 @@ extern int sqlite_lock_timeout; /* Internal lock waiting timeout */
- extern BOOL move_frozen_messages; /* Get them out of the normal directory */
- #endif
-
-+#ifdef ALLOW_INSECURE_TAINTED_DATA
-+extern BOOL allow_insecure_tainted_data;
-+#endif
-+
- /* These variables are outside the #ifdef because it keeps the code less
- cluttered in several places (e.g. during logging) if we can always refer to
- them. Also, the tls_ variables are now always visible. */
-diff --git a/src/macros.h b/src/macros.h
-index f78ae2e3d..322ddbf56 100644
---- a/src/macros.h
-+++ b/src/macros.h
-@@ -498,6 +498,9 @@ enum logbit {
- Li_smtp_mailauth,
- Li_smtp_no_mail,
- Li_subject,
-+#ifdef ALLOW_INSECURE_TAINTED_DATA
-+ Li_tainted,
-+#endif
- Li_tls_certificate_verified,
- Li_tls_cipher,
- Li_tls_peerdn,
-diff --git a/src/readconf.c b/src/readconf.c
-index 948fa2403..133135f8f 100644
---- a/src/readconf.c
-+++ b/src/readconf.c
-@@ -68,6 +68,9 @@ static optionlist optionlist_config[] = {
- { "add_environment", opt_stringptr, {&add_environment} },
- { "admin_groups", opt_gidlist, {&admin_groups} },
- { "allow_domain_literals", opt_bool, {&allow_domain_literals} },
-+#ifdef ALLOW_INSECURE_TAINTED_DATA
-+ { "allow_insecure_tainted_data", opt_bool, {&allow_insecure_tainted_data} },
-+#endif
- { "allow_mx_to_ip", opt_bool, {&allow_mx_to_ip} },
- { "allow_utf8_domains", opt_bool, {&allow_utf8_domains} },
- { "auth_advertise_hosts", opt_stringptr, {&auth_advertise_hosts} },
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_02-search.patch b/mail/exim/files/debian/75_02-search.patch
deleted file mode 100644
index 226a350af10d..000000000000
--- a/mail/exim/files/debian/75_02-search.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From b71d675f695c2cf17357b190476129535d5f446c Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Thu, 1 Apr 2021 22:45:03 +0200
-Subject: [PATCH 02/23] search
-
----
- src/search.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/src/search.c b/src/search.c
-index f8aaacb04..f6e4d1f5b 100644
---- a/src/search.c
-+++ b/src/search.c
-@@ -343,12 +343,8 @@ lookup_info *lk = lookup_list[search_type];
- uschar keybuffer[256];
- int old_pool = store_pool;
-
--if (filename && is_tainted(filename))
-- {
-- log_write(0, LOG_MAIN|LOG_PANIC,
-- "Tainted filename for search: '%s'", filename);
-+if (filename && is_tainted2(filename, LOG_MAIN|LOG_PANIC, "Tainted filename for search '%s'", filename))
- return NULL;
-- }
-
- /* Change to the search store pool and remember our reset point */
-
-@@ -639,7 +635,7 @@ DEBUG(D_lookup)
- /* Arrange to put this database at the top of the LRU chain if it is a type
- that opens real files. */
-
--if ( open_top != (tree_node *)handle
-+if ( open_top != (tree_node *)handle
- && lookup_list[t->name[0]-'0']->type == lookup_absfile)
- {
- search_cache *c = (search_cache *)(t->data.ptr);
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_03-dbstuff.patch b/mail/exim/files/debian/75_03-dbstuff.patch
deleted file mode 100644
index dc9da8e44c54..000000000000
--- a/mail/exim/files/debian/75_03-dbstuff.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 35b11dd0e52b5ac176849f807cca8898bcaf0c3d Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Sun, 28 Mar 2021 10:49:49 +0200
-Subject: [PATCH 03/23] dbstuff
-
----
- src/dbstuff.h | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/dbstuff.h b/src/dbstuff.h
-index c1fb54346..dcee78696 100644
---- a/src/dbstuff.h
-+++ b/src/dbstuff.h
-@@ -643,11 +643,9 @@ after reading data. */
- : (flags) == O_RDWR ? "O_RDWR" \
- : (flags) == (O_RDWR|O_CREAT) ? "O_RDWR|O_CREAT" \
- : "??"); \
-- if (is_tainted(name) || is_tainted(dirname)) \
-- { \
-- log_write(0, LOG_MAIN|LOG_PANIC, "Tainted name for DB file not permitted"); \
-+ if (is_tainted2(name, LOG_MAIN|LOG_PANIC, "Tainted name '%s' for DB file not permitted", name) \
-+ || is_tainted2(dirname, LOG_MAIN|LOG_PANIC, "Tainted name '%s' for DB directory not permitted", dirname)) \
- *dbpp = NULL; \
-- } \
- else \
- { EXIM_DBOPEN__(name, dirname, flags, mode, dbpp); } \
- DEBUG(D_hints_lookup) debug_printf_indent("returned from EXIM_DBOPEN: %p\n", *dbpp); \
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_04-acl.patch b/mail/exim/files/debian/75_04-acl.patch
deleted file mode 100644
index 810b2e591675..000000000000
--- a/mail/exim/files/debian/75_04-acl.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 44fd80ad8abcd885fc1c8dbb294fc2140e4ef481 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Sun, 28 Mar 2021 10:50:14 +0200
-Subject: [PATCH 04/23] acl
-Last-Update: 2021-05-01
-
----
- src/acl.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/src/acl.c
-+++ b/src/acl.c
-@@ -3596,24 +3596,26 @@
- rc = mime_regex(&arg);
- break;
- #endif
-
- case ACLC_QUEUE:
-- if (is_tainted(arg))
- {
-- *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted",
-- arg);
-- return ERROR;
-+ uschar *m;
-+ if (m = is_tainted2(arg, 0, "Tainted name '%s' for queue not permitted", arg))
-+ {
-+ *log_msgptr = m;
-+ return ERROR;
-+ }
-+ if (Ustrchr(arg, '/'))
-+ {
-+ *log_msgptr = string_sprintf(
-+ "Directory separator not permitted in queue name: '%s'", arg);
-+ return ERROR;
-+ }
-+ queue_name = string_copy_perm(arg, FALSE);
-+ break;
- }
-- if (Ustrchr(arg, '/'))
-- {
-- *log_msgptr = string_sprintf(
-- "Directory separator not permitted in queue name: '%s'", arg);
-- return ERROR;
-- }
-- queue_name = string_copy_perm(arg, FALSE);
-- break;
-
- case ACLC_RATELIMIT:
- rc = acl_ratelimit(arg, where, log_msgptr);
- break;
-
-@@ -4005,14 +4007,12 @@
- }
-
- else if (*ss == '/')
- {
- struct stat statbuf;
-- if (is_tainted(ss))
-+ if (is_tainted2(ss, LOG_MAIN|LOG_PANIC, "Tainted ACL file name '%s'", ss))
- {
-- log_write(0, LOG_MAIN|LOG_PANIC,
-- "attempt to open tainted ACL file name \"%s\"", ss);
- /* Avoid leaking info to an attacker */
- *log_msgptr = US"internal configuration error";
- return ERROR;
- }
- if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
diff --git a/mail/exim/files/debian/75_05-parse.patch b/mail/exim/files/debian/75_05-parse.patch
deleted file mode 100644
index f9dab900f88e..000000000000
--- a/mail/exim/files/debian/75_05-parse.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 7eeeb6f26af05322814ecc77c87f09c72ab2216a Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Sun, 28 Mar 2021 10:58:46 +0200
-Subject: [PATCH 05/23] parse
-
----
- src/parse.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/src/parse.c b/src/parse.c
-index 3ea758ac9..d1bc79039 100644
---- a/src/parse.c
-+++ b/src/parse.c
-@@ -1402,12 +1402,8 @@ for (;;)
- return FF_ERROR;
- }
-
-- if (is_tainted(filename))
-- {
-- *error = string_sprintf("Tainted name '%s' for included file not permitted\n",
-- filename);
-+ if (*error = is_tainted2(filename, 0, "Tainted name '%s' for included file not permitted\n", filename))
- return FF_ERROR;
-- }
-
- /* Check file name if required */
-
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_06-rda.patch b/mail/exim/files/debian/75_06-rda.patch
deleted file mode 100644
index f4ca2afc13f1..000000000000
--- a/mail/exim/files/debian/75_06-rda.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From a6da9c67acaee699616516be141d600cc178a633 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Sun, 28 Mar 2021 10:59:46 +0200
-Subject: [PATCH 06/23] rda
-
----
- src/rda.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/src/rda.c b/src/rda.c
-index aed8abc24..6ad7dd8bd 100644
---- a/src/rda.c
-+++ b/src/rda.c
-@@ -179,10 +179,8 @@ struct stat statbuf;
- /* Reading a file is a form of expansion; we wish to deny attackers the
- capability to specify the file name. */
-
--if (is_tainted(filename))
-+if (*error = is_tainted2(filename, 0, "Tainted name '%s' for file read not permitted\n", filename))
- {
-- *error = string_sprintf("Tainted name '%s' for file read not permitted\n",
-- filename);
- *yield = FF_ERROR;
- return NULL;
- }
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_07-appendfile.patch b/mail/exim/files/debian/75_07-appendfile.patch
deleted file mode 100644
index 5a9e37861d7f..000000000000
--- a/mail/exim/files/debian/75_07-appendfile.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From c29b50d2fe17cc108d751175ed4f4113c25c1768 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Sun, 28 Mar 2021 11:00:06 +0200
-Subject: [PATCH 07/23] appendfile
-
----
- src/transports/appendfile.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/transports/appendfile.c b/src/transports/appendfile.c
-index 8ab8b6016..7dbbaa2f9 100644
---- a/src/transports/appendfile.c
-+++ b/src/transports/appendfile.c
-@@ -1286,12 +1286,14 @@ if (!(path = expand_string(fdname)))
- expand_string_message);
- goto ret_panic;
- }
--if (is_tainted(path))
-+{ uschar *m;
-+if (m = is_tainted2(path, 0, "Tainted '%s' (file or directory "
-+ "name for %s transport) not permitted", path, tblock->name))
- {
-- addr->message = string_sprintf("Tainted '%s' (file or directory "
-- "name for %s transport) not permitted", path, tblock->name);
-+ addr->message = m;
- goto ret_panic;
- }
-+}
-
- if (path[0] != '/')
- {
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_08-autoreply.patch b/mail/exim/files/debian/75_08-autoreply.patch
deleted file mode 100644
index de5eb1dd3c20..000000000000
--- a/mail/exim/files/debian/75_08-autoreply.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 26de37d8960da80473866fb59b9dfd10a5761538 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Sun, 28 Mar 2021 11:06:27 +0200
-Subject: [PATCH 08/23] autoreply
-
----
- src/transports/autoreply.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/src/transports/autoreply.c b/src/transports/autoreply.c
-index 865abbf4f..ed99de4c6 100644
---- a/src/transports/autoreply.c
-+++ b/src/transports/autoreply.c
-@@ -404,14 +404,15 @@ recipient cache. */
-
- if (oncelog && *oncelog && to)
- {
-+ uschar *m;
- time_t then = 0;
-
-- if (is_tainted(oncelog))
-+ if (m = is_tainted2(oncelog, 0, "Tainted '%s' (once file for %s transport)"
-+ " not permitted", oncelog, tblock->name))
- {
- addr->transport_return = DEFER;
- addr->basic_errno = EACCES;
-- addr->message = string_sprintf("Tainted '%s' (once file for %s transport)"
-- " not permitted", oncelog, tblock->name);
-+ addr->message = m;
- goto END_OFF;
- }
-
-@@ -515,13 +516,14 @@ if (oncelog && *oncelog && to)
-
- if (then != 0 && (once_repeat_sec <= 0 || now - then < once_repeat_sec))
- {
-+ uschar *m;
- int log_fd;
-- if (is_tainted(logfile))
-+ if (m = is_tainted2(logfile, 0, "Tainted '%s' (logfile for %s transport)"
-+ " not permitted", logfile, tblock->name))
- {
- addr->transport_return = DEFER;
- addr->basic_errno = EACCES;
-- addr->message = string_sprintf("Tainted '%s' (logfile for %s transport)"
-- " not permitted", logfile, tblock->name);
-+ addr->message = m;
- goto END_OFF;
- }
-
-@@ -548,12 +550,13 @@ if (oncelog && *oncelog && to)
- /* We are going to send a message. Ensure any requested file is available. */
- if (file)
- {
-- if (is_tainted(file))
-+ uschar *m;
-+ if (m = is_tainted2(file, 0, "Tainted '%s' (file for %s transport)"
-+ " not permitted", file, tblock->name))
- {
- addr->transport_return = DEFER;
- addr->basic_errno = EACCES;
-- addr->message = string_sprintf("Tainted '%s' (file for %s transport)"
-- " not permitted", file, tblock->name);
-+ addr->message = m;
- return FALSE;
- }
- if (!(ff = Ufopen(file, "rb")) && !ob->file_optional)
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_09-pipe.patch b/mail/exim/files/debian/75_09-pipe.patch
deleted file mode 100644
index 0ec9bcfaed19..000000000000
--- a/mail/exim/files/debian/75_09-pipe.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From f9628406706112be459adb3f121db8e6cf282c2d Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Fri, 2 Apr 2021 17:30:27 +0200
-Subject: [PATCH 09/23] pipe
-
----
- src/transports/pipe.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/transports/pipe.c b/src/transports/pipe.c
-index 27422bd42..4c9e68beb 100644
---- a/src/transports/pipe.c
-+++ b/src/transports/pipe.c
-@@ -599,13 +599,16 @@ if (!cmd || !*cmd)
- tblock->name);
- return FALSE;
- }
--if (is_tainted(cmd))
-+
-+{ uschar *m;
-+if (m = is_tainted2(cmd, 0, "Tainted '%s' (command "
-+ "for %s transport) not permitted", cmd, tblock->name))
- {
-- addr->message = string_sprintf("Tainted '%s' (command "
-- "for %s transport) not permitted", cmd, tblock->name);
- addr->transport_return = PANIC;
-+ addr->message = m;
- return FALSE;
- }
-+}
-
- /* When a pipe is set up by a filter file, there may be values for $thisaddress
- and numerical the variables in existence. These are passed in
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_10-deliver.patch b/mail/exim/files/debian/75_10-deliver.patch
deleted file mode 100644
index ea4a54239e31..000000000000
--- a/mail/exim/files/debian/75_10-deliver.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 2fee91ae42e974c21202e0b5e17185f6a87bf8af Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Wed, 31 Mar 2021 23:12:44 +0200
-Subject: [PATCH 10/23] deliver
-
----
- src/deliver.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/src/deliver.c b/src/deliver.c
-index d85edd70e..8b7998f37 100644
---- a/src/deliver.c
-+++ b/src/deliver.c
-@@ -5538,10 +5538,11 @@ FILE * fp = NULL;
- if (!s || !*s)
- log_write(0, LOG_MAIN|LOG_PANIC,
- "Failed to expand %s: '%s'\n", varname, filename);
--else if (*s != '/' || is_tainted(s))
-- log_write(0, LOG_MAIN|LOG_PANIC,
-- "%s is not %s after expansion: '%s'\n",
-- varname, *s == '/' ? "untainted" : "absolute", s);
-+else if (*s != '/')
-+ log_write(0, LOG_MAIN|LOG_PANIC, "%s is not absolute after expansion: '%s'\n",
-+ varname, s);
-+else if (is_tainted2(s, LOG_MAIN|LOG_PANIC, "Tainted %s after expansion: '%s'\n", varname, s))
-+ ;
- else if (!(fp = Ufopen(s, "rb")))
- log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for %s "
- "message texts: %s", s, reason, strerror(errno));
-@@ -6148,12 +6149,13 @@ else if (system_filter && process_recipients != RECIP_FAIL_TIMEOUT)
- {
- uschar *tmp = expand_string(tpname);
- address_file = address_pipe = NULL;
-+ uschar *m;
- if (!tmp)
- p->message = string_sprintf("failed to expand \"%s\" as a "
- "system filter transport name", tpname);
-- if (is_tainted(tmp))
-- p->message = string_sprintf("attempt to used tainted value '%s' for"
-- "transport '%s' as a system filter", tmp, tpname);
-+ if (is_tainted2(tmp, 0, m = string_sprintf("Tainted values '%s' "
-+ "for transport '%s' as a system filter", tmp, tpname)))
-+ p->message = m;
- tpname = tmp;
- }
- else
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_11-directory.patch b/mail/exim/files/debian/75_11-directory.patch
deleted file mode 100644
index 4c3a68418c0b..000000000000
--- a/mail/exim/files/debian/75_11-directory.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 5f41e800ce9cc7ad154047298914df955e905bf4 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Thu, 1 Apr 2021 21:28:59 +0200
-Subject: [PATCH 11/23] directory
-
----
- src/directory.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/directory.c b/src/directory.c
-index 2d4d565f4..9f88f4141 100644
---- a/src/directory.c
-+++ b/src/directory.c
-@@ -44,6 +44,9 @@ uschar c = 1;
- struct stat statbuf;
- uschar * path;
-
-+if (is_tainted2(name, LOG_MAIN|LOG_PANIC, "Tainted path '%s' for new directory", name))
-+ { p = US"create"; path = US name; errno = EACCES; goto bad; }
-+
- if (parent)
- {
- path = string_sprintf("%s%s%s", parent, US"/", name);
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_12-expand.patch b/mail/exim/files/debian/75_12-expand.patch
deleted file mode 100644
index ebb099d284f2..000000000000
--- a/mail/exim/files/debian/75_12-expand.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From c02ea85f525ff256d78e084d6f76fe3032fd52e1 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Thu, 1 Apr 2021 21:33:50 +0200
-Subject: [PATCH 12/23] expand
-
----
- src/expand.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/expand.c b/src/expand.c
-index 05de94c49..21b86ebf5 100644
---- a/src/expand.c
-+++ b/src/expand.c
-@@ -4383,13 +4383,13 @@ DEBUG(D_expand)
- f.expand_string_forcedfail = FALSE;
- expand_string_message = US"";
-
--if (is_tainted(string))
-+{ uschar *m;
-+if (m = is_tainted2(string, LOG_MAIN|LOG_PANIC, "Tainted string '%s' in expansion", s))
- {
-- expand_string_message =
-- string_sprintf("attempt to expand tainted string '%s'", s);
-- log_write(0, LOG_MAIN|LOG_PANIC, "%s", expand_string_message);
-+ expand_string_message = m;
- goto EXPAND_FAILED;
- }
-+}
-
- while (*s != 0)
- {
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_13-lf_sqlperform.patch b/mail/exim/files/debian/75_13-lf_sqlperform.patch
deleted file mode 100644
index 67283a02676e..000000000000
--- a/mail/exim/files/debian/75_13-lf_sqlperform.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 9810dfc25d8b9687b46e57963a3ac30bf5c9b2c9 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Thu, 1 Apr 2021 21:36:12 +0200
-Subject: [PATCH 13/23] lf_sqlperform
-
----
- src/lookups/lf_sqlperform.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/src/lookups/lf_sqlperform.c b/src/lookups/lf_sqlperform.c
-index ad1df29d1..eda3089e2 100644
---- a/src/lookups/lf_sqlperform.c
-+++ b/src/lookups/lf_sqlperform.c
-@@ -102,11 +102,13 @@ if (Ustrncmp(query, "servers", 7) == 0)
- }
- }
-
-- if (is_tainted(server))
-- {
-- *errmsg = string_sprintf("%s server \"%s\" is tainted", name, server);
-+ { uschar *m;
-+ if (m = is_tainted2(server, 0, "Tainted %s server '%s'", name, server))
-+ {
-+ *errmsg = m;
- return DEFER;
- }
-+ }
-
- rc = (*fn)(ss+1, server, result, errmsg, &defer_break, do_cache, opts);
- if (rc != DEFER || defer_break) return rc;
-@@ -158,11 +160,13 @@ else
- server = ele;
- }
-
-- if (is_tainted(server))
-+ { uschar *m;
-+ if (is_tainted2(server, 0, "Tainted %s server '%s'", name, server))
- {
-- *errmsg = string_sprintf("%s server \"%s\" is tainted", name, server);
-+ *errmsg = m;
- return DEFER;
- }
-+ }
-
- rc = (*fn)(query, server, result, errmsg, &defer_break, do_cache, opts);
- if (rc != DEFER || defer_break) return rc;
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_14-rf_get_transport.patch b/mail/exim/files/debian/75_14-rf_get_transport.patch
deleted file mode 100644
index 9e8b69d3ad6a..000000000000
--- a/mail/exim/files/debian/75_14-rf_get_transport.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 015fff57c854184f8bce61476c46a2830a97daf8 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Fri, 2 Apr 2021 08:36:24 +0200
-Subject: [PATCH 14/23] rf_get_transport
-
----
- src/routers/rf_get_transport.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/src/routers/rf_get_transport.c b/src/routers/rf_get_transport.c
-index 4a43818ff..32bde9ec3 100644
---- a/src/routers/rf_get_transport.c
-+++ b/src/routers/rf_get_transport.c
-@@ -66,10 +66,8 @@ if (expandable)
- "\"%s\" in %s router: %s", tpname, router_name, expand_string_message);
- return FALSE;
- }
-- if (is_tainted(ss))
-+ if (is_tainted2(ss, LOG_MAIN|LOG_PANIC, "Tainted tainted value '%s' from '%s' for transport", ss, tpname))
- {
-- log_write(0, LOG_MAIN|LOG_PANIC,
-- "attempt to use tainted value '%s' from '%s' for transport", ss, tpname);
- addr->basic_errno = ERRNO_BADTRANSPORT;
- /* Avoid leaking info to an attacker */
- addr->message = US"internal configuration error";
---
-2.30.2
-
diff --git a/mail/exim/files/debian/75_15-deliver.patch b/mail/exim/files/debian/75_15-deliver.patch
deleted file mode 100644
index 0c2ca2772d10..000000000000
--- a/mail/exim/files/debian/75_15-deliver.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2bafe3fc82cf62f0c21f939f5891b8d067f3abc7 Mon Sep 17 00:00:00 2001
-From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
-Date: Sat, 3 Apr 2021 10:54:22 +0200
-Subject: [PATCH 15/23] deliver
-
----
- src/deliver.c | 5 +++--
- test/paniclog/0622 | 2 +-
- test/stderr/0622 | 2 +-
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/deliver.c b/src/deliver.c
-index 8b7998f37..87e944b03 100644
---- a/src/deliver.c
-+++ b/src/deliver.c
-@@ -6153,9 +6153,10 @@ else if (system_filter && process_recipients != RECIP_FAIL_TIMEOUT)
- if (!tmp)
*** 2847 LINES SKIPPED ***