From 6620b5a4f415884d2cfaf1efde6d01af8216d5f6 Mon Sep 17 00:00:00 2001
From: technology208
Date: Thu, 11 Jul 2024 14:17:22 +0800
Subject: [PATCH] fix CVE-2022-3559

---
 CVE-2022-3559.patch | 136 ++++++++++++++++++++++++++++++++++++++++++++
 exim.spec | 6 +-
 2 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-3559.patch

diff --git a/CVE-2022-3559.patch b/CVE-2022-3559.patch
new file mode 100644
index 0000000..67299f9
--- /dev/null
+++ b/CVE-2022-3559.patch
@@ -0,0 +1,136 @@
+From 8bb1858b231ee90a76e21c9af2529044ac9c42e5 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Thu, 11 Jul 2024 14:00:53 +0800
+Subject: [PATCH] Fix $regex use-after-free. Bug 2915
+
+---
+ src/exim.c | 3 +--
+ src/expand.c | 2 +-
+ src/functions.h | 2 ++
+ src/globals.c | 2 +-
+ src/regex.c | 16 ++++++++++++----
+ src/smtp_in.c | 3 +++
+ 6 files changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/src/exim.c b/src/exim.c
+index fd01d13..ac6682f 100644
+--- a/src/exim.c
++++ b/src/exim.c
+@@ -2001,7 +2001,6 @@ regex_whitelisted_macro =
+ regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
+ #endif
+ 
+-for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
+ 
+ /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
+ this seems to be a generally accepted convention, since one finds symbolic
+@@ -6084,7 +6083,7 @@ MORELOOP:
+ deliver_localpart_data = deliver_domain_data =
+ recipient_data = sender_data = NULL;
+ acl_var_m = NULL;
+- for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
++ regex_vars_clear();
+ 
+ store_reset(reset_point);
+ }
+diff --git a/src/expand.c b/src/expand.c
+index 36c9f42..466733f 100644
+--- a/src/expand.c
++++ b/src/expand.c
+@@ -1873,7 +1873,7 @@ else if (Ustrncmp(name, "r_", 2) == 0)
+ return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
+ }
+ 
+-/* Handle $auth variables. */
++/* Handle $auth, $regex variables. */
+ 
+ if (Ustrncmp(name, "auth", 4) == 0)
+ {
+diff --git a/src/functions.h b/src/functions.h
+index 224666c..b82edcd 100644
+--- a/src/functions.h
++++ b/src/functions.h
+@@ -438,6 +438,8 @@ extern int regex(const uschar **);
+ extern BOOL regex_match(const pcre2_code *, const uschar *, int, uschar **);
+ extern BOOL regex_match_and_setup(const pcre2_code *, const uschar *, int, int);
+ extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL);
++extern void regex_vars_clear(void);
++
+ extern void retry_add_item(address_item *, uschar *, int);
+ extern BOOL retry_check_address(const uschar *, host_item *, uschar *, BOOL,
+ uschar **, uschar **);
+diff --git a/src/globals.c b/src/globals.c
+index b9dfbbb..f3d9c76 100644
+--- a/src/globals.c
++++ b/src/globals.c
+@@ -1319,7 +1319,7 @@ const pcre2_code *regex_EARLY_PIPE = NULL;
+ #endif
+ const pcre2_code *regex_ismsgid = NULL;
+ const pcre2_code *regex_smtp_code = NULL;
+-const uschar *regex_vars[REGEX_VARS];
++const uschar *regex_vars[REGEX_VARS] = { 0 };
+ #ifdef WHITELIST_D_MACROS
+ const pcre2_code *regex_whitelisted_macro = NULL;
+ #endif
+diff --git a/src/regex.c b/src/regex.c
+index 5c0f7c4..922e365 100644
+--- a/src/regex.c
++++ b/src/regex.c
+@@ -96,6 +96,15 @@ pcre2_match_data_free(md);
+ return FAIL;
+ }
+ 
++/* reset expansion variables */
++void
++regex_vars_clear(void)
++{
++ regex_match_string = NULL;
++ for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
++}
++
++
+ int
+ regex(const uschar **listptr)
+ {
+@@ -103,11 +112,11 @@ unsigned long mbox_size;
+ FILE *mbox_file;
+ pcre_list *re_list_head;
+ uschar *linebuffer;
++
+ long f_pos = 0;
+ int ret = FAIL;
+ 
+-/* reset expansion variable */
+-regex_match_string = NULL;
++regex_vars_clear();
+ 
+ if (!mime_stream) /* We are in the DATA ACL */
+ {
+@@ -175,8 +184,7 @@ uschar *mime_subject = NULL;
+ int mime_subject_len = 0;
+ int ret;
+ 
+-/* reset expansion variable */
+-regex_match_string = NULL;
++regex_vars_clear();
+ 
+ /* precompile our regexes */
+ if (!(re_list_head = compile(*listptr)))
+diff --git a/src/smtp_in.c b/src/smtp_in.c
+index edb0adf..34e6865 100644
+--- a/src/smtp_in.c
++++ b/src/smtp_in.c
+@@ -2157,7 +2157,10 @@ prdr_requested = FALSE;
+ #ifdef SUPPORT_I18N
+ message_smtputf8 = FALSE;
+ #endif
++regex_vars_clear();
++
+ body_linecount = body_zerocount = 0;
++lookup_value = NULL; /* Can be set by ACL */
+ 
+ sender_rate = sender_rate_limit = sender_rate_period = NULL;
+ ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */
+-- 
+2.27.0
+
diff --git a/exim.spec b/exim.spec
index 51a3ce2..55bdeec 100644
--- a/exim.spec
+++ b/exim.spec
@@ -4,7 +4,7 @@ Summary: The exim mail transfer agent
 Name: exim
 Version: 4.96
-Release: 2
+Release: 3
 License: GPLv2+
 Url: https://www.exim.org/
@@ -44,6 +44,7 @@ Patch4: exim-4.96-opendmarc-1.4-build-fix.patch
 # https://bugs.exim.org/show_bug.cgi?id=2899
 Patch5: exim-4.96-build-fix.patch
 Patch6: CVE-2023-51766.patch
+Patch7: CVE-2022-3559.patch
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: setup
@@ -483,6 +484,9 @@ fi
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 %changelog
+* Thu Jul 11 2024 technology208 - 4.96-3
+- Fix CVE-2022-3559
+
 * Tue Jul 9 2024 technology208 - 4.96-2
 - Fix CVE-2023-51766
-- 
Gitee
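Review bot: The new `regex_vars_clear()` calls in the exim.c MORELOOP hunk and in the smtp_in.c hunk are unconditional, while the definition is placed in src/regex.c immediately before `regex()`; if that file, or that region of it, is compiled only under WITH_CONTENT_SCAN, a build without content scanning will compile (the functions.h prototype is also unconditional) but fail at link time, so either wrap those two calls in `#ifdef WITH_CONTENT_SCAN` / `#endif` or move the helper outside the conditional region — this needs confirming against the full regex.c, which is outside the hunk. The added `lookup_value = NULL; /* Can be set by ACL */` in the smtp_in.c hunk is not covered by the embedded patch's subject ("Fix $regex use-after-free. Bug 2915"); it resets separate ACL-visible state and should be named in the description so the backport's scope is clear to whoever audits it. The enclosing functions of both call sites start and end outside the hunks.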
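Review bot: The second exim.spec hunk registers `Patch7: CVE-2022-3559.patch` but nothing in the diff applies it; unless the %prep section uses `%autosetup` or `%autopatch`, a matching `%patch7 -p1` line is required after the existing patch applications, otherwise the 4.96-3 build ships without the fix its changelog entry claims. The %prep section is outside the hunks, so this must be checked against the full spec. Following the style of the comment above Patch5, a `# https://bugs.exim.org/show_bug.cgi?id=2915` line above `Patch7:` would let later maintainers trace the backport, which is worth doing here because the embedded patch carries a 2024 +0800 Date header rather than the upstream fix's own date, suggesting it was re-created locally.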