From 85c9f94c97ee4c7081a0df5f1318b39b5811c33b Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Fri, 24 Nov 2017 08:18:51 +0100
Subject: [PATCH] add fixes for SA bugs 7226 and 7212
---
debian/patches/dkim_subdomains | 64 +++++++++++++++++++++++++
debian/patches/fix-uninitialized-concat | 25 ++++++++++
debian/patches/series | 2 +
3 files changed, 91 insertions(+)
create mode 100644 debian/patches/dkim_subdomains
create mode 100644 debian/patches/fix-uninitialized-concat
diff --git a/debian/patches/dkim_subdomains b/debian/patches/dkim_subdomains
new file mode 100644
index 0000000..cb2cbdc
--- /dev/null
+++ b/debian/patches/dkim_subdomains
@@ -0,0 +1,64 @@
+Description: Support signer subdomain matching in whitelist_from_dkim
+Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1693414
+Bug: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7226
+Index: spamassassin-3.4.1/lib/Mail/SpamAssassin/Plugin/DKIM.pm
+===================================================================
+--- spamassassin-3.4.1.orig/lib/Mail/SpamAssassin/Plugin/DKIM.pm
++++ spamassassin-3.4.1/lib/Mail/SpamAssassin/Plugin/DKIM.pm
+@@ -178,13 +178,18 @@ sub set_config {
+
+ Works similarly to whitelist_from, except that in addition to matching
+ an author address (From) to the pattern in the first parameter, the message
+-must also carry a Domain Keys Identified Mail (DKIM) signature made by a
+-signing domain (SDID, i.e. the d= tag) that is acceptable to us.
++must also carry a valid Domain Keys Identified Mail (DKIM) signature made by
++a signing domain (SDID, i.e. the d= tag) that is acceptable to us.
+
+ Only one whitelist entry is allowed per line, as in C.
+ Multiple C lines are allowed. File-glob style characters
+ are allowed for the From address (the first parameter), just like with
+-C. The second parameter does not accept wildcards.
++C.
++
++The second parameter (the signing-domain) does not accept full file-glob style
++wildcards, although a simple '*.' (or just a '.') prefix to a domain name
++is recognized and implies any subdomain of the specified domain (but not
++the domain itself).
+
+ If no signing-domain parameter is specified, the only acceptable signature
+ will be an Author Domain Signature (sometimes called first-party signature)
+@@ -205,7 +210,8 @@ Examples of whitelisting based on third-
+ whitelist_from_dkim jane@example.net example.org
+ whitelist_from_dkim rick@info.example.net example.net
+ whitelist_from_dkim *@info.example.net example.net
+- whitelist_from_dkim *@* remailer.example.com
++ whitelist_from_dkim *@* mail7.remailer.example.com
++ whitelist_from_dkim *@* *.remailer.example.com
+
+ =item def_whitelist_from_dkim author@example.com [signing-domain]
+
+@@ -376,7 +382,8 @@ some valid signature on a message has no
+ associated with a particular domain), regardless of its key size - anyone can
+ prepend its own signature on a copy of some third party mail and re-send it,
+ which makes it no more trustworthy than without such signature. This is also
+-a reason for a rule DKIM_VALID to have a near-zero score.
++a reason for a rule DKIM_VALID to have a near-zero score, i.e. a rule hit
++is only informational.
+
+ =cut
+
+@@ -1257,8 +1264,12 @@ sub _wlcheck_list {
+ # identity (AUID). Nevertheless, be prepared to accept the full e-mail
+ # address there for compatibility, and just ignore its local-part.
+
+- $acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/;
+- $matches = 1 if $sdid eq lc $acceptable_sdid;
++ $acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/s;
++ if ($acceptable_sdid =~ s/^\*?\.//s) {
++ $matches = 1 if $sdid =~ /\.\Q$acceptable_sdid\E\z/si;
++ } else {
++ $matches = 1 if $sdid eq lc $acceptable_sdid;
++ }
+ }
+ if ($matches) {
+ if (would_log("dbg","dkim")) {
diff --git a/debian/patches/fix-uninitialized-concat b/debian/patches/fix-uninitialized-concat
new file mode 100644
index 0000000..1c62c99
--- /dev/null
+++ b/debian/patches/fix-uninitialized-concat
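Review bot: The wildcard branch in the `_wlcheck_list` hunk strips the `*.`/`.` prefix with `s/^\*?\.//s`, which edits `$acceptable_sdid` itself and, unlike the local-part strip on the line above it, is not idempotent. If that variable is a loop alias of the stored whitelist entry (the enclosing loops are outside the hunk, so this needs confirming), a later pass over the same entry would see the bare domain and take the exact-match branch, silently changing which signers the entry trusts. Matching without mutation avoids that: `if ($acceptable_sdid =~ /^\*?\.(.+)\z/s) { my $suffix = $1; $matches = 1 if $sdid =~ /\.\Q$suffix\E\z/si; }`. Requiring `.+` also keeps an entry of just `.` or `*.` from producing the empty-suffix pattern `/\.\z/`. The added POD could also state that the subdomain form matches at any depth, since `*@*` combined with `*.domain` extends whitelisting to every signer under that domain.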
@@ -0,0 +1,25 @@
+Description: Import upstream fix for uninitialized value warning in Mail::SpamAssassin::PerMsgStatus::get_names_of_tests_hit_with_scores()
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1685843
+Bug: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7212
+Index: spamassassin-3.4.1/lib/Mail/SpamAssassin/PerMsgStatus.pm
+===================================================================
+--- spamassassin-3.4.1.orig/lib/Mail/SpamAssassin/PerMsgStatus.pm
++++ spamassassin-3.4.1/lib/Mail/SpamAssassin/PerMsgStatus.pm
+@@ -738,7 +738,7 @@ test names and individual scores of the
+ sub get_names_of_tests_hit_with_scores_hash {
+ my ($self) = @_;
+
+- my ($line, %testsscores);
++ my (%testsscores);
+
+ #BASED ON CODE FOR TESTSSCORES TAG - KAM 2014-04-24
+ foreach my $test (@{$self->{test_names_hit}}) {
+@@ -763,6 +763,8 @@ sub get_names_of_tests_hit_with_scores {
+
+ my ($line, %testsscores);
+
++ $line = '';
++
+ #BASED ON CODE FOR TESTSSCORES TAG - KAM 2014-04-24
+ foreach my $test (sort @{$self->{test_names_hit}}) {
+ my $score = $self->{conf}->{scores}->{$test};
diff --git a/debian/patches/series b/debian/patches/series
index 8499824..66651c5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@ disable-dkim.patch
 bug_835494_perl_INC
 bug_760277_net_dns_URIDNSBL
 bug_821385_dnsresolver
+dkim_subdomains
+fix-uninitialized-concat
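Review bot: The `Origin:` header of debian/patches/fix-uninitialized-concat omits the `upstream,` category that debian/patches/dkim_subdomains carries, so the two patch headers are inconsistent; `Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1685843` would match. In the inner hunk for `get_names_of_tests_hit_with_scores`, `$line` is declared in `my ($line, %testsscores);` and only assigned two lines later; `my $line = '';` at the declaration is tighter, though keeping the upstream text verbatim is a defensible choice for an imported fix. Both function bodies continue outside the hunk, so whether `%testsscores` is still used there cannot be judged from here.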