Prereq: "3.11.2" diff -ur --new-file /var/tmp/postfix-3.11.2/src/global/mail_version.h ./src/global/mail_version.h --- /var/tmp/postfix-3.11.2/src/global/mail_version.h 2026-05-01 14:59:09.000000000 -0400 +++ ./src/global/mail_version.h 2026-05-15 14:26:45.000000000 -0400 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20260501" -#define MAIL_VERSION_NUMBER "3.11.2" +#define MAIL_RELEASE_DATE "20260515" +#define MAIL_VERSION_NUMBER "3.11.3" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -ur --new-file /var/tmp/postfix-3.11.2/HISTORY ./HISTORY --- /var/tmp/postfix-3.11.2/HISTORY 2026-05-01 19:45:50.000000000 -0400 +++ ./HISTORY 2026-05-15 13:47:50.000000000 -0400 @@ -30661,3 +30661,37 @@ Missing or incomplete guards for ssize_t or int overflow, found by Claude Opus 4.6. Files: util/argv.c, util/netstring.c, util/vbuf_print.c. + +20260507 + + Fix for 'uninitialized value' error. Viktor Dukhovni. File: + auxiliary/collate/collate.pl. + +20260508 + + Claude AI finding: signed integer overshift (util/vstring.h). + Brought to our attention by Robert Sayre. + +20260509 + + Bitrot fixes: deprecation warning with OpenSSL 4.0 + (tls/tls_dane.c); race condition fix in a test script + (tls/tls_dane.sh). Viktor Dukhovni. + +20260513 + + Bitrot: builds with musl libc were using the obsolete + NO_SNPRINTF code path in vbuf_print.c. File: util/sys_defs.h. + +20260514 + + Bitrot: the obsolete NO_SNPRINTF code path in vbuf_print.c + wasn't updated for Claude Code findings. File: util/vbuf_print.c. + +20250515 + + Portability: The __MAXINT__(T) macro, to determine the + maximal signed value for objects of type T, was using + implementation-defined behavior (shift one bit into the + sign position). This works today but may break later. + Reported by Kamil Frankowicz. File: util/sys_defs.h. diff -ur --new-file /var/tmp/postfix-3.11.2/auxiliary/collate/collate.pl ./auxiliary/collate/collate.pl --- /var/tmp/postfix-3.11.2/auxiliary/collate/collate.pl 2022-02-11 16:56:54.000000000 -0500 +++ ./auxiliary/collate/collate.pl 2026-05-15 13:41:33.000000000 -0400 @@ -122,8 +122,7 @@ if (defined($transaction{$qid})) { $transaction{$qid} .= $_; } - $transaction{$newid} = - $_ . $transaction{$newid}; + $transaction{$newid} = $_ . ($transaction{$newid} // ""); $seqno{$newid} = ++$i if (! exists $seqno{$newid}); } next; diff -ur --new-file /var/tmp/postfix-3.11.2/src/tls/tls_dane.c ./src/tls/tls_dane.c --- /var/tmp/postfix-3.11.2/src/tls/tls_dane.c 2025-11-13 16:15:08.000000000 -0500 +++ ./src/tls/tls_dane.c 2026-05-15 13:43:35.000000000 -0400 @@ -1356,7 +1356,7 @@ SSL_dane_set_flags(tctx->con, DANE_FLAG_NO_DANE_EE_NAMECHECKS); SSL_dane_set_flags(tctx->con, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); for (i = 7; i < argc; ++i) - if (!SSL_add1_host(tctx->con, argv[i])) + if (!TLS_ADD1_HOST(tctx->con, argv[i])) msg_fatal("error adding hostname: %s", argv[i]); load_tlsa_args(tctx->con, argv); SSL_set_connect_state(tctx->con); diff -ur --new-file /var/tmp/postfix-3.11.2/src/tls/tls_dane.sh ./src/tls/tls_dane.sh --- /var/tmp/postfix-3.11.2/src/tls/tls_dane.sh 2025-11-13 16:07:13.000000000 -0500 +++ ./src/tls/tls_dane.sh 2026-05-15 13:43:35.000000000 -0400 @@ -51,6 +51,7 @@ local akid=$1; shift exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true") + key "$key" req "$key" "$cn" | cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days 30 } @@ -65,6 +66,7 @@ local cakey=$1; shift exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true") + key "$key" req "$key" "$cn" | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days 30 "$@" @@ -83,6 +85,7 @@ "basicConstraints = CA:false" \ "extendedKeyUsage = serverAuth" \ "subjectAltName = @alts" "DNS=${cn}") + key "$key" req "$key" "$cn" | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days 30 "$@" @@ -99,6 +102,7 @@ "basicConstraints = CA:true" \ "extendedKeyUsage = serverAuth" \ "subjectAltName = @alts" "DNS=${cn}") + key "$key" req "$key" "$cn" | cert "$cert" "$exts" -set_serial 1 -days 30 -signkey "${key}.pem" "$@" } @@ -107,8 +111,9 @@ local key=$1; shift local cert=$1; shift + key "$key" req_nocn "$key" | - cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@" + cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days 0 "$@" } runtest() { diff -ur --new-file /var/tmp/postfix-3.11.2/src/util/sys_defs.h ./src/util/sys_defs.h --- /var/tmp/postfix-3.11.2/src/util/sys_defs.h 2026-05-01 14:55:47.000000000 -0400 +++ ./src/util/sys_defs.h 2026-05-15 13:31:55.000000000 -0400 @@ -797,8 +797,6 @@ #if HAVE_GLIBC_API_VERSION_SUPPORT(2, 1) #define SOCKADDR_SIZE socklen_t #define SOCKOPT_SIZE socklen_t -#else -#define NO_SNPRINTF #endif #ifndef NO_IPV6 #define HAS_IPV6 @@ -1709,13 +1707,15 @@ /* * Bit banging!! There is no official constant that defines the INT_MAX - * equivalent for off_t, ssize_t, etc. Wietse came up with the following - * macro that works as long as off_t, ssize_t, etc. use one's or two's - * complement logic (that is, the maximum value is binary 01...1). Don't use - * right-shift for signed types: the result is implementation-defined. + * equivalent for off_t, ssize_t, etc. Decades ago, Wietse came up with a + * macro that worked on one's or two's complement logic (that is, the + * maximum value is binary 01...1). As Kamil Frankowicz pointed out, that + * code relied on shifting into the sign bit, which is not defined in the + * language standard. The current version still works on one's and two's + * complement logic, but avoids the undefined behavior. */ #include -#define __MAXINT__(T) ((T) ~(((T) 1) << ((sizeof(T) * CHAR_BIT) - 1))) +#define __MAXINT__(T) ((((T) 1 << (sizeof(T) * CHAR_BIT - 2)) - 1) * 2 + 1) #ifndef OFF_T_MAX #define OFF_T_MAX __MAXINT__(off_t) #endif diff -ur --new-file /var/tmp/postfix-3.11.2/src/util/vbuf_print.c ./src/util/vbuf_print.c --- /var/tmp/postfix-3.11.2/src/util/vbuf_print.c 2026-05-01 14:53:40.000000000 -0400 +++ ./src/util/vbuf_print.c 2026-05-15 13:31:55.000000000 -0400 @@ -129,8 +129,11 @@ VBUF_SKIP(bp); \ } while (0) #else -#define VBUF_SNPRINTF(bp, sz, fmt, arg) do { \ - if (VBUF_SPACE((bp), (sz)) != 0) \ +#define VBUF_SNPRINTF(bp, width_or_prec, type_space, fmt, arg) do { \ + if ((width_or_prec) > INT_MAX - (type_space)) \ + msg_panic("vbuf_print: field width (%d + %lu) > INT_MAX", \ + (width_or_prec), (unsigned long) (type_space)); \ + if (VBUF_SPACE((bp), (width_or_prec) + (type_space)) != 0) \ return (bp); \ sprintf((char *) (bp)->ptr, (fmt), (arg)); \ VBUF_SKIP(bp); \ diff -ur --new-file /var/tmp/postfix-3.11.2/src/util/vstring.h ./src/util/vstring.h --- /var/tmp/postfix-3.11.2/src/util/vstring.h 2020-09-25 16:41:00.000000000 -0400 +++ ./src/util/vstring.h 2026-05-15 13:34:48.000000000 -0400 @@ -62,7 +62,7 @@ /* Flags 24..31 are reserved for VSTRING. */ #define VSTRING_FLAG_EXACT (1<<24) /* exact allocation for tests */ -#define VSTRING_FLAG_MASK (255 << 24) +#define VSTRING_FLAG_MASK (255U << 24) /* * Macros. Unsafe macros have UPPERCASE names.