Hi all,

We noticed the branch "hs/qualys-2020" and reviewed the patches. We just
have three comments and one question:

========================================================================
commit 4f0ac4ad70d38a13fb3f248c3ae2b66b0e1fe7d3

    Safeguard against relative names for msglog files.

Is there a reason for the extra "&& (p == filename || *(p-1) == '/')"?

Because of this extra condition, our exploit against CVE-2019-15846 for
example would work despite this patch: we overwrite the message id (the
argument for deliver_message()) with "/../../../../../../../etc/passwd"
but depending on the alignment of our memory corruption, the beginning
of id can be "./../../" (for example) and:

- (p = Ustrstr(filename, US"/../")) is true;

- (p == filename) is false, because filename always starts with
  spool_directory, an absolute path;

- (*(p-1) == '/') is false, because the character before the first
  "/../" is '.';

as a result, log_write(LOG_PANIC_DIE) is not called and we can modify
/etc/passwd.

========================================================================
commit e5cb5e615a63a4c97d3e2e88903eaaadfb254bcb

    Check overrun rcpt_count integer

      if (rcpt_count+1 < 0

Actually, such a signed integer overflow is undefined behavior in C and
an optimizing compiler may therefore remove this check completely (some
do). The check should be made against INT_MAX (before the int overflow)
and should be made earlier, when rcpt_count is incremented (at the very
beginning of the case RCPT_CMD): otherwise, rcpt_count can be increased
without going through the recipients_max check (e.g., via the breaks in
"if (sender_address == NULL)" and "if (!recipient_domain)").

========================================================================
commit 54895bc3ffdf5ecebcbafb2e6041fa52d6f5e5fb

    smtp_out: Leave a clean input buffer, even in case of read error

+      inblock->ptr = ptr;
       return -1;
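Review bot: the other `return -1` in this function (the one the reviewers point at in the next paragraph) would still exit without setting `inblock->ptr`, so the fix as shown covers only one of the two error exits. Rather than duplicating `inblock->ptr = ptr;` in front of each return, route both failures through one exit label, for example `goto fail;` to a block that does `inblock->ptr = ptr; return -1;`, so the buffer reset cannot be missed on the second path or on any exit added later.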

There is another return -1 in this function, should it also get fixed?
Or maybe a common error codepath should be added instead?

========================================================================

We saw 20-patches2.txt.gpg in cve-2020-qualys/ and just in case: did you
also receive/read patches1.txt?

========================================================================

Thank you very much for all your work on Exim! We are at your disposal
for questions, comments, and further discussions.

With best regards,

-- 
the Qualys Security Advisory team
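As an added example that is not part of the Qualys message and not Exim's own code, the following C program demonstrates the two input-validation points raised above: the msglog path check, where a "/../" test anchored on the preceding character misses "./../", against a check that rejects any ".." path component; and the recipient counter, where the overflow test is made against INT_MAX before the addition and the configured maximum is enforced at the same point. The spool path, the "msglog/<id>" layout, the sample message ids and the "0 means unlimited" convention for the maximum are all constructed for this demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Exim's spool_directory; the real value is a
   configured absolute path, this one exists only for the demonstration. */
static const char *spool_directory = "/var/spool/exim";

/* Build the msglog file name the way the message describes it: the
   absolute spool directory followed by the message id (hypothetical layout). */
static void build_msglog_path(char *out, size_t n, const char *message_id)
{
    snprintf(out, n, "%s/msglog/%s", spool_directory, message_id);
}

/* The check in the shape the message quotes: a "/../" counts only when it
   sits at the start of the string or directly after another '/'. */
static bool quoted_check_rejects(const char *filename)
{
    const char *p = strstr(filename, "/../");
    return p != NULL && (p == filename || *(p - 1) == '/');
}

/* Component-wise check: split the path on '/' and reject as soon as any
   component is exactly "..". "./../x", "a/../x" and "/../x" are all caught;
   "..a" and "a.." are not ".." and pass. */
static bool path_has_parent_ref(const char *filename)
{
    const char *s = filename;
    for (;;) {
        const char *end = strchr(s, '/');
        size_t len = end ? (size_t)(end - s) : strlen(s);
        if (len == 2 && s[0] == '.' && s[1] == '.')
            return true;
        if (!end)
            return false;
        s = end + 1;
    }
}

/* Increment a recipient counter without signed overflow: compare against
   INT_MAX before adding, and apply the configured maximum in the same
   place so no code path can bump the counter past it. recipients_max == 0
   means "no limit" here (a convention chosen for this example). */
static bool rcpt_count_increment(int *rcpt_count, int recipients_max)
{
    if (*rcpt_count >= INT_MAX)
        return false;                     /* next increment would overflow */
    if (recipients_max > 0 && *rcpt_count + 1 > recipients_max)
        return false;                     /* over the configured limit */
    (*rcpt_count)++;
    return true;
}

int main(void)
{
    /* Constructed ids: a benign one and the two shapes discussed above. */
    const char *ids[] = {
        "1kAbCd-000123-AB",
        "/../../../../../../../etc/passwd",
        "./../../../../../../../etc/passwd",
    };
    char path[256];
    for (size_t i = 0; i < 3; i++) {
        build_msglog_path(path, sizeof path, ids[i]);
        printf("%-60s quoted-check:%d component-check:%d\n", path,
               quoted_check_rejects(path), path_has_parent_ref(path));
    }
    int n = INT_MAX - 1;
    printf("increment from INT_MAX-1: %d (n=%d)\n", rcpt_count_increment(&n, 0), n);
    printf("increment from INT_MAX:   %d (n=%d)\n", rcpt_count_increment(&n, 0), n);
    return 0;
}
```

Running it shows the middle id rejected by both checks, the last id rejected only by the component-wise check, and the counter stopping at INT_MAX without ever evaluating an overflowing expression.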