Your message dated Sun, 31 Jan 2021 19:02:07 +0000
with message-id <e1l6hz5-000fno...@fasolo.debian.org>
and subject line Bug#977782: fixed in postsrsd 1.5-2+deb10u1
has caused the Debian Bug report #977782,
regarding buster-pu: package postsrsd/1.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
977782: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977782
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Upstream recently discovered a potential remote denial-of-service attack in 
postsrsd (CVE-2020-35573) [1]. Fortunately, this issue is currently not 
exploitable in Debian due to gcc optimizing the problematic loop away. Thus, the 
security team has decided not to issue a DSA [2], but instead suggested to fix it 
through a stable update.

This issue is already fixed in postsrsd/1.10-1 in unstable and testing.

I've prepared a backport of the one-line fix to stable, and attached the source 
debdiff. I've verified that this doesn't break anything and the package still 
works properly.

Cheers,
Oxan

[1] https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac
[2] https://security-tracker.debian.org/tracker/CVE-2020-35573

diff -Nru postsrsd-1.5/debian/changelog postsrsd-1.5/debian/changelog
--- postsrsd-1.5/debian/changelog       2019-02-23 14:27:44.000000000 +0100
+++ postsrsd-1.5/debian/changelog       2020-12-19 01:36:37.000000000 +0100
@@ -1,3 +1,11 @@
+postsrsd (1.5-2+deb10u1) buster; urgency=medium
+
+  * CVE-2020-35573: Ensure timestamp tags aren't too long before trying to
+    decode them, to protect against a potential denial-of-service attack
+    (backported from upstream commit 4733fb1).
+
+ -- Oxan van Leeuwen <o...@oxanvanleeuwen.nl>  Sat, 19 Dec 2020 01:36:37 +0100
+
 postsrsd (1.5-2) unstable; urgency=medium
 
   * Increase hashlength for unit tests (cherry-picked from upstream db9ed58)
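Review bot: "aren't too long" in the new changelog stanza understates the check it describes; the patch rejects any timestamp tag whose length is not exactly 2, so an empty or one-character tag is refused as well. Saying "are exactly two characters long" keeps the changelog in step with the code. The .changes for the uploaded package also carries "Closes: #977782" on this entry while the stanza in the debdiff does not; adding it here lets the bug close automatically on accept instead of by hand.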
diff -Nru 
postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
 
postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
--- 
postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
 2020-12-19 01:36:37.000000000 +0100
@@ -0,0 +1,29 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <t...@gaussglocke.de>
+Date: Sat, 12 Dec 2020 10:42:28 +0100
+Subject: SECURITY: Fix potential denial of service attack against PostSRSd
+
+I discovered that PostSRSd could be tricked into consuming a lot of CPU
+time with an SRS address that has an excessively long time stamp tag,
+e.g.
+
+SRS0=HHHH=TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT=0...@example.com
+
+(cherry picked from commit 4733fb11f6bec6524bb8518c5e1a699288c26bac)
+
+Fixes CVE-2020-35573.
+---
+ srs2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/srs2.c b/srs2.c
+index b07a664..6a2eebb 100644
+--- a/srs2.c
++++ b/srs2.c
+@@ -230,6 +230,7 @@ srs_timestamp_check(srs_t *srs, const char *stamp)
+       time_t           now;
+       time_t           then;
+ 
++      if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE;
+       /* We had better go around this loop exactly twice! */
+       then = 0;
+       for (sp = stamp; *sp; sp++) {
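Review bot: the added guard returns SRS_ETIMESTAMPOUTOFDATE for a stamp of the wrong length, which reports a malformed tag as an expired one, so a caller or a log reader cannot tell a forged or corrupted address from a stale one. If libsrs2's error set already has a value for a bad timestamp, returning that would be more accurate; if not, keeping the upstream choice has the advantage that the backport is byte-for-byte the same as commit 4733fb1, which is worth stating in the patch header. Minor placement point: the guard sits above the comment "We had better go around this loop exactly twice!" that it now enforces; putting it just below that comment, or amending the comment to say the length is checked first, keeps the explanation next to the check. The guard is placed correctly otherwise: it runs on the raw string before any decoding, so the loop that follows can no longer be driven by an attacker-chosen tag length.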
diff -Nru postsrsd-1.5/debian/patches/series postsrsd-1.5/debian/patches/series
--- postsrsd-1.5/debian/patches/series  2019-02-23 14:27:44.000000000 +0100
+++ postsrsd-1.5/debian/patches/series  2020-12-19 01:36:37.000000000 +0100
@@ -1,3 +1,4 @@
 0001-Adapt-init-scripts-for-Debian-practices.patch
 0002-Increase-hash-length-for-unit-tests.patch
 0003-Hook-up-endianness-sizeof-long-detection-code-in-SHA.patch
+0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch

--- End Message ---
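Added example, not code from the bug report, the debdiff or the postsrsd/libsrs2 sources: a length-guarded SRS timestamp check in C in the shape of libsrs2's srs_timestamp_check(), plus a small extractor for the timestamp field of an SRS0 address of the form used in the patch description. The base32 alphabet, one-day precision, 1024-day window, 21-day maxage and the names SRS_SUCCESS, SRS_EBADTIMESTAMPCHAR and SRS_ETIMESTAMPOUTOFDATE are assumed from libsrs2; SRS_EBADTIMESTAMPLEN, srs_timestamp_check_at, srs0_timestamp_field and srs0_check are names introduced here, only '=' is accepted as separator, and the addresses and clock values are constructed. It goes a little beyond the one-line fix: the length guard runs before any decoding, the extractor refuses an overlong tag before copying it, and the age is computed modulo the window rather than by looping until the clock catches up.

```c
/* Added example: length-guarded SRS timestamp check. Constants and the three
 * SRS_* error names are assumed from libsrs2 (not shown on this page);
 * SRS_EBADTIMESTAMPLEN is a hypothetical name introduced here so that a
 * malformed tag is not reported as an expired one. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SRS_TIME_BASECHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  /* base32 alphabet */
#define SRS_TIME_BASEBITS  5
#define SRS_TIME_PRECISION (60 * 60 * 24)                      /* one tick per day */
#define SRS_TIME_SIZE      (1 << (2 * SRS_TIME_BASEBITS))       /* two chars: 1024 days */
#define SRS_MAXAGE_DAYS    21

enum {
    SRS_SUCCESS             =  0,
    SRS_EBADTIMESTAMPCHAR   = -1,
    SRS_ETIMESTAMPOUTOFDATE = -2,
    SRS_EBADTIMESTAMPLEN    = -3   /* hypothetical: tag is not exactly two chars */
};

/* Encode the day counter of 'now' as the two-character SRS timestamp tag. */
void srs_timestamp_create(char out[3], time_t now)
{
    time_t day = (now / SRS_TIME_PRECISION) % SRS_TIME_SIZE;
    out[0] = SRS_TIME_BASECHARS[(day >> SRS_TIME_BASEBITS) & 31];
    out[1] = SRS_TIME_BASECHARS[day & 31];
    out[2] = '\0';
}

/* Validate a tag against a caller-supplied clock. The length guard runs
 * before any decoding, so an attacker-chosen tag can never drive the decoder
 * past two iterations; the age is then computed with modular arithmetic
 * instead of by advancing the clock in a loop until it catches up. */
int srs_timestamp_check_at(const char *stamp, time_t now, int maxage)
{
    const char *sp;
    time_t then = 0, today, age;

    if (strlen(stamp) != 2)
        return SRS_EBADTIMESTAMPLEN;

    for (sp = stamp; *sp; sp++) {
        const char *bp = strchr(SRS_TIME_BASECHARS, toupper((unsigned char)*sp));
        if (bp == NULL)
            return SRS_EBADTIMESTAMPCHAR;
        then = (then << SRS_TIME_BASEBITS) | (time_t)(bp - SRS_TIME_BASECHARS);
    }

    today = (now / SRS_TIME_PRECISION) % SRS_TIME_SIZE;
    age = (today - then + SRS_TIME_SIZE) % SRS_TIME_SIZE;   /* handles wraparound */
    return age <= maxage ? SRS_SUCCESS : SRS_ETIMESTAMPOUTOFDATE;
}

/* Copy the timestamp field of "SRS0=HHHH=TT=domain=user@fwd" into out.
 * Simplification: only '=' is accepted as separator. Returns -1 when the
 * field is missing or does not fit in out, so an overlong tag is refused
 * before it ever reaches the decoder. */
int srs0_timestamp_field(const char *addr, char *out, size_t outsz)
{
    const char *p, *end;

    if (strncmp(addr, "SRS0=", 5) != 0)
        return -1;
    p = strchr(addr + 5, '=');            /* end of the hash field */
    if (p == NULL)
        return -1;
    p++;
    end = strchr(p, '=');                 /* end of the timestamp field */
    if (end == NULL || (size_t)(end - p) >= outsz)
        return -1;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

int srs0_check(const char *addr, time_t now, int maxage)
{
    char stamp[3];                        /* two chars plus NUL */

    if (srs0_timestamp_field(addr, stamp, sizeof stamp) != 0)
        return SRS_EBADTIMESTAMPLEN;
    return srs_timestamp_check_at(stamp, now, maxage);
}

int main(void)
{
    /* Constructed inputs: an overlong tag like the one in the advisory, and a fresh one. */
    const char *bad = "SRS0=HHHH=TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT=example.org=alice@forwarder.example";
    char good[96], tag[3];
    time_t now = 1609459200;              /* 2021-01-01T00:00:00Z, fixed for reproducibility */

    srs_timestamp_create(tag, now);
    snprintf(good, sizeof good, "SRS0=HHHH=%s=example.org=alice@forwarder.example", tag);
    printf("%s -> %d\n", good, srs0_check(good, now, SRS_MAXAGE_DAYS));
    printf("overlong tag -> %d\n", srs0_check(bad, now, SRS_MAXAGE_DAYS));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. Passing the clock in as a parameter instead of calling time() is what makes the check deterministic and unit-testable; the two-character guard and the bounded extractor together mean the only input that reaches the base32 decoder is exactly two bytes long.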
--- Begin Message ---
Source: postsrsd
Source-Version: 1.5-2+deb10u1
Done: Oxan van Leeuwen <o...@oxanvanleeuwen.nl>

We believe that the bug you reported is fixed in the latest version of
postsrsd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Oxan van Leeuwen <o...@oxanvanleeuwen.nl> (supplier of updated postsrsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 31 Jan 2021 12:57:24 +0100
Source: postsrsd
Binary: postsrsd postsrsd-dbgsym
Architecture: source amd64
Version: 1.5-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Oxan van Leeuwen <o...@oxanvanleeuwen.nl>
Changed-By: Oxan van Leeuwen <o...@oxanvanleeuwen.nl>
Description:
 postsrsd   - Sender Rewriting Scheme (SRS) lookup table for Postfix
Closes: 977782
Changes:
 postsrsd (1.5-2+deb10u1) buster; urgency=medium
 .
   * CVE-2020-35573: Ensure timestamp tags aren't too long before trying to
     decode them, to protect against a potential denial-of-service attack
     (backported from upstream commit 4733fb1, Closes: #977782).
Checksums-Sha1:
 05ef8bb26a36d9d9a4278156058ffc7eab1c5196 1906 postsrsd_1.5-2+deb10u1.dsc
 4558584fae2603e6210d003614c7a5d33b4b61fc 32019 postsrsd_1.5.orig.tar.gz
 c36c2bf197b51ece5c0993ed48c689871cff6d35 12032 postsrsd_1.5-2+deb10u1.debian.tar.xz
 a111d4be2a703dfb34bb4ae70907e8d3671892dc 38064 postsrsd-dbgsym_1.5-2+deb10u1_amd64.deb
 fe35ba6ca87e7eb102b6ed393d31e6deaca791e1 6840 postsrsd_1.5-2+deb10u1_amd64.buildinfo
 f43cf8c79c9dd41cad819eaa17ef6613e3b4181d 29932 postsrsd_1.5-2+deb10u1_amd64.deb
Checksums-Sha256:
 a1caf5fa058ddb5d5d744eef5755f31c6f3630c0ff4e5f919bc1a80c91ee87c1 1906 postsrsd_1.5-2+deb10u1.dsc
 418e2d239cc4c70e4877f6c63ded7edb3e89a52147e59c702f49b6cb96c45b07 32019 postsrsd_1.5.orig.tar.gz
 d447125faf2e2230739935d2e1e60bfd79620ace86477bb4835528122598c64b 12032 postsrsd_1.5-2+deb10u1.debian.tar.xz
 a2085abe12d2f1f7203342f36b11d5054f4a10189cf0a58532b4326e1294cb9d 38064 postsrsd-dbgsym_1.5-2+deb10u1_amd64.deb
 ff179a34b3b8328d902b0f1e563589593ecfb9e2ad4bab8fc275cf5e22781a59 6840 postsrsd_1.5-2+deb10u1_amd64.buildinfo
 6abd2caf84ac6b00a4b61f395dc97a27584cda6eeaafadd22092f325731305c8 29932 postsrsd_1.5-2+deb10u1_amd64.deb
Files:
 45f4df84e7fc62bff43e5b64dbbbe567 1906 mail optional postsrsd_1.5-2+deb10u1.dsc
 e33826a7d1055080854ff7db71641fb8 32019 mail optional postsrsd_1.5.orig.tar.gz
 beacbb9cd8fdd461ef349b16a59475a7 12032 mail optional postsrsd_1.5-2+deb10u1.debian.tar.xz
 a1c4946d8a580192cebe1e93c3f75100 38064 debug optional postsrsd-dbgsym_1.5-2+deb10u1_amd64.deb
 ad968a41f0df0c7c4d41ca73aa553089 6840 mail optional postsrsd_1.5-2+deb10u1_amd64.buildinfo
 e2ea2c7fe2da471398b6fd925492d714 29932 mail optional postsrsd_1.5-2+deb10u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---