Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:postfix
User: [email protected]
Usertags: pu

[ Reason ]
There's a new upstream stable/bugfix release, 3.10.11, which
fixes 5 more low-impact security ussuses.

[ Tests ]
This release is running in production on our sites for quite
some time already, with no issues.

[ Risks ]
As usual, postfix stable releases (and actually all postfix
releases) are of excellent quality, have very low risk of
breakage.  The changes are all small and focused too.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
See below for the debdiff, including d/changelog and upstream
HISTORY changes.

[ Other info ]
The debdiff is against the previous trixie-pu version of
postfix, 3.10.10-0+deb13u1.

I'm uploading this release to the archive, to - hopefully -
save a round-trip in this bug report and to save you some
time.

Thanks,

/mjt

diff -Nru postfix-3.10.10/HISTORY postfix-3.10.11/HISTORY
--- postfix-3.10.10/HISTORY     2026-05-15 22:54:47.000000000 +0300
+++ postfix-3.10.11/HISTORY     2026-06-17 20:06:59.000000000 +0300
@@ -29356,3 +29356,173 @@
        implementation-defined behavior (shift one bit into the
        sign position). This works today but may break later.
        Reported by Kamil Frankowicz. File: util/sys_defs.h.
+
+20260524
+
+       Bugfix (defect introduced: Postfix 3.1, date 20150607):
+       null pointer read and heap data overread in the Postfix
+       SMTP client's smtp_dns_reply_filter. Problem reported by
+       TristanInSec, found with ASAN. Also reported by other people.
+       Reproduction and real-world impact researched by Wietse.
+       File: dns/dns_strrecord.c.
+
+       This is a different problem than the one that was introduced
+       later in Postfix 3.6.
+
+       The root cause is a missing 'break' statement after the
+       code that converts a TLSA record to string.
+
+       Reproduction:
+       =============
+
+       The problem happens when smtp_dns_reply_filter is configured
+       (this is disabled by default); the Postfix SMTP client is
+       configured to use opportunistic or mandatory DANE authentication
+       (this is disabled by default); the destination domain
+       publishes a TLSA record that is empty or shorter than 20
+       bytes; and the OS is configured to use a resolver that
+       passes such a TLSA record. For example, a zero-length TLSA
+       record is blocked by BIND, Google DNS, OpenDNS, and by
+       configurations that use systemd-resolved (the default on
+       many LINUX systems); it is passed by Cloudflare, Quad9 DNS,
+       and unbound, as long as these resolvers are used without
+       systemd-resolved.
+
+       Impact statement:
+       =================
+
+       SMTP client termination with a null pointer read crash when
+       the TLSA record length is zero; or an SMTP client data
+       overread (or rarely, SMTP client termination with a read
+       segfault crash) when 0 < record length < 20 bytes. The
+       overread content is not disclosed.
+
+       The impact of SMTP client crashes is easily overstated.
+       That said, crashes must be eliminated regardless of their
+       impact.
+
+       On systems that deliver fewer than one message per minute,
+       an SMTP client crash can result in a delay of up to one
+       minute for email delivery to other destination domains.  On
+       systems with a larger traffic volume, the impact of a null
+       pointer or other segfault crash on deliveries to other
+       destination domains is minor because Postfix reuses SMTP
+       client processes and replaces a failed process within seconds
+       (self-healing); the practical impact is believed to be no
+       worse than that of an uncooperative receiver that tarpits
+       SMTP connections from Postfix to one or more destination
+       domains under their control (by replying within Postfix
+       SMTP client read time limits which are several minutes by
+       default).
+
+20260529
+
+       Robustness: the Postfix SMTP server will no longer receive
+       (and discard) an unlimited amount of text while receiving
+       a long SMTP command line. Problem introduced: Postfix 2.9,
+       date: 20110205; reported by Michael Wollner (Ibonok). Under
+       high load conditions, the amount of text was already limited
+       by a 10-second deadline to receive an SMTP command. File:
+       global/smtp_stream.c.
+
+       Robustness: with the above change the Postfix SMTP client
+       will no longer receive (and discard) an unlimited amount
+       of text while receiving a long SMTP response line.
+
+       Robustness: do not receive (and discard) unlimited amounts
+       of data with BDAT commands. Problem introduced: Postfix
+       3.4, date: 20180825; found during code maintenance. File:
+       smtpd/smtpd.c.
+
+       Impact statement:
+       =================
+
+       Postfix should not receive and discard unlimited amounts
+       of input in SMTP commands, but fixing that will not
+       fundamentally change the situation.
+
+       By design, any SMTP client can force a server to receive
+       (and discard) an unlimited amount of text.  For example,
+       an attacker can repeatedly send messages that are a little
+       under the server's message size limit and abort each
+       transaction a before reaching the message end. When sending
+       a message with the "DATA" command, an attacker would
+       disconnect instead of sending <CR><LF>.<CR><LF>; and when
+       sending a message with the "BDAT" command, an attacker would
+       send "RSET" instead of "BDAT LAST".
+
+       To mitigate such abuse, Postfix can rate-limit the number
+       of message transactions from the same IP address or address
+       range (see smtpd_client_message_rate_limit and *prefix_length
+       parameters). Such a defense is ineffective when faced with
+       a distributed attack (botnet); for that, postscreen combined
+       with an IP reputation service (DNSBL) may be more effective.
+
+20260531
+
+       Bugfix: (defect introduced: Postfix 3.6, date: 20200710):
+       panic (assertion failure and voluntary crash) while parsing
+       a TLSA reply with length 3. Found during code maintenance.
+       See below for root cause, reproduction, and impact.
+
+       Root cause:
+       ===========
+
+       An incorrect test 'length < 3' instead of 'length <= 3'
+       causes a safety check to fail when a TLSA parser attempts
+       to create zero-length storage for a non-existent TLSA
+       certificate association data field.
+
+       Reproduction:
+       =============
+
+       The problem happens when the Postfix SMTP client is configured
+       to use opportunistic or mandatory DANE authentication (this
+       is disabled by default); a destination domain publishes a
+       TLSA record with a length of three bytes; and the OS is
+       configured to use a resolver that passes such a TLSA record.
+       For example, a length-three TLSA record is blocked by BIND,
+       and by configurations that use systemd-resolved (the default
+       on many LINUX systems). It is passed by many other resolvers.
+
+       This bug enables an attack that is more potent than the
+       TLSA parsing bug introduced with Postfix 3.1.
+
+       - An attack with a length-three TLSA reply does not depend
+       on smtp_dns_reply_filter configuration.
+
+       - An attack with a length-three TLSA reply propagates through
+       more resolvers than an attack with a length-zero TLSA reply.
+
+       Impact statement:
+       =================
+
+       SMTP client voluntary termination (crash) after an assertion
+       failure. This is a fail-safe mechanism.
+
+       The impact of SMTP client crashes (voluntary or not) is
+       easily overstated. That said, crashes must be eliminated
+       regardless of their impact.
+
+       On systems that deliver fewer than one message per minute,
+       an SMTP client crash can result in a delay of up to one
+       minute for email delivery to other destination domains.
+
+       On systems with a larger traffic volume, the impact of an
+       SMTP client crash on deliveries to other destination domains
+       is minor because Postfix reuses SMTP client processes and
+       replaces a failed process within seconds (self-healing);
+       the practical impact is believed to be no worse than that
+       of an uncooperative receiver that tarpits SMTP connections
+       from Postfix to one or more destination domains under their
+       control (by replying within Postfix SMTP client read time
+       limits which are several minutes by default).
+
+20260608
+
+       Bugfix (defect introduced: Postfix 3.0, date: 20140708):
+       the SMTP client did not xtext_quote a '+' character in a
+       DSN ORCPT parameter value. A strict receiver implementation
+       could reject or discard the parameter value, but this has
+       never been reported to happen. Found during code maintenance.
+       File: smtp_proto.c.
diff -Nru postfix-3.10.10/debian/changelog postfix-3.10.11/debian/changelog
--- postfix-3.10.10/debian/changelog    2026-06-11 09:55:11.000000000 +0300
+++ postfix-3.10.11/debian/changelog    2026-06-18 07:28:13.000000000 +0300
@@ -1,3 +1,20 @@
+postfix (3.10.11-0+deb13u1) trixie; urgency=medium
+
+  * New upstream version 3.10.11, fixing 5 low-impact issues:
+    - Bugfix: null pointer read and heap data overread
+      in the Postfix SMTP client's smtp_dns_reply_filter
+    - Robustness: the Postfix SMTP server will no longer receive (and discard)
+      an unlimited amount of text while receiving a long SMTP command line
+    - Robustness: do not receive (and discard) unlimited amounts of data
+      with BDAT commands
+    - Bugfix: panic (assertion failure and voluntary crash) while parsing
+      a TLSA reply with length 3
+    - Bugfix: the SMTP client did not xtext_quote a '+' character in a
+      DSN ORCPT parameter value.  A strict receiver implementation could reject
+      or discard the parameter value (this has never been reported to happen)
+
+ -- Michael Tokarev <[email protected]>  Thu, 18 Jun 2026 07:28:13 +0300
+
 postfix (3.10.10-0+deb13u1) trixie; urgency=medium
 
   [ Michael Tokarev ]
diff -Nru postfix-3.10.10/html/smtpd.8.html postfix-3.10.11/html/smtpd.8.html
--- postfix-3.10.10/html/smtpd.8.html   2025-10-23 23:05:16.000000000 +0300
+++ postfix-3.10.11/html/smtpd.8.html   2026-06-17 20:13:38.000000000 +0300
@@ -264,7 +264,7 @@
               sions for communication with  a  Milter  application;  prior  to
               Postfix 2.6 the default protocol is 2.
 
-       <b><a 
href="postconf.5.html#milter_default_action">milter_default_action</a> 
(tempfail)</b>
+       <b><a 
href="postconf.5.html#milter_default_action">milter_default_action</a> (see 
'postconf -d <a 
href="postconf.5.html#milter_default_action">milter_default_action</a>' 
output)</b>
               The  default  action  when  a  Milter  (mail filter) response is
               unavailable (for example, bad Postfix  configuration  or  Milter
               failure).
diff -Nru postfix-3.10.10/man/man8/smtpd.8 postfix-3.10.11/man/man8/smtpd.8
--- postfix-3.10.10/man/man8/smtpd.8    2025-10-23 23:05:15.000000000 +0300
+++ postfix-3.10.11/man/man8/smtpd.8    2026-06-17 20:13:38.000000000 +0300
@@ -259,7 +259,7 @@
 The mail filter protocol version and optional protocol extensions
 for communication with a Milter application; prior to Postfix 2.6
 the default protocol is 2.
-.IP "\fBmilter_default_action (tempfail)\fR"
+.IP "\fBmilter_default_action (see 'postconf -d milter_default_action' 
output)\fR"
 The default action when a Milter (mail filter) response is
 unavailable (for example, bad Postfix configuration or Milter
 failure).
diff -Nru postfix-3.10.10/src/dns/dns_strrecord.c 
postfix-3.10.11/src/dns/dns_strrecord.c
--- postfix-3.10.10/src/dns/dns_strrecord.c     2023-02-13 23:58:00.000000000 
+0300
+++ postfix-3.10.11/src/dns/dns_strrecord.c     2026-06-17 20:06:59.000000000 
+0300
@@ -99,6 +99,8 @@
        } else {
            vstring_sprintf_append(buf, "[truncated record]");
        }
+       /* 202605 Missing break found by TristanInSec using ASAN. */
+       break;
 
        /*
         * We use the SOA record TTL to determine the negative reply TTL. We
diff -Nru postfix-3.10.10/src/global/mail_version.h 
postfix-3.10.11/src/global/mail_version.h
--- postfix-3.10.10/src/global/mail_version.h   2026-05-15 21:38:35.000000000 
+0300
+++ postfix-3.10.11/src/global/mail_version.h   2026-06-17 20:07:33.000000000 
+0300
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20260515"
-#define MAIL_VERSION_NUMBER    "3.10.10"
+#define MAIL_RELEASE_DATE      "20260617"
+#define MAIL_VERSION_NUMBER    "3.10.11"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE      "-" MAIL_RELEASE_DATE
diff -Nru postfix-3.10.10/src/global/smtp_stream.c 
postfix-3.10.11/src/global/smtp_stream.c
--- postfix-3.10.10/src/global/smtp_stream.c    2024-01-12 21:39:59.000000000 
+0300
+++ postfix-3.10.11/src/global/smtp_stream.c    2026-06-17 20:06:59.000000000 
+0300
@@ -457,8 +457,12 @@
        && vstream_feof(stream) == 0 && vstream_ferror(stream) == 0)
        while ((next_char = VSTREAM_GETC(stream)) != VSTREAM_EOF
               && next_char != '\n')
-            /* void */ ;
-
+           if (--bound <= 0) {
+               msg_warn("disabling input from %s", VSTREAM_PATH(stream));
+               vstream_fpurge(stream, VSTREAM_PURGE_READ);
+               shutdown(vstream_fileno(stream), SHUT_RD);
+               break;
+           }
     return (last_char);
 }
 
diff -Nru postfix-3.10.10/src/smtp/smtp_proto.c 
postfix-3.10.11/src/smtp/smtp_proto.c
--- postfix-3.10.10/src/smtp/smtp_proto.c       2025-10-23 21:17:45.000000000 
+0300
+++ postfix-3.10.11/src/smtp/smtp_proto.c       2026-06-17 20:06:59.000000000 
+0300
@@ -1867,7 +1867,7 @@
                            vstring_sprintf_append(next_command, " ORCPT=%s",
                                             vstring_str(session->scratch));
                    } else {
-                       xtext_quote(session->scratch, orcpt_type_addr, "=");
+                       xtext_quote(session->scratch, orcpt_type_addr, "+=");
                        vstring_sprintf_append(next_command, " ORCPT=%s",
                                             vstring_str(session->scratch));
                    }
diff -Nru postfix-3.10.10/src/smtpd/smtpd.c postfix-3.10.11/src/smtpd/smtpd.c
--- postfix-3.10.10/src/smtpd/smtpd.c   2025-10-23 19:45:51.000000000 +0300
+++ postfix-3.10.11/src/smtpd/smtpd.c   2026-06-17 20:13:38.000000000 +0300
@@ -233,7 +233,7 @@
 /*     The mail filter protocol version and optional protocol extensions
 /*     for communication with a Milter application; prior to Postfix 2.6
 /*     the default protocol is 2.
-/* .IP "\fBmilter_default_action (tempfail)\fR"
+/* .IP "\fBmilter_default_action (see 'postconf -d milter_default_action' 
output)\fR"
 /*     The default action when a Milter (mail filter) response is
 /*     unavailable (for example, bad Postfix configuration or Milter
 /*     failure).
@@ -3958,6 +3958,21 @@
     off_t   len;
 
     /*
+     * Skip inputs below 1.5 times the message size limit, staying in sync
+     * with the remote SMTP client. Otherwise, force a negative chunk_size
+     * value to disable reading and discarding input here, and to force a
+     * "lost connection" condition upon a later read operation.
+     */
+    if (ENFORCING_SIZE_LIMIT(var_message_limit)
+       && state->act_size / 1.5 > var_message_limit - chunk_size / 1.5) {
+       chunk_size = -1;
+    } else if (state->act_size > OFF_T_MAX - chunk_size) {
+       state->act_size = OFF_T_MAX;
+    } else {
+       state->act_size += chunk_size;
+    }
+
+    /*
      * Read and discard content from the remote SMTP client. TODO: drop the
      * connection in case of overload.
      */
@@ -3975,6 +3990,16 @@
     va_end(ap);
 
     /*
+     * Force a "lost connection" condition upon the next read operation.
+     */
+    if (chunk_size < 0) {
+       msg_warn("%s: too much BDAT content -- disabling further input from %s",
+                state->queue_id ? state->queue_id : "NOQUEUE",
+                state->namaddr);
+       shutdown(vstream_fileno(state->client), SHUT_RD);
+    }
+
+    /*
      * Reset state, or drop subsequent BDAT payloads until BDAT LAST or RSET.
      */
     if (final_chunk)
diff -Nru postfix-3.10.10/src/tls/tls_dane.c postfix-3.10.11/src/tls/tls_dane.c
--- postfix-3.10.10/src/tls/tls_dane.c  2024-10-11 01:15:24.000000000 +0300
+++ postfix-3.10.11/src/tls/tls_dane.c  2026-06-17 20:06:59.000000000 +0300
@@ -518,7 +518,7 @@
                  q, a, r, rr->type);
 
     /* Drop truncated records */
-    if ((dlen = rr->data_len - 3) < 0) {
+    if ((dlen = rr->data_len - 3) <= 0) {
        msg_warn("%s%s%s: truncated TLSA RR length == %u",
                 q, a, r, (unsigned) rr->data_len);
        return (0);

Reply via email to