Bug#991119: unblock: postsrsd/1.10-2

2021-07-27 Thread Sebastian Ramacher
Hi

On 2021-07-17 19:49:05 +0200, Sebastian Ramacher wrote:
> Control: tags -1 confirmed moreinfo
> 
> On 2021-07-14 21:48:50, Oxan van Leeuwen wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock package postsrsd
> > 
> > [ Reason ]
> > Security fix for CVE-2021-35525.
> > 
> > [ Impact ]
> > Package is vulnerable to a potential DoS attack.
> > 
> > [ Tests ]
> > Tests from upstream backported, testsuite from upstream passes, manually
> > tested functionality.
> > 
> > [ Risks ]
> > Fix is a one-to-one backport from upstream, modulo formatting changes.
> > 
> > [ Checklist ]
> >   [x] all changes are documented in the d/changelog
> >   [x] I reviewed all changes and I approve them
> >   [x] attach debdiff against the package in testing
> > 
> > [ Other info ]
> > N/A
> > 
> > unblock postsrsd/1.10-2
> 
> If this is a pre-approval request, please go ahead and remove the
> moreinfo tag once the new version is available in unstable.

Ping. The window for getting this upload into the initial release of
bullseye is closing.

Cheers

> 
> Cheers
> 
> 
> > diff -Nru postsrsd-1.10/debian/changelog postsrsd-1.10/debian/changelog
> > --- postsrsd-1.10/debian/changelog  2020-12-02 22:36:36.0 +0100
> > +++ postsrsd-1.10/debian/changelog  2021-07-14 21:21:11.0 +0200
> > @@ -1,4 +1,12 @@
> > -postsrsd (1.10-1) UNRELEASED; urgency=medium
> > +postsrsd (1.10-2) UNRELEASED; urgency=medium
> > +
> > +  * Fix CVE-2021-35525: potential DoS when Postfix sends certain long data
> > +fields such as multiple concatenated email addresses. Fix backported 
> > from
> > +upstream commit 077be98d8c8. (Closes: #990439)
> > +
> > + -- Oxan van Leeuwen   Wed, 14 Jul 2021 21:21:11 
> > +0200
> > +
> > +postsrsd (1.10-1) unstable; urgency=medium
> >  
> >* New upstream release (Closes: #975633)
> >* Drop patches integrated upstream
> > diff -Nru 
> > postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
> >  
> > postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
> > --- 
> > postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
> >   1970-01-01 01:00:00.0 +0100
> > +++ 
> > postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
> >   2021-07-14 21:21:11.0 +0200
> > @@ -0,0 +1,211 @@
> > +From: =?utf-8?q?Timo_R=C3=B6hling?= 
> > +Date: Sun, 21 Mar 2021 15:27:55 +0100
> > +Subject: SECURITY: Fix DoS on overly long input from Postfix
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset="utf-8"
> > +Content-Transfer-Encoding: 8bit
> > +
> > +Thanks to Mateusz Jończyk who reported this issue and gave valuable
> > +feedback for its resolution.
> > +
> > +PostSRSd would hang on an overly long GET request, because the
> > +fread()/fwrite() logic in the subprocess would get confused by the
> > +remaining input line in its buffer.
> > +
> > +Theoretically, this error should never occur, as Postfix is supposed to
> > +send valid email addresses only, which are shorter than the buffer, even
> > +assuming every single character is percent-encoded. However, Postfix
> > +sometimes does seem to send malformed request with multiple concatenated
> > +email addresses. I'm not sure if there's a reliable way to trigger this
> > +condition by an external attacker, but it is a security bug in PostSRSd
> > +nevertheless.
> > +
> > +Fixes CVE-2021-35525.
> > +
> > +Origin: 
> > https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
> > +Forwarded: not-needed
> > +Last-Update: 2021-07-14
> > +---
> > + postsrsd.c  | 52 
> > ++---
> > + run_postsrsd_tests.bats | 40 +
> > + 2 files changed, 68 insertions(+), 24 deletions(-)
> > +
> > +diff --git a/postsrsd.c b/postsrsd.c
> > +index c009d8f..5ebf7f6 100644
> > +--- a/postsrsd.c
> >  b/postsrsd.c
> > +@@ -518,9 +518,9 @@ int main (int argc, char **argv)
> > + fds[sc].events = POLLIN;
> > +   }
> > +   while(TRUE) {
> > + int conn;
> > +-FILE *fp;
> > ++FILE *fp_read, *fp_write;
> > + char linebuf[1024], *line;
> > + char keybuf[1024], *key;
> > + 
> > + if (poll(fds, socket_count, 1000) < 0) {
> > +@@ -540,41 +540,53 @@ int main (int argc, char **argv)
> > +   int i;
> > +   // close listen sockets so that we don't stop the main daemon 
> > process from restarting
> > +   for (i = 0; i < socket_count; ++i) close (sockets[i]);
> > + 
> > +-  fp = fdopen(conn, "r+");
> > +-  if (fp == NULL) exit(EXIT_FAILURE);
> > +-  fds[0].fd = conn;
> > +-  fds[0].events = POLLIN;
> > +-  if (poll(fds, 1, timeout * 1000) <= 0) return EXIT_FAILURE;
> > +-  line = fgets(linebuf, 

Bug#991119: unblock: postsrsd/1.10-2

2021-07-17 Thread Sebastian Ramacher
Control: tags -1 confirmed moreinfo

On 2021-07-14 21:48:50, Oxan van Leeuwen wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package postsrsd
> 
> [ Reason ]
> Security fix for CVE-2021-35525.
> 
> [ Impact ]
> Package is vulnerable to a potential DoS attack.
> 
> [ Tests ]
> Tests from upstream backported, testsuite from upstream passes, manually
> tested functionality.
> 
> [ Risks ]
> Fix is a one-to-one backport from upstream, modulo formatting changes.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> N/A
> 
> unblock postsrsd/1.10-2

If this is a pre-approval request, please go ahead and remove the
moreinfo tag once the new version is available in unstable.

Cheers


> diff -Nru postsrsd-1.10/debian/changelog postsrsd-1.10/debian/changelog
> --- postsrsd-1.10/debian/changelog2020-12-02 22:36:36.0 +0100
> +++ postsrsd-1.10/debian/changelog2021-07-14 21:21:11.0 +0200
> @@ -1,4 +1,12 @@
> -postsrsd (1.10-1) UNRELEASED; urgency=medium
> +postsrsd (1.10-2) UNRELEASED; urgency=medium
> +
> +  * Fix CVE-2021-35525: potential DoS when Postfix sends certain long data
> +fields such as multiple concatenated email addresses. Fix backported from
> +upstream commit 077be98d8c8. (Closes: #990439)
> +
> + -- Oxan van Leeuwen   Wed, 14 Jul 2021 21:21:11 
> +0200
> +
> +postsrsd (1.10-1) unstable; urgency=medium
>  
>* New upstream release (Closes: #975633)
>* Drop patches integrated upstream
> diff -Nru 
> postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
>  
> postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
> --- 
> postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
> 1970-01-01 01:00:00.0 +0100
> +++ 
> postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
> 2021-07-14 21:21:11.0 +0200
> @@ -0,0 +1,211 @@
> +From: =?utf-8?q?Timo_R=C3=B6hling?= 
> +Date: Sun, 21 Mar 2021 15:27:55 +0100
> +Subject: SECURITY: Fix DoS on overly long input from Postfix
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +Thanks to Mateusz Jończyk who reported this issue and gave valuable
> +feedback for its resolution.
> +
> +PostSRSd would hang on an overly long GET request, because the
> +fread()/fwrite() logic in the subprocess would get confused by the
> +remaining input line in its buffer.
> +
> +Theoretically, this error should never occur, as Postfix is supposed to
> +send valid email addresses only, which are shorter than the buffer, even
> +assuming every single character is percent-encoded. However, Postfix
> +sometimes does seem to send malformed request with multiple concatenated
> +email addresses. I'm not sure if there's a reliable way to trigger this
> +condition by an external attacker, but it is a security bug in PostSRSd
> +nevertheless.
> +
> +Fixes CVE-2021-35525.
> +
> +Origin: 
> https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
> +Forwarded: not-needed
> +Last-Update: 2021-07-14
> +---
> + postsrsd.c  | 52 
> ++---
> + run_postsrsd_tests.bats | 40 +
> + 2 files changed, 68 insertions(+), 24 deletions(-)
> +
> +diff --git a/postsrsd.c b/postsrsd.c
> +index c009d8f..5ebf7f6 100644
> +--- a/postsrsd.c
>  b/postsrsd.c
> +@@ -518,9 +518,9 @@ int main (int argc, char **argv)
> + fds[sc].events = POLLIN;
> +   }
> +   while(TRUE) {
> + int conn;
> +-FILE *fp;
> ++FILE *fp_read, *fp_write;
> + char linebuf[1024], *line;
> + char keybuf[1024], *key;
> + 
> + if (poll(fds, socket_count, 1000) < 0) {
> +@@ -540,41 +540,53 @@ int main (int argc, char **argv)
> +   int i;
> +   // close listen sockets so that we don't stop the main daemon 
> process from restarting
> +   for (i = 0; i < socket_count; ++i) close (sockets[i]);
> + 
> +-  fp = fdopen(conn, "r+");
> +-  if (fp == NULL) exit(EXIT_FAILURE);
> +-  fds[0].fd = conn;
> +-  fds[0].events = POLLIN;
> +-  if (poll(fds, 1, timeout * 1000) <= 0) return EXIT_FAILURE;
> +-  line = fgets(linebuf, sizeof(linebuf), fp);
> +-  while (line) {
> +-fseek (fp, 0, SEEK_CUR); /* Workaround for Solaris */
> ++  /* create separate input/output streams */
> ++  fp_read = fdopen(conn, "r");
> ++  if (fp_read == NULL)
> ++return EXIT_FAILURE;
> ++  fp_write = fdopen(dup(conn), "w");
> ++  if (fp_write == NULL) return EXIT_FAILURE;
> ++  errno = 0;
> ++ 

Processed: Re: Bug#991119: unblock: postsrsd/1.10-2

2021-07-17 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed moreinfo
Bug #991119 [release.debian.org] unblock: postsrsd/1.10-2
Added tag(s) moreinfo and confirmed.

-- 
991119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#991119: unblock: postsrsd/1.10-2

2021-07-14 Thread Oxan van Leeuwen
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package postsrsd

[ Reason ]
Security fix for CVE-2021-35525.

[ Impact ]
Package is vulnerable to a potential DoS attack.

[ Tests ]
Tests from upstream backported, testsuite from upstream passes, manually tested 
functionality.

[ Risks ]
Fix is a one-to-one backport from upstream, modulo formatting changes.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
N/A

unblock postsrsd/1.10-2
diff -Nru postsrsd-1.10/debian/changelog postsrsd-1.10/debian/changelog
--- postsrsd-1.10/debian/changelog  2020-12-02 22:36:36.0 +0100
+++ postsrsd-1.10/debian/changelog  2021-07-14 21:21:11.0 +0200
@@ -1,4 +1,12 @@
-postsrsd (1.10-1) UNRELEASED; urgency=medium
+postsrsd (1.10-2) UNRELEASED; urgency=medium
+
+  * Fix CVE-2021-35525: potential DoS when Postfix sends certain long data
+fields such as multiple concatenated email addresses. Fix backported from
+upstream commit 077be98d8c8. (Closes: #990439)
+
+ -- Oxan van Leeuwen   Wed, 14 Jul 2021 21:21:11 +0200
+
+postsrsd (1.10-1) unstable; urgency=medium
 
   * New upstream release (Closes: #975633)
   * Drop patches integrated upstream
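Review bot: The new 1.10-2 entry at the top of this changelog hunk still targets UNRELEASED, so the distribution needs to be set to unstable before the upload that this unblock is meant to cover. The hunk also changes the 1.10-1 header from UNRELEASED to unstable; it is worth confirming that this matches what was actually uploaded as 1.10-1, since it edits an already released entry.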
diff -Nru 
postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
 
postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
--- 
postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
  1970-01-01 01:00:00.0 +0100
+++ 
postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch
  2021-07-14 21:21:11.0 +0200
@@ -0,0 +1,211 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= 
+Date: Sun, 21 Mar 2021 15:27:55 +0100
+Subject: SECURITY: Fix DoS on overly long input from Postfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Thanks to Mateusz Jończyk who reported this issue and gave valuable
+feedback for its resolution.
+
+PostSRSd would hang on an overly long GET request, because the
+fread()/fwrite() logic in the subprocess would get confused by the
+remaining input line in its buffer.
+
+Theoretically, this error should never occur, as Postfix is supposed to
+send valid email addresses only, which are shorter than the buffer, even
+assuming every single character is percent-encoded. However, Postfix
+sometimes does seem to send malformed request with multiple concatenated
+email addresses. I'm not sure if there's a reliable way to trigger this
+condition by an external attacker, but it is a security bug in PostSRSd
+nevertheless.
+
+Fixes CVE-2021-35525.
+
+Origin: 
https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
+Forwarded: not-needed
+Last-Update: 2021-07-14
+---
+ postsrsd.c  | 52 ++---
+ run_postsrsd_tests.bats | 40 +
+ 2 files changed, 68 insertions(+), 24 deletions(-)
+
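Review bot: The DEP-3 header of the new patch file stops at Last-Update and has no Bug-Debian field, although the changelog entry closes #990439. Adding `Bug-Debian: https://bugs.debian.org/990439` next to Origin would tie the patch to the Debian report for anyone reading debian/patches without the changelog at hand.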
+diff --git a/postsrsd.c b/postsrsd.c
+index c009d8f..5ebf7f6 100644
+--- a/postsrsd.c
 b/postsrsd.c
+@@ -518,9 +518,9 @@ int main (int argc, char **argv)
+ fds[sc].events = POLLIN;
+   }
+   while(TRUE) {
+ int conn;
+-FILE *fp;
++FILE *fp_read, *fp_write;
+ char linebuf[1024], *line;
+ char keybuf[1024], *key;
+ 
+ if (poll(fds, socket_count, 1000) < 0) {
+@@ -540,41 +540,53 @@ int main (int argc, char **argv)
+   int i;
+   // close listen sockets so that we don't stop the main daemon 
process from restarting
+   for (i = 0; i < socket_count; ++i) close (sockets[i]);
+ 
+-  fp = fdopen(conn, "r+");
+-  if (fp == NULL) exit(EXIT_FAILURE);
+-  fds[0].fd = conn;
+-  fds[0].events = POLLIN;
+-  if (poll(fds, 1, timeout * 1000) <= 0) return EXIT_FAILURE;
+-  line = fgets(linebuf, sizeof(linebuf), fp);
+-  while (line) {
+-fseek (fp, 0, SEEK_CUR); /* Workaround for Solaris */
++  /* create separate input/output streams */
++  fp_read = fdopen(conn, "r");
++  if (fp_read == NULL)
++return EXIT_FAILURE;
++  fp_write = fdopen(dup(conn), "w");
++  if (fp_write == NULL) return EXIT_FAILURE;
++  errno = 0;
++  alarm(timeout);
++  if (errno != 0)
++  return EXIT_FAILURE;
++  while ((line = fgets(linebuf, sizeof(linebuf), fp_read))) {
+ char* token;
++alarm(0);
++if (strlen(line) >= sizeof(linebuf) - 1) {
++  fprintf(fp_write, "500 Invalid request\n");
++  fflush(fp_write);
++  return EXIT_FAILURE;
++}
+ token = strtok(line, " \r\n");
+ if (token == NULL ||
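Review bot: The errno test around alarm(timeout) in the second postsrsd.c hunk is dead code: alarm() has no failure return and does not set errno, so `if (errno != 0) return EXIT_FAILURE;` can never fire and could be dropped together with `errno = 0;`. Because the poll() timeout is replaced by alarm(), a short comment saying what is expected to happen on SIGALRM would help, as no handler is visible here, and within the lines shown alarm(0) cancels the timer after the first line without re-arming it before the next fgets(). The check `strlen(line) >= sizeof(linebuf) - 1` also rejects a complete line that exactly fills the buffer; testing whether the last character read is a newline would separate truncated input from a full line.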