Bug#991119: unblock: postsrsd/1.10-2
Hi

On 2021-07-17 19:49:05 +0200, Sebastian Ramacher wrote:
> Control: tags -1 confirmed moreinfo
>
> On 2021-07-14 21:48:50, Oxan van Leeuwen wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Please unblock package postsrsd
> >
> > [ Reason ]
> > Security fix for CVE-2021-35525.
> >
> > [ Impact ]
> > Package is vulnerable to a potential DoS attack.
> >
> > [ Tests ]
> > Tests from upstream backported, testsuite from upstream passes, manually
> > tested functionality.
> >
> > [ Risks ]
> > Fix is a one-to-one backport from upstream, modulo formatting changes.
> >
> > [ Checklist ]
> >   [x] all changes are documented in the d/changelog
> >   [x] I reviewed all changes and I approve them
> >   [x] attach debdiff against the package in testing
> >
> > [ Other info ]
> > N/A
> >
> > unblock postsrsd/1.10-2
>
> If this is a pre-approval request, please go ahead and remove the
> moreinfo tag once the new version is available in unstable.

Ping. The window for getting this upload into the initial release of
bullseye is closing.

Cheers

> Cheers
>
> > [...]
Bug#991119: unblock: postsrsd/1.10-2
Control: tags -1 confirmed moreinfo

On 2021-07-14 21:48:50, Oxan van Leeuwen wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package postsrsd
>
> [ Reason ]
> Security fix for CVE-2021-35525.
>
> [ Impact ]
> Package is vulnerable to a potential DoS attack.
>
> [ Tests ]
> Tests from upstream backported, testsuite from upstream passes, manually
> tested functionality.
>
> [ Risks ]
> Fix is a one-to-one backport from upstream, modulo formatting changes.
>
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
>
> [ Other info ]
> N/A
>
> unblock postsrsd/1.10-2

If this is a pre-approval request, please go ahead and remove the
moreinfo tag once the new version is available in unstable.

Cheers

> [...]
Processed: Re: Bug#991119: unblock: postsrsd/1.10-2
Processing control commands:

> tags -1 confirmed moreinfo
Bug #991119 [release.debian.org] unblock: postsrsd/1.10-2
Added tag(s) moreinfo and confirmed.

--
991119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#991119: unblock: postsrsd/1.10-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package postsrsd

[ Reason ]
Security fix for CVE-2021-35525.

[ Impact ]
Package is vulnerable to a potential DoS attack.

[ Tests ]
Tests from upstream backported, testsuite from upstream passes, manually
tested functionality.

[ Risks ]
Fix is a one-to-one backport from upstream, modulo formatting changes.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
N/A

unblock postsrsd/1.10-2

diff -Nru postsrsd-1.10/debian/changelog postsrsd-1.10/debian/changelog --- postsrsd-1.10/debian/changelog 2020-12-02 22:36:36.0 +0100 +++ postsrsd-1.10/debian/changelog 2021-07-14 21:21:11.0 +0200 @@ -1,4 +1,12 @@ -postsrsd (1.10-1) UNRELEASED; urgency=medium +postsrsd (1.10-2) UNRELEASED; urgency=medium + + * Fix CVE-2021-35525: potential DoS when Postfix sends certain long data +fields such as multiple concatenated email addresses. Fix backported from +upstream commit 077be98d8c8. (Closes: #990439) + + -- Oxan van Leeuwen Wed, 14 Jul 2021 21:21:11 +0200 + +postsrsd (1.10-1) unstable; urgency=medium * New upstream release (Closes: #975633) * Drop patches integrated upstream diff -Nru postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch --- postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch 1970-01-01 01:00:00.0 +0100 +++ postsrsd-1.10/debian/patches/0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch 2021-07-14 21:21:11.0 +0200
@@ -0,0 +1,211 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= +Date: Sun, 21 Mar 2021 15:27:55 +0100 +Subject: SECURITY: Fix DoS on overly long input from Postfix +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Thanks to Mateusz Jończyk who reported this issue and gave valuable +feedback for its resolution. + +PostSRSd would hang on an overly long GET request, because the +fread()/fwrite() logic in the subprocess would get confused by the +remaining input line in its buffer. + +Theoretically, this error should never occur, as Postfix is supposed to +send valid email addresses only, which are shorter than the buffer, even +assuming every single character is percent-encoded. However, Postfix +sometimes does seem to send malformed request with multiple concatenated +email addresses. I'm not sure if there's a reliable way to trigger this +condition by an external attacker, but it is a security bug in PostSRSd +nevertheless. + +Fixes CVE-2021-35525. 
+ +Origin: https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2 +Forwarded: not-needed +Last-Update: 2021-07-14 +--- + postsrsd.c | 52 ++--- + run_postsrsd_tests.bats | 40 + + 2 files changed, 68 insertions(+), 24 deletions(-) + +diff --git a/postsrsd.c b/postsrsd.c +index c009d8f..5ebf7f6 100644 +--- a/postsrsd.c b/postsrsd.c +@@ -518,9 +518,9 @@ int main (int argc, char **argv) + fds[sc].events = POLLIN; + } + while(TRUE) { + int conn; +-FILE *fp; ++FILE *fp_read, *fp_write; + char linebuf[1024], *line; + char keybuf[1024], *key; + + if (poll(fds, socket_count, 1000) < 0) { +@@ -540,41 +540,53 @@ int main (int argc, char **argv) + int i; + // close listen sockets so that we don't stop the main daemon process from restarting + for (i = 0; i < socket_count; ++i) close (sockets[i]); + +- fp = fdopen(conn, "r+"); +- if (fp == NULL) exit(EXIT_FAILURE); +- fds[0].fd = conn; +- fds[0].events = POLLIN; +- if (poll(fds, 1, timeout * 1000) <= 0) return EXIT_FAILURE; +- line = fgets(linebuf, sizeof(linebuf), fp); +- while (line) { +-fseek (fp, 0, SEEK_CUR); /* Workaround for Solaris */ ++ /* create separate input/output streams */ ++ fp_read = fdopen(conn, "r"); ++ if (fp_read == NULL) ++return EXIT_FAILURE; ++ fp_write = fdopen(dup(conn), "w"); ++ if (fp_write == NULL) return EXIT_FAILURE; ++ errno = 0; ++ alarm(timeout); ++ if (errno != 0) ++ return EXIT_FAILURE; ++ while ((line = fgets(linebuf, sizeof(linebuf), fp_read))) { + char* token; ++alarm(0); ++if (strlen(line) >= sizeof(linebuf) - 1) { ++ fprintf(fp_write, "500 Invalid request\n"); ++ fflush(fp_write); ++ return EXIT_FAILURE; ++} + token = strtok(line, " \r\n"); + if (token == NULL ||
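Review bot: the new 1.10-2 entry in the debian/changelog hunk (@@ -1,4 +1,12 @@) still carries the UNRELEASED distribution (`+postsrsd (1.10-2) UNRELEASED; urgency=medium`), so the package as diffed cannot be uploaded, which is exactly what the release team's pre-approval question hinges on; change it to `unstable` before uploading, as the same hunk already does for the 1.10-1 entry. Since the upload contains nothing but a CVE fix, `urgency=high` is also the customary choice for a security-only upload.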
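Review bot: the DEP-3 header of 0002-SECURITY-Fix-DoS-on-overly-long-input-from-Postfix.patch records `Origin:`, `Forwarded: not-needed` and `Last-Update:` but no `Bug-Debian:` line, although the changelog closes #990439 with this change; adding `Bug-Debian: https://bugs.debian.org/990439` lets tooling and future maintainers link the patch to the bug without consulting the changelog. Since the changelog describes the fix as a backport of upstream commit 077be98d8c8, the DEP-3 form is `Origin: backport, https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2` rather than the bare URL.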
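Review bot: in the @@ -540,41 +540,53 @@ hunk of postsrsd.c the per-connection read timeout now relies on SIGALRM's default disposition killing the child: `alarm(timeout)` is armed with no handler or `signal()` call anywhere in this hunk, so if the daemon that forks the child ever runs with SIGALRM ignored, the inherited SIG_IGN turns the alarm into a no-op and a client that sends nothing can keep the child alive indefinitely, which is the hang the patch sets out to remove. Calling `signal(SIGALRM, SIG_DFL)` before `alarm(timeout)` (or installing a handler that exits) removes that dependency. Two smaller points: the `errno = 0; alarm(timeout); if (errno != 0) return EXIT_FAILURE;` sequence is dead code, because alarm() is specified as always succeeding and does not set errno; and the alarm is cancelled with `alarm(0)` at the top of the loop body but is not visibly re-armed before the next fgets(), so please confirm that the rest of the loop re-arms it, otherwise only the first line of a connection is covered by the timeout. Finally, `strlen(line) >= sizeof(linebuf) - 1` also rejects a complete request that exactly fills the buffer including its trailing newline; testing for a missing '\n' at the end of the line distinguishes a truncated line from a full but complete one, though with a 1024-byte buffer and address-sized inputs this is cosmetic.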