Package: postsrsd / 1.5-2+deb10u2

Metadata

Package Version Patches format
postsrsd 1.5-2+deb10u2 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
0001 Adapt init scripts for Debian practices.patch | (download)

init/postsrsd.default.in | 2 1 + 1 - 0 !
init/postsrsd.systemd.in | 10 10 + 0 - 0 !
init/postsrsd.sysv-lsb.in | 21 17 + 4 - 0 !
3 files changed, 28 insertions(+), 5 deletions(-)

 
 adapt init scripts for debian practices

- Set default user to postsrsd instead of nobody.
- Define fallback values for all options in init scripts, so that
  /etc/default may be removed by the administrator.
- Expand LSB header for SysV init script.
0002 Increase hash length for unit tests.patch | (download)

tests.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 
 increase hash length for unit tests

This is to minimize the likelihood of false-positive hash collisions.
Fixes #89
(cherry picked from commit db9ed58e94e2e7c5c87b1ebed6b49e8e8ca860ec)
0003 Hook up endianness sizeof long detection code in SHA.patch | (download)

CMakeLists.txt | 9 9 + 0 - 0 !
sha1.c | 17 13 + 4 - 0 !
2 files changed, 22 insertions(+), 4 deletions(-)

 
 hook-up endianness & sizeof(long) detection code in sha-1
 implementation (#90)

This makes the SHA-1 implementation valid for big endian architectures
as well.
(cherry picked from commit 0b8f8be8ceeee41e2d0c82b9232d98dbe5f44cba)
0004 SECURITY Fix potential denial of service attack agai.patch | (download)

srs2.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 
 security: fix potential denial of service attack against postsrsd

I discovered that PostSRSd could be tricked into consuming a lot of CPU
time with an SRS address that has an excessively long time stamp tag,
e.g.

SRS0=HHHH=TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT=0@example.com

(cherry picked from commit 4733fb11f6bec6524bb8518c5e1a699288c26bac)

Fixes CVE-2020-35573.
0005 SECURITY Fix DoS on overly long input from Postfix.patch | (download)

postsrsd.c | 54 35 + 19 - 0 !
1 file changed, 35 insertions(+), 19 deletions(-)

 
 security: fix dos on overly long input from postfix
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Thanks to Mateusz Joczyk who reported this issue and gave valuable
feedback for its resolution.

PostSRSd would hang on an overly long GET request, because the
fread()/fwrite() logic in the subprocess would get confused by the
remaining input line in its buffer.

Theoretically, this error should never occur, as Postfix is supposed to
send valid email addresses only, which are shorter than the buffer, even
assuming every single character is percent-encoded. However, Postfix
sometimes does seem to send malformed request with multiple concatenated
email addresses. I'm not sure if there's a reliable way to trigger this
condition by an external attacker, but it is a security bug in PostSRSd
nevertheless.

Fixes CVE-2021-35525.

Tests not backported, as v1.5 did not have them yet.