Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Upstream recently discovered a potential remote denial-of-service attack in postsrsd (CVE-2020-35573) [1]. Fortunately, this issue is currently not exploitable in Debian due to gcc optimizing the problematic loop away. Thus, the security team has decided not to issue a DSA [2], but instead suggested fixing it through a stable update.

This issue is already fixed in postsrsd/1.10-1 in unstable and testing. I've prepared a backport of the one-line fix to stable, and attached the source debdiff. I've verified that this doesn't break anything and the package still works properly.

Cheers,
Oxan

[1] https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac
[2] https://security-tracker.debian.org/tracker/CVE-2020-35573

diff -Nru postsrsd-1.5/debian/changelog postsrsd-1.5/debian/changelog --- postsrsd-1.5/debian/changelog 2019-02-23 14:27:44.000000000 +0100 +++ postsrsd-1.5/debian/changelog 2020-12-19 01:36:37.000000000 +0100 @@ -1,3 +1,11 @@ +postsrsd (1.5-2+deb10u1) buster; urgency=medium + + * CVE-2020-35573: Ensure timestamp tags aren't too long before trying to + decode them, to protect against a potential denial-of-service attack + (backported from upstream commit 4733fb1). + + -- Oxan van Leeuwen <o...@oxanvanleeuwen.nl> Sat, 19 Dec 2020 01:36:37 +0100 + postsrsd (1.5-2) unstable; urgency=medium * Increase hashlength for unit tests (cherry-picked from upstream db9ed58) diff -Nru postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch --- postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch 1970-01-01 01:00:00.000000000 +0100 +++ postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch 2020-12-19 01:36:37.000000000 +0100 
@@ -0,0 +1,29 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= <t...@gaussglocke.de> +Date: Sat, 12 Dec 2020 10:42:28 +0100 +Subject: SECURITY: Fix potential denial of service attack against PostSRSd + +I discovered that PostSRSd could be tricked into consuming a lot of CPU +time with an SRS address that has an excessively long time stamp tag, +e.g. + +SRS0=HHHH=TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT=0...@example.com + +(cherry picked from commit 4733fb11f6bec6524bb8518c5e1a699288c26bac) + +Fixes CVE-2020-35573. +--- + srs2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/srs2.c b/srs2.c +index b07a664..6a2eebb 100644 +--- a/srs2.c ++++ b/srs2.c +@@ -230,6 +230,7 @@ srs_timestamp_check(srs_t *srs, const char *stamp) + time_t now; + time_t then; + ++ if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE; + /* We had better go around this loop exactly twice! */ + then = 0; + for (sp = stamp; *sp; sp++) { diff -Nru postsrsd-1.5/debian/patches/series postsrsd-1.5/debian/patches/series --- postsrsd-1.5/debian/patches/series 2019-02-23 14:27:44.000000000 +0100 +++ postsrsd-1.5/debian/patches/series 2020-12-19 01:36:37.000000000 +0100 @@ -1,3 +1,4 @@ 0001-Adapt-init-scripts-for-Debian-practices.patch 0002-Increase-hash-length-for-unit-tests.patch 0003-Hook-up-endianness-sizeof-long-detection-code-in-SHA.patch +0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
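Review bot: the changelog entry for 1.5-2+deb10u1 says the fix ensures timestamp tags "aren't too long", but the check added in srs2.c rejects any stamp whose length is not exactly 2, so shorter or empty tags are rejected as well; wording such as "Reject timestamp tags that are not exactly two characters long before decoding them" would describe the backported change precisely.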
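Review bot: in the srs2.c hunk, the added `if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE;` reports a malformed (wrong-length) tag with the same code as a genuinely expired stamp, so callers and logs cannot tell the two cases apart; that is upstream's choice and acceptable for a minimal backport, but a one-line comment above the check saying that it enforces the "exactly twice" expectation stated in the comment below it would help the next reader. The check sits correctly before the loop, so no per-character work is done on an oversized tag. The patch header carries From/Date/Subject but no DEP-3 `Origin:` field; adding `Origin: upstream, https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac` would make the provenance machine-readable in addition to the cherry-pick line in the body.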