760821 – (CVE-2020-35573) <mail-filter/postsrsd-1.10: specially crafted SRS address could cause dos (CVE-2020-35573)

Bug 760821 (CVE-2020-35573) - <mail-filter/postsrsd-1.10: specially crafted SRS address could cause dos (CVE-2020-35573)

Summary: <mail-filter/postsrsd-1.10: specially crafted SRS address could cause dos (CV...

Status:	RESOLVED FIXED

Alias:	CVE-2020-35573

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/roehling/postsrsd/...
Whiteboard:	B3 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-12-20 05:51 UTC by Sam James
Modified:	2021-07-06 03:47 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	mail-filter/postsrsd-1.10
Runtime testing required:	---

Flags:	nattka: sanity-check-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-12-20 05:51:12 UTC

Description:
"srs2.c in PostSRSd before 1.10 allows remote attackers to cause a denial of service (CPU consumption) via a long timestamp tag in an SRS address."

Please bump to 1.10, thanks!

Comment 1 Larry the Git Cow gentoo-dev

2020-12-20 19:25:44 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a91026aa9742129fd7d2fddfa491a11fb6dad2fb

commit a91026aa9742129fd7d2fddfa491a11fb6dad2fb
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2020-12-20 19:25:13 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2020-12-20 19:25:38 +0000

    mail-filter/postsrsd: bump to 1.10 to fix CVE-2020-35573
    
    Bug: https://bugs.gentoo.org/760821
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>

 mail-filter/postsrsd/Manifest             |  1 +
 mail-filter/postsrsd/postsrsd-1.10.ebuild | 35 +++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

Comment 2 Sam James archtester

2020-12-20 19:37:20 UTC

Thanks for the quick bump djc!

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-21 00:31:44 UTC

x86 stable

Comment 4 Sam James archtester

2020-12-21 18:26:32 UTC

amd64 done

all arches done

Comment 5 John Helmert III archtester

2020-12-21 21:59:25 UTC

Please cleanup

Comment 6 Larry the Git Cow gentoo-dev

2020-12-22 20:26:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09b8f71a2bea30bd2ef3dfef0777d7da50ea1bfa

commit 09b8f71a2bea30bd2ef3dfef0777d7da50ea1bfa
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2020-12-22 20:26:25 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2020-12-22 20:26:42 +0000

    mail-filter/postsrsd: remove vulnerable version 1.6
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=760821
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>

 mail-filter/postsrsd/Manifest            |  1 -
 mail-filter/postsrsd/postsrsd-1.6.ebuild | 35 --------------------------------
 2 files changed, 36 deletions(-)

Comment 7 Sam James archtester

2020-12-22 20:32:46 UTC

Thank you!

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2021-02-20 19:46:58 UTC

GLSA Vote: Yes

New GLSA request filed.

Comment 9 NATTkA bot gentoo-dev

2021-06-09 07:40:38 UTC

Unable to check for sanity:

> no match for package: mail-filter/postsrsd-1.10

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2021-07-06 03:47:28 UTC

This issue was resolved and addressed in
 GLSA 202107-08 at https://security.gentoo.org/glsa/202107-08
by GLSA coordinator John Helmert III (ajak).