Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 760821 (CVE-2020-35573) - <mail-filter/postsrsd-1.10: specially crafted SRS address could cause dos (CVE-2020-35573)
Summary: <mail-filter/postsrsd-1.10: specially crafted SRS address could cause dos (CV...
Status: RESOLVED FIXED
Alias: CVE-2020-35573
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/roehling/postsrsd/...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-20 05:51 UTC by Sam James
Modified: 2021-07-06 03:47 UTC (History)
1 user (show)

See Also:
Package list:
mail-filter/postsrsd-1.10
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-12-20 05:51:12 UTC
Description:
"srs2.c in PostSRSd before 1.10 allows remote attackers to cause a denial of service (CPU consumption) via a long timestamp tag in an SRS address."

Please bump to 1.10, thanks!
Comment 1 Larry the Git Cow gentoo-dev 2020-12-20 19:25:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a91026aa9742129fd7d2fddfa491a11fb6dad2fb

commit a91026aa9742129fd7d2fddfa491a11fb6dad2fb
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2020-12-20 19:25:13 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2020-12-20 19:25:38 +0000

    mail-filter/postsrsd: bump to 1.10 to fix CVE-2020-35573
    
    Bug: https://bugs.gentoo.org/760821
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>

 mail-filter/postsrsd/Manifest             |  1 +
 mail-filter/postsrsd/postsrsd-1.10.ebuild | 35 +++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2020-12-20 19:37:20 UTC
Thanks for the quick bump djc!
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-12-21 00:31:44 UTC
x86 stable
Comment 4 Sam James archtester gentoo-dev Security 2020-12-21 18:26:32 UTC
amd64 done

all arches done
Comment 5 John Helmert III gentoo-dev Security 2020-12-21 21:59:25 UTC
Please cleanup
Comment 6 Larry the Git Cow gentoo-dev 2020-12-22 20:26:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09b8f71a2bea30bd2ef3dfef0777d7da50ea1bfa

commit 09b8f71a2bea30bd2ef3dfef0777d7da50ea1bfa
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2020-12-22 20:26:25 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2020-12-22 20:26:42 +0000

    mail-filter/postsrsd: remove vulnerable version 1.6
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=760821
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>

 mail-filter/postsrsd/Manifest            |  1 -
 mail-filter/postsrsd/postsrsd-1.6.ebuild | 35 --------------------------------
 2 files changed, 36 deletions(-)
Comment 7 Sam James archtester gentoo-dev Security 2020-12-22 20:32:46 UTC
Thank you!
Comment 8 Thomas Deutschmann gentoo-dev Security 2021-02-20 19:46:58 UTC
GLSA Vote: Yes

New GLSA request filed.
Comment 9 NATTkA bot gentoo-dev 2021-06-09 07:40:38 UTC
Unable to check for sanity:

> no match for package: mail-filter/postsrsd-1.10
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-07-06 03:47:28 UTC
This issue was resolved and addressed in
 GLSA 202107-08 at https://security.gentoo.org/glsa/202107-08
by GLSA coordinator John Helmert III (ajak).