Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 793674 (CVE-2021-35525) - <mail-filter/postsrsd-1.11: denial of service (CVE-2021-35525)
Summary: <mail-filter/postsrsd-1.11: denial of service (CVE-2021-35525)
Status: RESOLVED FIXED
Alias: CVE-2021-35525
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-01 08:35 UTC by Alix
Modified: 2021-07-06 03:47 UTC (History)
1 user (show)

See Also:
Package list:
mail-filter/postsrsd-1.11
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alix 2021-06-01 08:35:08 UTC 
1.11 was released on 21.03.21 with security fix: https://github.com/roehling/postsrsd/releases/tag/1.11

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2021-06-07 15:14:41 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c2210c49a427dd15d93fd3635557ec9e1dbff1e

commit 1c2210c49a427dd15d93fd3635557ec9e1dbff1e
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2021-06-07 15:14:27 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2021-06-07 15:14:27 +0000

    mail-filter/postsrsd: version bump to 1.11 with security fix
    
    Bug: https://bugs.gentoo.org/793674
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>

 mail-filter/postsrsd/Manifest             |  1 +
 mail-filter/postsrsd/postsrsd-1.11.ebuild | 35 +++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 16:11:40 UTC 
"SECURITY FIX: The subprocess that talks to Postfix could be caused to hang with a very long email address (see 077be98 for details, thanks to Mateusz Jończyk for the report).
[Note: This bug seems only exploitable if Postfix is tricked into passing a whole list of addresses as single query to PostSRSd, such as it was observed in #37.]"
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 23:09:09 UTC 
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 23:09:43 UTC 
amd64 done

all arches done
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-09 04:22:49 UTC 
Please cleanup.
Comment 6 Larry the Git Cow gentoo-dev 2021-06-09 07:39:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ace18e8c1379f3854c589153ba9029287c1bdbc7

commit ace18e8c1379f3854c589153ba9029287c1bdbc7
Author:     Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2021-06-09 07:39:07 +0000
Commit:     Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2021-06-09 07:39:30 +0000

    mail-filter/postsrsd: clean up vulnerable version
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=793674
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>

 mail-filter/postsrsd/Manifest             |  1 -
 mail-filter/postsrsd/postsrsd-1.10.ebuild | 35 -------------------------------
 2 files changed, 36 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-09 11:35:35 UTC 
Thank you!
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-30 04:02:46 UTC 
Added to existing request
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2021-07-06 03:47:32 UTC 
This issue was resolved and addressed in
 GLSA 202107-08 at https://security.gentoo.org/glsa/202107-08
by GLSA coordinator John Helmert III (ajak).