Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2026-06-23 17:35:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Tue Jun 23 17:35:33 2026 rev:274 rq:1360732 version:3.11.4 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix-bdb.changes 2026-05-21 18:24:55.668618728 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.1956/postfix-bdb.changes 2026-06-23 17:36:07.108349347 +0200 @@ -1,0 +2,20 @@ +Thu Jun 18 18:18:11 UTC 2026 - Arjen de Korte <[email protected]> + +- update to 3.11.4 + * Bug 1 (defect introduced: Postfix 3.1, date 20150607): null pointer + read and heap data overread in the Postfix SMTP client's + smtp_dns_reply_filter. + * Bug 2 (defect introduced: Postfix 3.6, date: 20200710): panic + (assertion failure and voluntary crash) while parsing a TLSA reply + with length 3. + * Bug 3 (Problem introduced: Postfix 2.9, date: 20110205) Robustness: + the Postfix SMTP server will no longer receive (and discard) an + unlimited amount of text while receiving a long SMTP command line. + * Bug 4 Robustness: with the above change the Postfix SMTP client will + no longer receive (and discard) an unlimited amount of text while + receiving a long SMTP response line. + * Bug 5 (Problem introduced: Postfix 3.4, date: 20180825) Robustness: + do not receive (and discard) unlimited amounts of data with BDAT + commands. + +------------------------------------------------------------------- postfix.changes: same change Old: ---- postfix-3.11.3.tar.gz postfix-3.11.3.tar.gz.asc New: ---- postfix-3.11.4.tar.gz postfix-3.11.4.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++ --- /var/tmp/diff_new_pack.4c8g8g/_old 2026-06-23 17:36:08.372393392 +0200 +++ /var/tmp/diff_new_pack.4c8g8g/_new 2026-06-23 17:36:08.376393532 +0200 @@ -61,7 +61,7 @@ %endif %bcond_without ldap Name: postfix-bdb -Version: 3.11.3 +Version: 3.11.4 Release: 0 Summary: A fast, secure, and flexible mailer License: EPL-2.0 OR IPL-1.0 postfix.spec: same change ++++++ postfix-3.11.3.tar.gz -> postfix-3.11.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.11.3/HISTORY new/postfix-3.11.4/HISTORY --- old/postfix-3.11.3/HISTORY 2026-05-15 19:47:50.000000000 +0200 +++ new/postfix-3.11.4/HISTORY 2026-06-17 18:57:14.000000000 +0200 @@ -30695,3 +30695,173 @@ implementation-defined behavior (shift one bit into the sign position). This works today but may break later. Reported by Kamil Frankowicz. File: util/sys_defs.h. + +20260524 + + Bugfix (defect introduced: Postfix 3.1, date 20150607): + null pointer read and heap data overread in the Postfix + SMTP client's smtp_dns_reply_filter. Problem reported by + TristanInSec, found with ASAN. Also reported by other people. + Reproduction and real-world impact researched by Wietse. + File: dns/dns_strrecord.c. + + This is a different problem than the one that was introduced + later in Postfix 3.6. + + The root cause is a missing 'break' statement after the + code that converts a TLSA record to string. + + Reproduction: + ============= + + The problem happens when smtp_dns_reply_filter is configured + (this is disabled by default); the Postfix SMTP client is + configured to use opportunistic or mandatory DANE authentication + (this is disabled by default); the destination domain + publishes a TLSA record that is empty or shorter than 20 + bytes; and the OS is configured to use a resolver that + passes such a TLSA record. For example, a zero-length TLSA + record is blocked by BIND, Google DNS, OpenDNS, and by + configurations that use systemd-resolved (the default on + many LINUX systems); it is passed by Cloudflare, Quad9 DNS, + and unbound, as long as these resolvers are used without + systemd-resolved. + + Impact statement: + ================= + + SMTP client termination with a null pointer read crash when + the TLSA record length is zero; or an SMTP client data + overread (or rarely, SMTP client termination with a read + segfault crash) when 0 < record length < 20 bytes. The + overread content is not disclosed. + + The impact of SMTP client crashes is easily overstated. + That said, crashes must be eliminated regardless of their + impact. + + On systems that deliver fewer than one message per minute, + an SMTP client crash can result in a delay of up to one + minute for email delivery to other destination domains. On + systems with a larger traffic volume, the impact of a null + pointer or other segfault crash on deliveries to other + destination domains is minor because Postfix reuses SMTP + client processes and replaces a failed process within seconds + (self-healing); the practical impact is believed to be no + worse than that of an uncooperative receiver that tarpits + SMTP connections from Postfix to one or more destination + domains under their control (by replying within Postfix + SMTP client read time limits which are several minutes by + default). + +20260529 + + Robustness: the Postfix SMTP server will no longer receive + (and discard) an unlimited amount of text while receiving + a long SMTP command line. Problem introduced: Postfix 2.9, + date: 20110205; reported by Michael Wollner (Ibonok). Under + high load conditions, the amount of text was already limited + by a 10-second deadline to receive an SMTP command. File: + global/smtp_stream.c. + + Robustness: with the above change the Postfix SMTP client + will no longer receive (and discard) an unlimited amount + of text while receiving a long SMTP response line. + + Robustness: do not receive (and discard) unlimited amounts + of data with BDAT commands. Problem introduced: Postfix + 3.4, date: 20180825; found during code maintenance. File: + smtpd/smtpd.c. + + Impact statement: + ================= + + Postfix should not receive and discard unlimited amounts + of input in SMTP commands, but fixing that will not + fundamentally change the situation. + + By design, any SMTP client can force a server to receive + (and discard) an unlimited amount of text. For example, + an attacker can repeatedly send messages that are a little + under the server's message size limit and abort each + transaction a before reaching the message end. When sending + a message with the "DATA" command, an attacker would + disconnect instead of sending <CR><LF>.<CR><LF>; and when + sending a message with the "BDAT" command, an attacker would + send "RSET" instead of "BDAT LAST". + + To mitigate such abuse, Postfix can rate-limit the number + of message transactions from the same IP address or address + range (see smtpd_client_message_rate_limit and *prefix_length + parameters). Such a defense is ineffective when faced with + a distributed attack (botnet); for that, postscreen combined + with an IP reputation service (DNSBL) may be more effective. + +20260531 + + Bugfix: (defect introduced: Postfix 3.6, date: 20200710): + panic (assertion failure and voluntary crash) while parsing + a TLSA reply with length 3. Found during code maintenance. + See below for root cause, reproduction, and impact. + + Root cause: + =========== + + An incorrect test 'length < 3' instead of 'length <= 3' + causes a safety check to fail when a TLSA parser attempts + to create zero-length storage for a non-existent TLSA + certificate association data field. + + Reproduction: + ============= + + The problem happens when the Postfix SMTP client is configured + to use opportunistic or mandatory DANE authentication (this + is disabled by default); a destination domain publishes a + TLSA record with a length of three bytes; and the OS is + configured to use a resolver that passes such a TLSA record. + For example, a length-three TLSA record is blocked by BIND, + and by configurations that use systemd-resolved (the default + on many LINUX systems). It is passed by many other resolvers. + + This bug enables an attack that is more potent than the + TLSA parsing bug introduced with Postfix 3.1. + + - An attack with a length-three TLSA reply does not depend + on smtp_dns_reply_filter configuration. + + - An attack with a length-three TLSA reply propagates through + more resolvers than an attack with a length-zero TLSA reply. + + Impact statement: + ================= + + SMTP client voluntary termination (crash) after an assertion + failure. This is a fail-safe mechanism. + + The impact of SMTP client crashes (voluntary or not) is + easily overstated. That said, crashes must be eliminated + regardless of their impact. + + On systems that deliver fewer than one message per minute, + an SMTP client crash can result in a delay of up to one + minute for email delivery to other destination domains. + + On systems with a larger traffic volume, the impact of an + SMTP client crash on deliveries to other destination domains + is minor because Postfix reuses SMTP client processes and + replaces a failed process within seconds (self-healing); + the practical impact is believed to be no worse than that + of an uncooperative receiver that tarpits SMTP connections + from Postfix to one or more destination domains under their + control (by replying within Postfix SMTP client read time + limits which are several minutes by default). + +20260608 + + Bugfix (defect introduced: Postfix 3.0, date: 20140708): + the SMTP client did not xtext_quote a '+' character in a + DSN ORCPT parameter value. A strict receiver implementation + could reject or discard the parameter value, but this has + never been reported to happen. Found during code maintenance. + File: smtp_proto.c. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.11.3/src/dns/dns_strrecord.c new/postfix-3.11.4/src/dns/dns_strrecord.c --- old/postfix-3.11.3/src/dns/dns_strrecord.c 2023-02-13 21:58:00.000000000 +0100 +++ new/postfix-3.11.4/src/dns/dns_strrecord.c 2026-06-08 17:54:52.000000000 +0200 @@ -99,6 +99,8 @@ } else { vstring_sprintf_append(buf, "[truncated record]"); } + /* 202605 Missing break found by TristanInSec using ASAN. */ + break; /* * We use the SOA record TTL to determine the negative reply TTL. We diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.11.3/src/global/mail_version.h new/postfix-3.11.4/src/global/mail_version.h --- old/postfix-3.11.3/src/global/mail_version.h 2026-05-15 20:26:45.000000000 +0200 +++ new/postfix-3.11.4/src/global/mail_version.h 2026-06-17 19:00:24.000000000 +0200 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20260515" -#define MAIL_VERSION_NUMBER "3.11.3" +#define MAIL_RELEASE_DATE "20260617" +#define MAIL_VERSION_NUMBER "3.11.4" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.11.3/src/global/smtp_stream.c new/postfix-3.11.4/src/global/smtp_stream.c --- old/postfix-3.11.3/src/global/smtp_stream.c 2024-01-12 19:39:59.000000000 +0100 +++ new/postfix-3.11.4/src/global/smtp_stream.c 2026-06-08 17:52:02.000000000 +0200 @@ -457,8 +457,12 @@ && vstream_feof(stream) == 0 && vstream_ferror(stream) == 0) while ((next_char = VSTREAM_GETC(stream)) != VSTREAM_EOF && next_char != '\n') - /* void */ ; - + if (--bound <= 0) { + msg_warn("disabling input from %s", VSTREAM_PATH(stream)); + vstream_fpurge(stream, VSTREAM_PURGE_READ); + shutdown(vstream_fileno(stream), SHUT_RD); + break; + } return (last_char); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.11.3/src/smtp/smtp_proto.c new/postfix-3.11.4/src/smtp/smtp_proto.c --- old/postfix-3.11.3/src/smtp/smtp_proto.c 2025-11-16 18:11:28.000000000 +0100 +++ new/postfix-3.11.4/src/smtp/smtp_proto.c 2026-06-08 18:06:22.000000000 +0200 @@ -2022,7 +2022,7 @@ vstring_sprintf_append(next_command, " ORCPT=%s", vstring_str(session->scratch)); } else { - xtext_quote(session->scratch, orcpt_type_addr, "="); + xtext_quote(session->scratch, orcpt_type_addr, "+="); vstring_sprintf_append(next_command, " ORCPT=%s", vstring_str(session->scratch)); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.11.3/src/smtpd/smtpd.c new/postfix-3.11.4/src/smtpd/smtpd.c --- old/postfix-3.11.3/src/smtpd/smtpd.c 2025-12-22 23:08:53.000000000 +0100 +++ new/postfix-3.11.4/src/smtpd/smtpd.c 2026-06-08 18:02:48.000000000 +0200 @@ -4008,6 +4008,21 @@ off_t len; /* + * Skip inputs below 1.5 times the message size limit, staying in sync + * with the remote SMTP client. Otherwise, force a negative chunk_size + * value to disable reading and discarding input here, and to force a + * "lost connection" condition upon a later read operation. + */ + if (ENFORCING_SIZE_LIMIT(var_message_limit) + && state->act_size / 1.5 > var_message_limit - chunk_size / 1.5) { + chunk_size = -1; + } else if (state->act_size > OFF_T_MAX - chunk_size) { + state->act_size = OFF_T_MAX; + } else { + state->act_size += chunk_size; + } + + /* * Read and discard content from the remote SMTP client. TODO: drop the * connection in case of overload. */ @@ -4025,6 +4040,16 @@ va_end(ap); /* + * Force a "lost connection" condition upon the next read operation. + */ + if (chunk_size < 0) { + msg_warn("%s: too much BDAT content -- disabling further input from %s", + state->queue_id ? state->queue_id : "NOQUEUE", + state->namaddr); + shutdown(vstream_fileno(state->client), SHUT_RD); + } + + /* * Reset state, or drop subsequent BDAT payloads until BDAT LAST or RSET. */ if (final_chunk) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.11.3/src/tls/tls_dane.c new/postfix-3.11.4/src/tls/tls_dane.c --- old/postfix-3.11.3/src/tls/tls_dane.c 2026-05-15 19:43:35.000000000 +0200 +++ new/postfix-3.11.4/src/tls/tls_dane.c 2026-06-08 17:57:15.000000000 +0200 @@ -518,7 +518,7 @@ q, a, r, rr->type); /* Drop truncated records */ - if ((dlen = rr->data_len - 3) < 0) { + if ((dlen = rr->data_len - 3) <= 0) { msg_warn("%s%s%s: truncated TLSA RR length == %u", q, a, r, (unsigned) rr->data_len); return (0);
