Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id
<6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #977782,
regarding buster-pu: package postsrsd/1.5-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
977782: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977782
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Upstream recently discovered a potential remote denial-of-service attack in
postsrsd (CVE-2020-35573) [1]. Fortunately, this issue is currently not
exploitable in Debian due to gcc optimizing the problematic loop away. Thus,
the
security has decided not to issue a DSA [2], but instead suggested to fix it
through a stable update.
This issue is already fixed in postsrsd/1.10-1 in unstable and testing.
I've prepared a backport of the one-line fix to stable, and attached the source
debdiff. I've verified that this doesn't break anything and the package still
works properly.
Cheers,
Oxan
[1]
https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac
[2] https://security-tracker.debian.org/tracker/CVE-2020-35573
diff -Nru postsrsd-1.5/debian/changelog postsrsd-1.5/debian/changelog
--- postsrsd-1.5/debian/changelog 2019-02-23 14:27:44.000000000 +0100
+++ postsrsd-1.5/debian/changelog 2020-12-19 01:36:37.000000000 +0100
@@ -1,3 +1,11 @@
+postsrsd (1.5-2+deb10u1) buster; urgency=medium
+
+ * CVE-2020-35573: Ensure timestamp tags aren't too long before trying to
+ decode them, to protect against a potential denial-of-service attack
+ (backported from upstream commit 4733fb1).
+
+ -- Oxan van Leeuwen <[email protected]> Sat, 19 Dec 2020 01:36:37 +0100
+
postsrsd (1.5-2) unstable; urgency=medium
* Increase hashlength for unit tests (cherry-picked from upstream db9ed58)
diff -Nru
postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
---
postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
1970-01-01 01:00:00.000000000 +0100
+++
postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
2020-12-19 01:36:37.000000000 +0100
@@ -0,0 +1,29 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <[email protected]>
+Date: Sat, 12 Dec 2020 10:42:28 +0100
+Subject: SECURITY: Fix potential denial of service attack against PostSRSd
+
+I discovered that PostSRSd could be tricked into consuming a lot of CPU
+time with an SRS address that has an excessively long time stamp tag,
+e.g.
+
+SRS0=HHHH=TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT=0...@example.com
+
+(cherry picked from commit 4733fb11f6bec6524bb8518c5e1a699288c26bac)
+
+Fixes CVE-2020-35573.
+---
+ srs2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/srs2.c b/srs2.c
+index b07a664..6a2eebb 100644
+--- a/srs2.c
++++ b/srs2.c
+@@ -230,6 +230,7 @@ srs_timestamp_check(srs_t *srs, const char *stamp)
+ time_t now;
+ time_t then;
+
++ if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE;
+ /* We had better go around this loop exactly twice! */
+ then = 0;
+ for (sp = stamp; *sp; sp++) {
diff -Nru postsrsd-1.5/debian/patches/series postsrsd-1.5/debian/patches/series
--- postsrsd-1.5/debian/patches/series 2019-02-23 14:27:44.000000000 +0100
+++ postsrsd-1.5/debian/patches/series 2020-12-19 01:36:37.000000000 +0100
@@ -1,3 +1,4 @@
0001-Adapt-init-scripts-for-Debian-practices.patch
0002-Increase-hash-length-for-unit-tests.patch
0003-Hook-up-endianness-sizeof-long-detection-code-in-SHA.patch
+0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.8
Hi,
Each of the updates referenced by these bugs was included in today's
10.8 point release.
Regards,
Adam
--- End Message ---
