[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.11.5.html]

This release addresses medium-impact problems that need to be fixed
as some enable remote DOS, or local memory corruption.

The fixes below, and more, are also released in the unstable version
postfix-3.12-20260706.

In addition to updated releases for the supported Postfix versions
3.8-3.11, releases will also be available for the out-of-support
Postfix versions 3.5-3.7. NOTE: these do not include the patches
for out-of-support Postfix versions that have been issued for "large
SMTP inputs (June 2026)", "TLSA parsing (June 2026)", and "SMTP
smuggling fixes". Those patches still need to be applied.

These defects were found by Qualys assisted by Claude Mythos Preview;
more than half date from 20 or more years ago. When I implemented
Postfix, I knew that there were going to be mistakes. That is the
reason why Postfix has its architecture and safety nets. The number
of defects may seem large, but consdering that they were found in
a code base of some 150 thousand lines, the error rate is still
lower than what I designed for.

Denial of service:

  * Bug (defect introduced: Postfix 2.7, date: 20090617): out-of-memory
    condition with remote input in the postscreen dummy SMTP engine.
    This dummy engine is used after PREGREET or DNSBL checks fail,
    or when "after 220" protocol checks are enabled. Reported by
    Qualys, assisted by Claude Mythos Preview.

  * Bug (defect introduced: Postfix 2.0, date: 20030619): file
    system DOS: with smtpd_proxy_filter enabled, the before-filter
    SMTP server did not enforce the message size limit for mailbox
    From_ lines at the beginning of a message. With smtpd_proxy_filter
    disabled, the file size limit was still enforced by the cleanup
    daemon. Reported by Qualys, assisted by Claude Mythos Preview.

Memory corruption:

  * Bug (defect introduced: Postfix 2.3, date: 20060611): double
    ldap_msgfree(resloop) call during error handling when
    special_result_attribute is configured. An attacker who controls
    the LDAP server or can play attacker-in-the-middle could corrupt
    heap memory. Reported by Qualys, assisted by Claude Mythos
    Preview.

  * Bug (defect introduced: Postfix 3.4, date: 20190121): missing
    null termination in a postlogd process that was started with
    an EMPTY maillog_file setting, while receiving a message from
    a postlog command that was started with a NON-EMPTY maillog_file
    setting. Under these contradicting conditions, an unprivileged
    attacker could cause postlogd to write null bytes to stack
    memory as it tokenized text outside the receive buffer, and
    possibly gain 'postfix' privilege. Problem reported by Qualys,
    assisted by Claude Mythos Preview.

  * Bug (defect introduced: Postfix 2.3, date: 20060711): one-byte
    heap over-write in the Milter client with soft_bounce=yes while
    processing a malformed SMFIR_REPLYCODE Milter response. An
    attacker who controls the Milter or who can play attacker-in-the-middle
    could corrupt heap memory. Reported by Qualys, assisted by
    Claude Mythos Preview.

Other crashes and panic()s:

  * Bug (defect introduced: Postfix 2.1, date: 20030619): SMTP
    server panic() in smtpd_proxy_filter when handling long mailbox
    From_ lines at the beginning of a message. Reported by Qualys,
    assisted by Claude Mythos Preview.

  * Bug (defect introduced: Postfix 3.1, date: 20151129): a missing
    return statement in the SHOWQ_CLEANUP_AND_RETURN() macro. A
    local user could submit a crafted message that triggered a
    read-after-free and panic() in the unprivileged showq daemon
    (which scans the mail queue for the 'postqueue -p' and 'mailq'
    commands). This could happen only before a message had been
    picked up by the pickup(8) daemon. Problem reported by Qualys,
    assisted by Claude Mythos Preview.

  * Bug: (defect introduced: Postfix 3.10, date: 20240925): NULL
    pointer read in the TLSRPT client, caused by missing STR_OR_NULL()
    wrappers. Reported by Qualys, assisted by Claude Mythos Preview.

  * Bug (defect introduced: Postfix < alpha, date: 1997): missing
    recursion guard while processing :include: files that directly
    include other :include: files in local(8) aliases or .forward
    files. This could result in exhausting stack space (segfault)
    or file handles (fatal error). This is not a global DOS; it
    affected at most two parallel delivery processes for the local
    recipient who created the condition. Reported by Qualys, assisted
    by Claude Mythos Preview.

Other read after free:

  * Bug (defect introduced: postfix-3.11.0-RC1, date: 20251222):
    heap memory over-read in the cleanup daemon as it handled a
    milter "shutdown" reply. The over-read memory was logged after
    masking unprintable content. Problem reported by Qualys, assisted
    by Claude Mythos Preview.

  * Bug (defect introduced: Postfix 2.3, date: 20050526): limited
    (<= 11 byte) heap over-read in the cleanup daemon. This could
    be triggered by local user with a crafted queue file, but the
    over-read content was not disclosed and there was no other
    impact. Problem reported by Qualys, assisted by Claude Mythos
    Preview.

  * Bug (defect introduced: Postfix < alpha, date: 19971221): a
    signal handler in the postdrop command could call unlink() with
    a pathname that was already wiped and free()d, but not yet
    reused. Reported by Qualys, assisted by Claude Mythos Preview.

Other code hygiene:

  * Bug (defect introduced: Postfix 3.11, date: 20260219): In the
    non-BerkeleyDB re-indexing server, vstream_fopen_as() ignored
    the uid and gid arguments and opened a database source file
    read-only as the 'postfix' user instead of the file owner.
    Reported by Qualys, assisted by Claude Mythos Preview.

  * Bug (defect introduced: Postfix 2.2. date: 20040829): after a
    RAND_bytes() call failure, do not rely on stack-based
    pseudo-randomness for tlsmgr seed generation, and for timing
    jitter of tlsmgr seed refresh intervals. Reported by Qualys,
    assisted by Claude Mythos Preview.

  * Bug (defect introduced: Postfix 2.3, date: 20060711): In the
    Milter client, null-terminate the SMFIR_REPLYCODE response data
    to exclude stale data when processing the result as a C string.
    Reported by Qualys, assisted by Claude Mythos Preview.

Proactive changes:

  * Hardening: make sure that optimizers will not delete a memset()
    call in myfree() that wipes memory.

  * Allow zero-length memory allocation requests. Many people have
    experience with systems that allow this, therefore it should
    not trigger a panic in Postfix.

  * Safety: added a global recursion guard in the local delivery
    agent.

You can find the updated Postfix source code at the mirrors
listed at https://www.postfix.org/.

        Wietse
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to