[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.11.5.html]
This release addresses medium-impact problems that need to be fixed
as some enable remote DOS, or local memory corruption.
The fixes below, and more, are also released in the unstable version
postfix-3.12-20260706.
In addition to updated releases for the supported Postfix versions
3.8-3.11, releases will also be available for the out-of-support
Postfix versions 3.5-3.7. NOTE: these do not include the patches
for out-of-support Postfix versions that have been issued for "large
SMTP inputs (June 2026)", "TLSA parsing (June 2026)", and "SMTP
smuggling fixes". Those patches still need to be applied.
These defects were found by Qualys assisted by Claude Mythos Preview;
more than half date from 20 or more years ago. When I implemented
Postfix, I knew that there were going to be mistakes. That is the
reason why Postfix has its architecture and safety nets. The number
of defects may seem large, but consdering that they were found in
a code base of some 150 thousand lines, the error rate is still
lower than what I designed for.
Denial of service:
* Bug (defect introduced: Postfix 2.7, date: 20090617): out-of-memory
condition with remote input in the postscreen dummy SMTP engine.
This dummy engine is used after PREGREET or DNSBL checks fail,
or when "after 220" protocol checks are enabled. Reported by
Qualys, assisted by Claude Mythos Preview.
* Bug (defect introduced: Postfix 2.0, date: 20030619): file
system DOS: with smtpd_proxy_filter enabled, the before-filter
SMTP server did not enforce the message size limit for mailbox
From_ lines at the beginning of a message. With smtpd_proxy_filter
disabled, the file size limit was still enforced by the cleanup
daemon. Reported by Qualys, assisted by Claude Mythos Preview.
Memory corruption:
* Bug (defect introduced: Postfix 2.3, date: 20060611): double
ldap_msgfree(resloop) call during error handling when
special_result_attribute is configured. An attacker who controls
the LDAP server or can play attacker-in-the-middle could corrupt
heap memory. Reported by Qualys, assisted by Claude Mythos
Preview.
* Bug (defect introduced: Postfix 3.4, date: 20190121): missing
null termination in a postlogd process that was started with
an EMPTY maillog_file setting, while receiving a message from
a postlog command that was started with a NON-EMPTY maillog_file
setting. Under these contradicting conditions, an unprivileged
attacker could cause postlogd to write null bytes to stack
memory as it tokenized text outside the receive buffer, and
possibly gain 'postfix' privilege. Problem reported by Qualys,
assisted by Claude Mythos Preview.
* Bug (defect introduced: Postfix 2.3, date: 20060711): one-byte
heap over-write in the Milter client with soft_bounce=yes while
processing a malformed SMFIR_REPLYCODE Milter response. An
attacker who controls the Milter or who can play attacker-in-the-middle
could corrupt heap memory. Reported by Qualys, assisted by
Claude Mythos Preview.
Other crashes and panic()s:
* Bug (defect introduced: Postfix 2.1, date: 20030619): SMTP
server panic() in smtpd_proxy_filter when handling long mailbox
From_ lines at the beginning of a message. Reported by Qualys,
assisted by Claude Mythos Preview.
* Bug (defect introduced: Postfix 3.1, date: 20151129): a missing
return statement in the SHOWQ_CLEANUP_AND_RETURN() macro. A
local user could submit a crafted message that triggered a
read-after-free and panic() in the unprivileged showq daemon
(which scans the mail queue for the 'postqueue -p' and 'mailq'
commands). This could happen only before a message had been
picked up by the pickup(8) daemon. Problem reported by Qualys,
assisted by Claude Mythos Preview.
* Bug: (defect introduced: Postfix 3.10, date: 20240925): NULL
pointer read in the TLSRPT client, caused by missing STR_OR_NULL()
wrappers. Reported by Qualys, assisted by Claude Mythos Preview.
* Bug (defect introduced: Postfix < alpha, date: 1997): missing
recursion guard while processing :include: files that directly
include other :include: files in local(8) aliases or .forward
files. This could result in exhausting stack space (segfault)
or file handles (fatal error). This is not a global DOS; it
affected at most two parallel delivery processes for the local
recipient who created the condition. Reported by Qualys, assisted
by Claude Mythos Preview.
Other read after free:
* Bug (defect introduced: postfix-3.11.0-RC1, date: 20251222):
heap memory over-read in the cleanup daemon as it handled a
milter "shutdown" reply. The over-read memory was logged after
masking unprintable content. Problem reported by Qualys, assisted
by Claude Mythos Preview.
* Bug (defect introduced: Postfix 2.3, date: 20050526): limited
(<= 11 byte) heap over-read in the cleanup daemon. This could
be triggered by local user with a crafted queue file, but the
over-read content was not disclosed and there was no other
impact. Problem reported by Qualys, assisted by Claude Mythos
Preview.
* Bug (defect introduced: Postfix < alpha, date: 19971221): a
signal handler in the postdrop command could call unlink() with
a pathname that was already wiped and free()d, but not yet
reused. Reported by Qualys, assisted by Claude Mythos Preview.
Other code hygiene:
* Bug (defect introduced: Postfix 3.11, date: 20260219): In the
non-BerkeleyDB re-indexing server, vstream_fopen_as() ignored
the uid and gid arguments and opened a database source file
read-only as the 'postfix' user instead of the file owner.
Reported by Qualys, assisted by Claude Mythos Preview.
* Bug (defect introduced: Postfix 2.2. date: 20040829): after a
RAND_bytes() call failure, do not rely on stack-based
pseudo-randomness for tlsmgr seed generation, and for timing
jitter of tlsmgr seed refresh intervals. Reported by Qualys,
assisted by Claude Mythos Preview.
* Bug (defect introduced: Postfix 2.3, date: 20060711): In the
Milter client, null-terminate the SMFIR_REPLYCODE response data
to exclude stale data when processing the result as a C string.
Reported by Qualys, assisted by Claude Mythos Preview.
Proactive changes:
* Hardening: make sure that optimizers will not delete a memset()
call in myfree() that wipes memory.
* Allow zero-length memory allocation requests. Many people have
experience with systems that allow this, therefore it should
not trigger a panic in Postfix.
* Safety: added a global recursion guard in the local delivery
agent.
You can find the updated Postfix source code at the mirrors
listed at https://www.postfix.org/.
Wietse
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]