Bug#977782: buster-pu: package postsrsd/1.5-2
On 31/01/21 11:08, Salvatore Bonaccorso wrote:
> Hi Oxan,
>
> On Sat, Jan 30, 2021 at 09:58:23PM +0100, Oxan van Leeuwen wrote:
> > Hi,
> >
> > On 30-01-2021 21:27, Salvatore Bonaccorso wrote:
> > > I noticed that today there was an upload to security-master for it.
> > > Given our previous discussion, was this an oversight? I just have
> > > rejected the package, could you please upload it for the upcoming
> > > point release instead to ftp-master?
> >
> > Ah, that wasn't the intention.
> >
> > @Tomasz: it seems you accidentally uploaded to the security archive tonight.
> > The last commit in the buster branch on Salsa should be for an upload to the
> > regular archive, maybe you forgot to pull? In any case, can you please
> > upload that one? Thanks!
>
> Thanks for clarification! If possible please do upload this weekend,
> because the uploading window for packages to enter the 10.8 point
> release would end tonight.
>
> Many thanks for your work!
>
> Regards,
> Salvatore

Oh, as usual, I messed it up. :|

Ok, now uploaded directly to buster (and with a proper e-mail of Oxan).
Let me know if that's better!

Tomasz
Bug#977782: buster-pu: package postsrsd/1.5-2
Hi Oxan,

On Sat, Jan 30, 2021 at 09:58:23PM +0100, Oxan van Leeuwen wrote:
> Hi,
>
> On 30-01-2021 21:27, Salvatore Bonaccorso wrote:
> > I noticed that today there was an upload to security-master for it.
> > Given our previous discussion, was this an oversight? I just have
> > rejected the package, could you please upload it for the upcoming
> > point release instead to ftp-master?
>
> Ah, that wasn't the intention.
>
> @Tomasz: it seems you accidentally uploaded to the security archive tonight.
> The last commit in the buster branch on Salsa should be for an upload to the
> regular archive, maybe you forgot to pull? In any case, can you please
> upload that one? Thanks!

Thanks for clarification! If possible please do upload this weekend,
because the uploading window for packages to enter the 10.8 point
release would end tonight.

Many thanks for your work!

Regards,
Salvatore
Bug#977782: buster-pu: package postsrsd/1.5-2
Hi,

On 30-01-2021 21:27, Salvatore Bonaccorso wrote:
> I noticed that today there was an upload to security-master for it.
> Given our previous discussion, was this an oversight? I just have
> rejected the package, could you please upload it for the upcoming
> point release instead to ftp-master?

Ah, that wasn't the intention.

@Tomasz: it seems you accidentally uploaded to the security archive tonight.
The last commit in the buster branch on Salsa should be for an upload to the
regular archive, maybe you forgot to pull? In any case, can you please
upload that one? Thanks!

Regards,
Oxan
Bug#977782: buster-pu: package postsrsd/1.5-2
Hi Oxan,

On Thu, Dec 31, 2020 at 05:11:13PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sun, 2020-12-20 at 20:48 +0100, Oxan van Leeuwen wrote:
> > Upstream recently discovered a potential remote denial-of-service
> > attack in postsrsd (CVE-2020-35573) [1]. Fortunately, this issue is
> > currently not exploitable in Debian due to gcc optimizing the
> > problematic loop away. Thus, the security has decided not to issue a
> > DSA [2], but instead suggested to fix it
> > through a stable update.
> >
>
> Please go ahead.

I noticed that today there was an upload to security-master for it.
Given our previous discussion, was this an oversight? I just have
rejected the package, could you please upload it for the upcoming
point release instead to ftp-master?

Regards,
Salvatore
Bug#977782: buster-pu: package postsrsd/1.5-2
Control: tags -1 + confirmed

On Sun, 2020-12-20 at 20:48 +0100, Oxan van Leeuwen wrote:
> Upstream recently discovered a potential remote denial-of-service
> attack in postsrsd (CVE-2020-35573) [1]. Fortunately, this issue is
> currently not exploitable in Debian due to gcc optimizing the
> problematic loop away. Thus, the security has decided not to issue a
> DSA [2], but instead suggested to fix it
> through a stable update.
>

Please go ahead.

Regards,

Adam
Bug#977782: buster-pu: package postsrsd/1.5-2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Upstream recently discovered a potential remote denial-of-service attack in
postsrsd (CVE-2020-35573) [1]. Fortunately, this issue is currently not
exploitable in Debian due to gcc optimizing the problematic loop away. Thus,
the security has decided not to issue a DSA [2], but instead suggested to fix
it through a stable update.

This issue is already fixed in postsrsd/1.10-1 in unstable and testing. I've
prepared a backport of the one-line fix to stable, and attached the source
debdiff. I've verified that this doesn't break anything and the package still
works properly.

Cheers,
Oxan

[1] https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac
[2] https://security-tracker.debian.org/tracker/CVE-2020-35573

diff -Nru postsrsd-1.5/debian/changelog postsrsd-1.5/debian/changelog --- postsrsd-1.5/debian/changelog 2019-02-23 14:27:44.0 +0100 +++ postsrsd-1.5/debian/changelog 2020-12-19 01:36:37.0 +0100 @@ -1,3 +1,11 @@ +postsrsd (1.5-2+deb10u1) buster; urgency=medium + + * CVE-2020-35573: Ensure timestamp tags aren't too long before trying to +decode them, to protect against a potential denial-of-service attack +(backported from upstream commit 4733fb1). + + -- Oxan van Leeuwen Sat, 19 Dec 2020 01:36:37 +0100 + postsrsd (1.5-2) unstable; urgency=medium * Increase hashlength for unit tests (cherry-picked from upstream db9ed58) diff -Nru postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch --- postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch 1970-01-01 01:00:00.0 +0100 +++ postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch 2020-12-19 01:36:37.0 +0100 
@@ -0,0 +1,29 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= +Date: Sat, 12 Dec 2020 10:42:28 +0100 +Subject: SECURITY: Fix potential denial of service attack against PostSRSd + +I discovered that PostSRSd could be tricked into consuming a lot of CPU +time with an SRS address that has an excessively long time stamp tag, +e.g. + +SRS0==T=0...@example.com + +(cherry picked from commit 4733fb11f6bec6524bb8518c5e1a699288c26bac) + +Fixes CVE-2020-35573. +--- + srs2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/srs2.c b/srs2.c +index b07a664..6a2eebb 100644 +--- a/srs2.c b/srs2.c +@@ -230,6 +230,7 @@ srs_timestamp_check(srs_t *srs, const char *stamp) + time_t now; + time_t then; + ++ if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE; + /* We had better go around this loop exactly twice! */ + then = 0; + for (sp = stamp; *sp; sp++) { diff -Nru postsrsd-1.5/debian/patches/series postsrsd-1.5/debian/patches/series --- postsrsd-1.5/debian/patches/series 2019-02-23 14:27:44.0 +0100 +++ postsrsd-1.5/debian/patches/series 2020-12-19 01:36:37.0 +0100 @@ -1,3 +1,4 @@ 0001-Adapt-init-scripts-for-Debian-practices.patch 0002-Increase-hash-length-for-unit-tests.patch 0003-Hook-up-endianness-sizeof-long-detection-code-in-SHA.patch +0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
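Review bot: in the debian/changelog hunk, the entry says the fix ensures timestamp tags "aren't too long", but the guard it backports (`strlen(stamp) != 2`) also refuses a one-character tag, so "are exactly two characters long" would describe the new behaviour precisely; the CVE id and the upstream commit reference 4733fb1 are otherwise stated correctly for a stable update.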
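Review bot: the new 0004-SECURITY-...patch file records its provenance only in free text ("cherry picked from commit 4733fb11f6bec6524bb8518c5e1a699288c26bac", "Fixes CVE-2020-35573"); a DEP-3 `Origin: upstream, https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac` header would make that machine-readable for the patch tracker. The guard itself, `if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE;`, is placed before the decoding loop, so a malformed tag is rejected before any work is done, which is exactly what the "go around this loop exactly twice" comment below it assumes; returning the out-of-date code for a malformed tag conflates two conditions, but since it mirrors upstream, keeping it unchanged is the right choice for a backport.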
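As an added illustration (not code from postsrsd, libsrs2 or this debdiff), a simplified C model of the timestamp check, showing why the length guard must run before decoding. It assumes the libsrs2 conventions for the tag (a base32 alphabet, five bits per character, a day counter that wraps every 1024 days, a 21-day maximum age) and assumes the expensive part is a catch-up loop of the form `while (now < then) now += 1024`; the model computes that loop's iteration count in closed form instead of running it, so it never spins, and the `guard` flag switches the backported check on and off.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Assumed libsrs2-style constants; this is a model, not the library's code. */
static const char TS_BASECHARS[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
#define TS_BASEBITS 5
#define TS_SIZE ((uint64_t)1 << 10)  /* day counter wraps every 1024 days */
#define TS_PRECISION (60 * 60 * 24)  /* one timestamp unit = one day */
#define MAXAGE_DAYS 21
enum { TS_OK = 0, TS_BAD_CHAR = -1, TS_OUT_OF_DATE = -2 };

/* Decode a tag of any length: without a length guard, every extra character
 * shifts the decoded day counter up by another five bits. */
static int decode_stamp(const char *stamp, uint64_t *then) {
    uint64_t v = 0;
    for (const char *sp = stamp; *sp; sp++) {
        const char *p = strchr(TS_BASECHARS, toupper((unsigned char)*sp));
        if (p == NULL || *p == '\0') return TS_BAD_CHAR;
        v = (v << TS_BASEBITS) | (uint64_t)(p - TS_BASECHARS);
    }
    *then = v;
    return TS_OK;
}

/* Iterations a "while (now < then) now += TS_SIZE;" catch-up loop would run,
 * computed in closed form so this model never spins. */
uint64_t catchup_iterations(uint64_t now_days, uint64_t then) {
    return then > now_days ? (then - now_days + TS_SIZE - 1) / TS_SIZE : 0;
}

/* Validate a tag. guard != 0 applies the CVE-2020-35573 fix: a tag that is not
 * exactly two characters is refused before any decoding happens. */
int timestamp_check(const char *stamp, time_t now, int guard, uint64_t *iterations) {
    uint64_t then, now_days, iters;
    if (guard && strlen(stamp) != 2) return TS_OUT_OF_DATE;
    if (decode_stamp(stamp, &then) != TS_OK) return TS_BAD_CHAR;
    now_days = ((uint64_t)now / TS_PRECISION) % TS_SIZE;
    iters = catchup_iterations(now_days, then);
    if (iterations) *iterations = iters;
    now_days += iters * TS_SIZE;  /* where the catch-up loop would leave now */
    return now_days <= then + MAXAGE_DAYS ? TS_OK : TS_OUT_OF_DATE;
}
/* Catch-up iterations the unguarded code would spend on a given tag. */
uint64_t unguarded_work(const char *stamp, time_t now) {
    uint64_t iters = 0;
    timestamp_check(stamp, now, 0, &iters);
    return iters;
}
```

For a constructed twelve-character tag such as "7AAAAAAAAAAA" the unguarded model reports a catch-up count in the 10^15 range, while with the guard on the same tag is rejected in constant time.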