--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package postsrsd/1.5-2
- From: Oxan van Leeuwen <oxan@oxanvanleeuwen.nl>
- Date: Sun, 20 Dec 2020 20:48:06 +0100
- Message-id: <160849368648.12701.9198143416705134562.reportbug@thomson.student.utwente.nl>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Upstream recently discovered a potential remote denial-of-service attack in
postsrsd (CVE-2020-35573) [1]. Fortunately, this issue is currently not
exploitable in Debian due to gcc optimizing the problematic loop away. Thus, the
security has decided not to issue a DSA [2], but instead suggested to fix it
through a stable update.
This issue is already fixed in postsrsd/1.10-1 in unstable and testing.
I've prepared a backport of the one-line fix to stable, and attached the source
debdiff. I've verified that this doesn't break anything and the package still
works properly.
Cheers,
Oxan
[1] https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac
[2] https://security-tracker.debian.org/tracker/CVE-2020-35573
diff -Nru postsrsd-1.5/debian/changelog postsrsd-1.5/debian/changelog
--- postsrsd-1.5/debian/changelog 2019-02-23 14:27:44.000000000 +0100
+++ postsrsd-1.5/debian/changelog 2020-12-19 01:36:37.000000000 +0100
@@ -1,3 +1,11 @@
+postsrsd (1.5-2+deb10u1) buster; urgency=medium
+
+ * CVE-2020-35573: Ensure timestamp tags aren't too long before trying to
+ decode them, to protect against a potential denial-of-service attack
+ (backported from upstream commit 4733fb1).
+
+ -- Oxan van Leeuwen <oxan@oxanvanleeuwen.nl> Sat, 19 Dec 2020 01:36:37 +0100
+
postsrsd (1.5-2) unstable; urgency=medium
* Increase hashlength for unit tests (cherry-picked from upstream db9ed58)
diff -Nru postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
--- postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch 1970-01-01 01:00:00.000000000 +0100
+++ postsrsd-1.5/debian/patches/0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch 2020-12-19 01:36:37.000000000 +0100
@@ -0,0 +1,29 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <timo@gaussglocke.de>
+Date: Sat, 12 Dec 2020 10:42:28 +0100
+Subject: SECURITY: Fix potential denial of service attack against PostSRSd
+
+I discovered that PostSRSd could be tricked into consuming a lot of CPU
+time with an SRS address that has an excessively long time stamp tag,
+e.g.
+
+SRS0=HHHH=TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT=0@example.com
+
+(cherry picked from commit 4733fb11f6bec6524bb8518c5e1a699288c26bac)
+
+Fixes CVE-2020-35573.
+---
+ srs2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/srs2.c b/srs2.c
+index b07a664..6a2eebb 100644
+--- a/srs2.c
++++ b/srs2.c
+@@ -230,6 +230,7 @@ srs_timestamp_check(srs_t *srs, const char *stamp)
+ time_t now;
+ time_t then;
+
++ if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE;
+ /* We had better go around this loop exactly twice! */
+ then = 0;
+ for (sp = stamp; *sp; sp++) {
diff -Nru postsrsd-1.5/debian/patches/series postsrsd-1.5/debian/patches/series
--- postsrsd-1.5/debian/patches/series 2019-02-23 14:27:44.000000000 +0100
+++ postsrsd-1.5/debian/patches/series 2020-12-19 01:36:37.000000000 +0100
@@ -1,3 +1,4 @@
0001-Adapt-init-scripts-for-Debian-practices.patch
0002-Increase-hash-length-for-unit-tests.patch
0003-Hook-up-endianness-sizeof-long-detection-code-in-SHA.patch
+0004-SECURITY-Fix-potential-denial-of-service-attack-agai.patch
--- End Message ---