mail/postsrsd: patch for CVE-2020-35573

To: pkgsrc-users%netbsd.org@localhost
Subject: mail/postsrsd: patch for CVE-2020-35573
From: Matthias Ferdinand <mf%14v.de@localhost>
Date: Fri, 8 Jan 2021 11:56:43 +0100

Hi,

please find attached the patch for CVE-2020-35573.

Regards
Matthias Ferdinand
-- 
one4vision GmbH                    Fon +49 681 96727 - 60
Residenz am Schlossgarten          Fax +49 681 96727 - 69
Talstraße 34-42                    info%one4vision.de@localhost
D-66119 Saarbrücken                http://www.one4vision.de
HRB 11751                          verantwortl. Geschäftsführer:
Amtsgericht Saarbrücken            Christof Allmann, Christoph Harth

$NetBSD$

Fix for https://nvd.nist.gov/vuln/detail/CVE-2020-35573:
  srs2.c in PostSRSd before 1.10 allows remote attackers to cause a denial of
  service (CPU consumption) via a long timestamp tag in an SRS address.

https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac
https://lists.debian.org/debian-lts-announce/2020/12/msg00031.html

--- srs2.c.orig	2016-02-13 23:40:42.000000000 +0000
+++ srs2.c
@@ -230,6 +230,7 @@ srs_timestamp_check(srs_t *srs, const ch
 	time_t		 now;
 	time_t		 then;
 
+	if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE;
 	/* We had better go around this loop exactly twice! */
 	then = 0;
 	for (sp = stamp; *sp; sp++) {

Prev by Date: Question about PKG_DEVELOPER and math/py-scipy
Next by Date: [Greg Troxel] pkgsrc-2020Q4 released
Previous by Thread: Question about PKG_DEVELOPER and math/py-scipy
Next by Thread: [Greg Troxel] pkgsrc-2020Q4 released
Indexes:

Home | Main Index | Thread Index | Old Index