pkgsrc-Users archive


mail/postsrsd: patch for CVE-2020-35573



Hi,

please find attached the patch for CVE-2020-35573.

Regards
Matthias Ferdinand
-- 
one4vision GmbH                    Fon +49 681 96727 - 60
Residenz am Schlossgarten          Fax +49 681 96727 - 69
Talstraße 34-42                    info%one4vision.de@localhost
D-66119 Saarbrücken                http://www.one4vision.de
HRB 11751                          verantwortl. Geschäftsführer:
Amtsgericht Saarbrücken            Christof Allmann, Christoph Harth
$NetBSD$

Fix for https://nvd.nist.gov/vuln/detail/CVE-2020-35573:
  srs2.c in PostSRSd before 1.10 allows remote attackers to cause a denial of
  service (CPU consumption) via a long timestamp tag in an SRS address.

https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac
https://lists.debian.org/debian-lts-announce/2020/12/msg00031.html

--- srs2.c.orig	2016-02-13 23:40:42.000000000 +0000
+++ srs2.c
@@ -230,6 +230,7 @@ srs_timestamp_check(srs_t *srs, const ch
 	time_t		 now;
 	time_t		 then;
 
+	if (strlen(stamp) != 2) return SRS_ETIMESTAMPOUTOFDATE;
 	/* We had better go around this loop exactly twice! */
 	then = 0;
 	for (sp = stamp; *sp; sp++) {
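Review bot: the comment on the line right after the new check ("We had better go around this loop exactly twice!") now describes an invariant the inserted `strlen(stamp) != 2` test actually enforces, so it should be updated to say that the length check above guarantees exactly two iterations; a note next to the check that it stops the unbounded per-character work on a long timestamp tag (the CPU-consumption denial of service named in the patch header) would make the intent clear to the next reader. The error returned, `SRS_ETIMESTAMPOUTOFDATE`, names a stale timestamp rather than a malformed one; that is acceptable for rejecting the address, but a one-line comment explaining why that code is reused for the length case would keep callers from misreading the failure.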

