Fix for CVE-2026-43964

Upstream note:
  * Bugfix (defect introduced: Postfix 2.3, date: 20050323): buffer
    over-read when Postfix an enhanced status code is not followed
    by other text. For example, "5.7.2" without text after the
    three-number code. This CANNOT be triggered with an SMTP or
    LMTP server response; is confirmed with an access(5) table and
    likely with a policy server response; can possibly be triggered
    with pipe-to-command output, header_checks(5), body_checks(5),
    an error(8) transport in transport_maps, or a milter response;
    and is confirmed with a DNSBL server TXT response while Postfix
    is configured with "$rbl_code $rbl_text" in rbl_reply_maps or
    default_rbl_reply. This could result in process termination.
    Problem reported by Kamil Frankowicz.

Resolves-Vulnerability: CVE-2026-43964
Resolves: RHEL-176544
This commit is contained in:
Fedor Vorobev 2026-05-21 12:44:53 +02:00
parent 9cec44912e
commit 57cce9540b
2 changed files with 22 additions and 1 deletions

View File

@ -0,0 +1,13 @@
diff --git a/src/global/dsn_util.c b/src/global/dsn_util.c
index 52b997a..5751128 100644
--- a/src/global/dsn_util.c
+++ b/src/global/dsn_util.c
@@ -154,7 +154,7 @@ DSN_SPLIT *dsn_split(DSN_SPLIT *dp, const char *def_dsn, const char *text)
if ((len = dsn_valid(cp)) > 0) {
strncpy(dp->dsn.data, cp, len);
dp->dsn.data[len] = 0;
- cp += len + 1;
+ cp += len;
} else if ((len = dsn_valid(def_dsn)) > 0) {
strncpy(dp->dsn.data, def_dsn, len);
dp->dsn.data[len] = 0;

View File

@ -46,7 +46,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 3.5.25
Release: 2%{?dist}
Release: 3%{?dist}
Epoch: 2
URL: http://www.postfix.org
License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+)
@ -103,6 +103,9 @@ Patch14: pflogsumm-1.1.5-syslog-name-underscore-fix.patch
# rhbz#2134789, backported feature from upstream
Patch15: postfix-3.5.25-SRV-resolve.patch
Patch16: postfix-3.5.25-rhel-remove-version-mismatch-warning.patch
# https://redhat.atlassian.net/browse/RHEL-176550
# https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html
Patch17: postfix-3.8.16-CVE-2026-43964.patch
# Optional patches - set the appropriate environment variables to include
# them when building the package/spec file
@ -259,6 +262,7 @@ popd
%patch14 -p1 -b .pflogsumm-1.1.5-syslog-name-underscore-fix
%patch15 -p1 -b .SRV-resolution
%patch16 -p1 -b .warning
%patch17 -p1 -b .cve-2026-43964
for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do
iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
@ -805,6 +809,10 @@ fi
%endif
%changelog
* Thu May 21 2026 Fedor Vorobev <fvorobev@redhat.com> - 2:3.5.25-3
- Fix for CVE-2026-43964: buffer over-read via malformed enhanced status code.
Resolves: RHEL-176544
* Tue Jan 06 2026 Fedor Vorobev <fvorobev@redhat.com> - 2:3.5.25-2
- Added a RHEL-specific patch to remove an OpenSSL version mismatch warning.
RHEL-128018