From 57cce9540b9038aa96f60b653d51aaa67470f99b Mon Sep 17 00:00:00 2001
From: Fedor Vorobev
Date: Thu, 21 May 2026 12:44:53 +0200
Subject: [PATCH] Fix for CVE-2026-43964

Upstream note:

* Bugfix (defect introduced: Postfix 2.3, date: 20050323): buffer over-read when an enhanced status code is not followed by other text. For example, "5.7.2" without text after the three-number code. This CANNOT be triggered with an SMTP or LMTP server response; is confirmed with an access(5) table and likely with a policy server response; can possibly be triggered with pipe-to-command output, header_checks(5), body_checks(5), an error(8) transport in transport_maps, or a milter response; and is confirmed with a DNSBL server TXT response while Postfix is configured with "$rbl_code $rbl_text" in rbl_reply_maps or default_rbl_reply. This could result in process termination. Problem reported by Kamil Frankowicz.

Resolves-Vulnerability: CVE-2026-43964
Resolves: RHEL-176544
---
 postfix-3.8.16-CVE-2026-43964.patch | 13 +++++++++++++
 postfix.spec                        | 10 +++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 postfix-3.8.16-CVE-2026-43964.patch

diff --git a/postfix-3.8.16-CVE-2026-43964.patch b/postfix-3.8.16-CVE-2026-43964.patch new file mode 100644 index 0000000..d7a9183 --- /dev/null +++ b/postfix-3.8.16-CVE-2026-43964.patch @@ -0,0 +1,13 @@ +diff --git a/src/global/dsn_util.c b/src/global/dsn_util.c +index 52b997a..5751128 100644 +--- a/src/global/dsn_util.c ++++ b/src/global/dsn_util.c +@@ -154,7 +154,7 @@ DSN_SPLIT *dsn_split(DSN_SPLIT *dp, const char *def_dsn, const char *text) + if ((len = dsn_valid(cp)) > 0) { + strncpy(dp->dsn.data, cp, len); + dp->dsn.data[len] = 0; +- cp += len + 1; ++ cp += len; + } else if ((len = dsn_valid(def_dsn)) > 0) { + strncpy(dp->dsn.data, def_dsn, len); + dp->dsn.data[len] = 0; diff --git a/postfix.spec b/postfix.spec index f3ef3f1..c5898a0 100644 --- a/postfix.spec +++ b/postfix.spec 
@@ -46,7 +46,7 @@ Name: postfix Summary: Postfix Mail Transport Agent Version: 3.5.25 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://www.postfix.org License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+) @@ -103,6 +103,9 @@ Patch14: pflogsumm-1.1.5-syslog-name-underscore-fix.patch # rhbz#2134789, backported feature from upstream Patch15: postfix-3.5.25-SRV-resolve.patch Patch16: postfix-3.5.25-rhel-remove-version-mismatch-warning.patch +# https://redhat.atlassian.net/browse/RHEL-176550 +# https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html +Patch17: postfix-3.8.16-CVE-2026-43964.patch # Optional patches - set the appropriate environment variables to include # them when building the package/spec file @@ -259,6 +262,7 @@ popd %patch14 -p1 -b .pflogsumm-1.1.5-syslog-name-underscore-fix %patch15 -p1 -b .SRV-resolution %patch16 -p1 -b .warning +%patch17 -p1 -b .cve-2026-43964 for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do iconv -f iso8859-1 -t utf8 -o ${f}{_,} && @@ -805,6 +809,10 @@ fi %endif %changelog +* Thu May 21 2026 Fedor Vorobev - 2:3.5.25-3 +- Fix for CVE-2026-43964: buffer over-read via malformed enhanced status code. + Resolves: RHEL-176544 + * Tue Jan 06 2026 Fedor Vorobev - 2:3.5.25-2 - Added a RHEL-specific patch to remove an OpenSSL version mismatch warning. RHEL-128018
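Review bot: in the dsn_util.c hunk inside the new patch file, `cp += len;` stops the pointer from stepping over the terminating NUL when the status code is the last thing in `text` (the "5.7.2" with nothing after it case from the commit message), but the three trailing context lines do not show how the separator after a normal "5.7.2 some text" code is consumed now that the `+ 1` is gone. Confirm that the code following this block skips leading whitespace before assigning the text pointer; otherwise the returned text would begin with the space that `len + 1` used to skip, which would change the rendered reply for every well-formed input. The `else if` branch copies from `def_dsn` and never advanced `cp` for it, so the two branches are now consistent in that respect.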
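Review bot: in the `@@ -103,6 +103,9 @@` hunk the tracker comment points at RHEL-176550, while the commit message and the %changelog entry both say `Resolves: RHEL-176544`; one of the two identifiers is wrong and should be corrected so the spec and the changelog agree. The patch is also named `postfix-3.8.16-CVE-2026-43964.patch` although `Version:` is 3.5.25 and the sibling patches use the `postfix-3.5.25-*` prefix; either rename it or add a word to the comment saying it is backported from 3.8.16, as the `# rhbz#2134789, backported feature from upstream` comment above Patch15 already does.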