From 65ef400c89881f59211a497a8dfa7fcfeea96c17 Mon Sep 17 00:00:00 2001
From: Fedor Vorobev
Date: Thu, 21 May 2026 12:44:53 +0200
Subject: [PATCH] Fix for CVE-2026-43964
Upstream note: * Bugfix (defect introduced: Postfix 2.3, date: 20050323): buffer over-read when Postfix an enhanced status code is not followed by other text. For example, "5.7.2" without text after the three-number code. This CANNOT be triggered with an SMTP or LMTP server response; is confirmed with an access(5) table and likely with a policy server response; can possibly be triggered with pipe-to-command output, header_checks(5), body_checks(5), an error(8) transport in transport_maps, or a milter response; and is confirmed with a DNSBL server TXT response while Postfix is configured with "$rbl_code $rbl_text" in rbl_reply_maps or default_rbl_reply. This could result in process termination. Problem reported by Kamil Frankowicz.
Resolves-Vulnerability: CVE-2026-43964
Resolves: RHEL-176548
---
 postfix-3.8.16-CVE-2026-43964.patch | 13 +++++++++++++
 postfix.spec | 10 +++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 postfix-3.8.16-CVE-2026-43964.patch
diff --git a/postfix-3.8.16-CVE-2026-43964.patch b/postfix-3.8.16-CVE-2026-43964.patch
new file mode 100644
index 0000000..d7a9183
--- /dev/null
+++ b/postfix-3.8.16-CVE-2026-43964.patch
@@ -0,0 +1,13 @@
+diff --git a/src/global/dsn_util.c b/src/global/dsn_util.c
+index 52b997a..5751128 100644
+--- a/src/global/dsn_util.c
++++ b/src/global/dsn_util.c
+@@ -154,7 +154,7 @@ DSN_SPLIT *dsn_split(DSN_SPLIT *dp, const char *def_dsn, const char *text)
+ if ((len = dsn_valid(cp)) > 0) {
+ strncpy(dp->dsn.data, cp, len);
+ dp->dsn.data[len] = 0;
+- cp += len + 1;
++ cp += len;
+ } else if ((len = dsn_valid(def_dsn)) > 0) {
+ strncpy(dp->dsn.data, def_dsn, len);
+ dp->dsn.data[len] = 0;
diff --git a/postfix.spec b/postfix.spec
index 805c1bf..de5749f 100644
--- a/postfix.spec
+++ b/postfix.spec
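Review bot: With `cp += len;` the pointer now rests on the separator character (or on the terminating NUL when the status code is the whole string) instead of one past it, so the change is only complete if the whitespace skipping that presumably follows in dsn_split consumes that separator; that code is outside the hunk and dsn_split's body continues past it, so the backport should be checked against the 3.5.8 copy of the function rather than the tree the hunk was cut from. Because the removed `+ 1` read as deliberate, the new line deserves a why-comment, e.g. `cp += len;  /* stay on the separator: the status code may end the string */`. The unchanged `strncpy(dp->dsn.data, cp, len); dp->dsn.data[len] = 0;` remains safe only while the largest value dsn_valid() can return stays below the size of dp->dsn.data, which the hunk does not show; a comment or assertion at the copy would make that invariant visible. A regression input of a bare `5.7.2` with no trailing text, the case named in the commit message, would pin the over-read fix if the module has a test driver.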
@@ -49,7 +49,7 @@
 Name: postfix
 Summary: Postfix Mail Transport Agent
 Version: 3.5.8
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 2
 Group: System Environment/Daemons
 URL: http://www.postfix.org
@@ -107,6 +107,9 @@
 Patch14: pflogsumm-1.1.5-syslog-name-underscore-fix.patch
 Patch15: postfix-3.5.8-SRV-resolve.patch
 # rhbz#2196577, ZUUL CI uses kernel 6 and we have to add this to postfix
 Patch16: postfix-3.5.8-makedefs.patch
+# https://redhat.atlassian.net/browse/RHEL-176548
+# https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html
+Patch17: postfix-3.8.16-CVE-2026-43964.patch
 # Optional patches - set the appropriate environment variables to include
 # them when building the package/spec file
@@ -250,6 +253,7 @@
 popd
 %patch14 -p1 -b .pflogsumm-1.1.5-syslog-name-underscore-fix
 %patch15 -p1 -b .SRV-resolve
 %patch16 -p1 -b .makedefs
+%patch17 -p1 -b .cve-2026-43964
 for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do
 iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
@@ -763,6 +767,10 @@
 exit 0
 %endif
 %changelog
+* Thu May 21 2026 Fedor Vorobev - 2:3.5.8-8
+- Fix for CVE-2026-43964: buffer over-read via malformed enhanced status code.
+ Resolves: RHEL-176548
+
 * Mon Aug 14 2023 Jaroslav Škarvada - 2:3.5.8-7
 - Fixed possible warning when postfix is restarted
 Resolves: rhbz#2162659
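Review bot: The new `Patch17: postfix-3.8.16-CVE-2026-43964.patch` breaks the naming pattern of its neighbours (`postfix-3.5.8-SRV-resolve.patch`, `postfix-3.5.8-makedefs.patch`), whose prefix records the packaged version 3.5.8; the 3.8.16 in the name presumably refers to the upstream release the hunk was taken from. Either rename it to `postfix-3.5.8-CVE-2026-43964.patch` to match, or extend the comment block above it to state that, e.g. `# upstream fix taken from postfix 3.8.16 (src/global/dsn_util.c), applied to 3.5.8`. Since the inner hunk's index and line offsets come from that newer tree, it is worth confirming in the build log that `%patch17 -p1 -b .cve-2026-43964` in the later hunk applies cleanly without fuzz on the 3.5.8 source. The backup suffix follows the existing `.SRV-resolve`/`.makedefs` style, so no change is needed there.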