Postfix
cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*
- < 3.8.16
- < 3.9
- < 3.10
A buffer over-read vulnerability has been identified in Postfix versions prior to 3.8.16, 3.9 prior to 3.9.10, and 3.10 prior to 3.10.9. An enhanced status code that lacks accompanying text after the third number is interpreted incorrectly, which can crash the process. The issue arises in the proxymap daemon, which can dereference an uninitialized pointer after a request protocol error, leading to process termination. While this specific defect is not exposed to users, the buffer over-read can be triggered under certain conditions, such as with an access table response, a policy server response, or pipe-to-command output, among other scenarios.
Exploitation of this vulnerability can lead to a process crash, causing a denial of service condition.
The vulnerability can be reproduced by sending an enhanced status code that is not followed by text after the third number. This can be done through an access table response, a policy server response, or by using pipe-to-command output, header checks, body checks, an error transport in transport maps, or a milter response. The issue has also been confirmed with a DNSBL server TXT response when Postfix is configured to include RBL code and text in the reply.
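An added example, not taken from the advisory or from the Postfix project: an audit script that flags entries in local lookup tables, or saved policy replies, whose result ends in an enhanced status code with no text after it, which is the input shape described above. The regular expression for the code shape (RFC 3463 style class.subject.detail), the function names and the sample table are assumptions constructed for illustration.

```python
import re

# Assumed code shape (RFC 3463 style): class 2, 4 or 5, then two 1-3 digit parts.
# The lookbehind keeps the tail of a dotted quad such as 10.4.2.2 from matching.
BARE_CODE = re.compile(r"(?<![\w.])([245]\.\d{1,3}\.\d{1,3})\s*$")

# Constructed sample in access(5) style; names and addresses are placeholders.
SAMPLE = """\
# constructed entries
spammer.example      REJECT 5.7.1 Mail refused by policy
bare.example         REJECT 5.7.1
relay.example        OK
wrapped.example      550
    5.7.1
198.51.100.7         REJECT Blocked resolver 4.2.2.2
"""

def logical_lines(text):
    """Yield (first_line_number, logical_line), joining continuation lines
    (leading whitespace) and skipping blank and comment lines."""
    start, buf = 0, None
    for num, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and buf is not None:
            buf += " " + raw.strip()
            continue
        if buf is not None:
            yield start, buf
        start, buf = num, raw.rstrip()
    if buf is not None:
        yield start, buf

def find_bare_codes(text):
    """Return [(line_number, code)] for results that end in a code with no text."""
    hits = []
    for num, line in logical_lines(text):
        m = BARE_CODE.search(line)
        # Require something before the code (a lookup key or "action=").
        if m and line[:m.start()].strip():
            hits.append((num, m.group(1)))
    return hits

if __name__ == "__main__":
    for num, code in find_bare_codes(SAMPLE):
        print(f"line {num}: enhanced status code {code} has no text after it")
```

Matches are candidates for review: any line that ends in a three-part number starting with 2, 4 or 5 is reported, whether or not it is a status code.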
Users can upgrade to Postfix 3.11.2 or Postfix 3.10.9 to address this vulnerability.