Bug 132821 - mail-filter/libspf format string vulnerability (CVE-2006-1520)
Summary: mail-filter/libspf format string vulnerability (CVE-2006-1520)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
Whiteboard: ~1 [ebuild+ masked] jaervosz
Reported: 2006-05-09 13:54 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-01-13 17:00 UTC (History)
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-09 13:54:57 UTC
Reported by Karl Chen:
Libspf contains at least one format string vulnerability which is
remote-exploitable when debugging is enabled.

Example of attacker controlling the email address:
  spfqtool -d 4 -h example.com -s '%n@example.com' -i 10.10.10.10

Example of attacker controlling DNS server:
  dig txt fsv.quarl.org
   
  ;; ANSWER SECTION:
  fsv.quarl.org.          84389   IN      TXT     "v=%n%n%n%n%n%n%n"

  spfqtool -d 4 -h example.com -s test@fsv.quarl.org -i 10.10.10.10


diff -u -wr orig/libspf-1.0.0-p3/src/libspf/util.c.in libspf-1.0.0-p3/src/libspf/util.c.in
--- orig/libspf-1.0.0-p3/src/libspf/util.c.in   2005-04-28 13:41:46.000000000 -0700
+++ libspf-1.0.0-p3/src/libspf/util.c.in        2006-05-08 05:11:17.000000000 -0700
@@ -124,7 +124,7 @@
     if (level == FL_D)          /* xpprintf */
     {
 #ifndef _SPF_DEBUG_LOGFILE
-      fprintf(stdout, buf);
+      fprintf(stdout, "%s", buf);
       fflush(stdout);
 #else
       if ((fp = fopen(DEBUG_LOG_FILE, "a")) != NULL)
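Review bot: the _SPF_DEBUG_LOGFILE branch that starts with the fopen of DEBUG_LOG_FILE at the end of this hunk is not touched; if that path writes buf to fp with the same bare fprintf(fp, buf) shape it carries the same format-string bug and needs the "%s" treatment too, so the patch should either cover that site or note that it was already safe.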
@@ -146,7 +146,7 @@
 
   if (level == FL_F)           /* xepprintf */
   { 
-    fprintf(stderr, buf);
+    fprintf(stderr, "%s", buf);
     fflush(stderr);
   }
 
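Review bot: fprintf(stderr, "%s", buf) is a correct fix, but fputs(buf, stderr) would be the more idiomatic one here and at the other three sites: it takes no format string at all, so nothing can be interpreted and the bug cannot be reintroduced by a later edit that drops the "%s".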
@@ -211,7 +211,7 @@
   /* xepprintf */
   if (level == FL_E)
   {
-    fprintf(stderr, tbuf);
+    fprintf(stderr, "%s", tbuf);
     fflush(stderr);
   }
   else
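Review bot: this FL_E write to stderr has no f_bit_set(confg.level, level) guard (the FL_F one above does not either), while the stdout write in the hunk that follows does; worth confirming whether these error paths are reachable with debug logging off, because the report describes the bug as remote-exploitable only when debugging is enabled, and the stderr sites would matter regardless of the configured debug level.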
@@ -219,7 +219,7 @@
     if (f_bit_set(confg.level, level))
     {
 #ifndef _SPF_DEBUG_LOGFILE
-      fprintf(stdout, tbuf);
+      fprintf(stdout, "%s", tbuf);
       fflush(stdout);
 #else
       if ((fp = fopen(DEBUG_LOG_FILE, "a")) != NULL)
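The two patterns the patch above replaces, as an added C example that is not libspf's code: a buffer rendered as the format string (pre-patch) versus passed as a "%s" argument (post-patch), driven by a constructed SPF record that uses only the harmless "%%" directive, plus a small check that counts '%' characters in untrusted data before it reaches a logging call. Function names and the sample record are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an SPF TXT record shaped like the one in the report,
 * but using only "%%", which printf renders as a literal '%' and is
 * therefore harmless to run. Hypothetical value, not from the page. */
static const char SAMPLE_RECORD[] = "v=spf1 %%d %%s -all";

/* Mirrors the pre-patch libspf pattern: the caller's buffer is used as the
 * format string, so every '%' in it is interpreted by the printf engine. */
size_t render_debug_unsafe(const char *buf, char *out, size_t n)
{
    return (size_t)snprintf(out, n, buf);
}

/* Mirrors the patched pattern: the buffer is data, the format is a literal. */
size_t render_debug_safe(const char *buf, char *out, size_t n)
{
    return (size_t)snprintf(out, n, "%s", buf);
}

/* Defensive check: count '%' characters in data that is about to reach a
 * logging routine. A non-zero count in a mail address or DNS answer is a
 * sensible thing to alert on while auditing old code paths like these. */
int count_percent(const char *s)
{
    int c = 0;
    for (; *s; s++)
        if (*s == '%')
            c++;
    return c;
}

int main(void)
{
    char out[128];

    render_debug_unsafe(SAMPLE_RECORD, out, sizeof out);
    printf("unsafe: %s\n", out); /* directives consumed: "v=spf1 %d %s -all" */

    render_debug_safe(SAMPLE_RECORD, out, sizeof out);
    printf("safe:   %s\n", out); /* printed verbatim: "v=spf1 %%d %%s -all" */

    printf("percent signs in input: %d\n", count_percent(SAMPLE_RECORD));
    return 0;
}
```

The unsafe rendering loses the doubled percent signs because they were parsed as directives; with a real "%n" in place of "%%" the same path writes to memory, which is the bug the patch closes.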
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-05-14 10:10:20 UTC
Pulling maintainer in.
No release date yet.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-05-16 09:32:28 UTC
I asked for a release date on v-s
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-17 00:35:29 UTC
New upstream release available. net-mail please provide an updated ebuild.
Comment 5 Tuan Van (RETIRED) gentoo-dev 2006-05-17 09:55:35 UTC
Pulling maintainer back in as he is not in the net-mail alias.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 11:03:17 UTC
pfeifer or net-mail group, please apply patch.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-07-03 12:44:02 UTC
pfeifer / net-mail: please bump to libspf-1.0.0-p5, it's already been two months now...
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-07-13 09:56:48 UTC
I guess we should mask it, the maintainer(s) do(es) not care about it.
Comment 9 Wolf Giesen (RETIRED) gentoo-dev 2006-07-13 11:06:19 UTC
Seems to be deprecated in favour of libspf2, too? Jeeves went silent on rdep, too, so masking sounds appropriate (unless my brain loss activated again).
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:47:16 UTC
OK, next time someone edits packagemask, please add this one in.
Comment 11 Tuan Van (RETIRED) gentoo-dev 2006-08-10 17:24:08 UTC
(In reply to comment #9)
> OK, next time someone edits packagemask, please add this one in.
> 

done.
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2006-12-16 20:08:45 UTC
# Tuấn Văn <langthang@gentoo.org> (10 Aug 2006)
# Security mask
# Bug #132821
mail-filter/libspf

Time to die? ;)
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:27:07 UTC
Someone with commit rights, can you remove this package please and close the bug?
Comment 14 Andrej Kacian (RETIRED) gentoo-dev 2007-01-13 17:00:30 UTC
Package removed, package.mask entry removed. R.I.P.