Reported by Karl Chen: Libspf contains at least one format string vulnerability which is remote-exploitable when debugging is enabled.

Example of attacker controlling the email address:

spfqtool -d 4 -h example.com -s '%n@example.com' -i 10.10.10.10

Example of attacker controlling DNS server:

dig txt fsv.quarl.org
;; ANSWER SECTION:
fsv.quarl.org. 84389 IN TXT "v=%n%n%n%n%n%n%n"

spfqtool -d 4 -h example.com -s test@fsv.quarl.org -i 10.10.10.10

diff -u -wr orig/libspf-1.0.0-p3/src/libspf/util.c.in libspf-1.0.0-p3/src/libspf/util.c.in --- orig/libspf-1.0.0-p3/src/libspf/util.c.in 2005-04-28 13:41:46.000000000 -0700 +++ libspf-1.0.0-p3/src/libspf/util.c.in 2006-05-08 05:11:17.000000000 -0700 @@ -124,7 +124,7 @@ if (level == FL_D) /* xpprintf */ { #ifndef _SPF_DEBUG_LOGFILE - fprintf(stdout, buf); + fprintf(stdout, "%s", buf); fflush(stdout); #else if ((fp = fopen(DEBUG_LOG_FILE, "a")) != NULL) @@ -146,7 +146,7 @@ if (level == FL_F) /* xepprintf */ { - fprintf(stderr, buf); + fprintf(stderr, "%s", buf); fflush(stderr); } @@ -211,7 +211,7 @@ /* xepprintf */ if (level == FL_E) { - fprintf(stderr, tbuf); + fprintf(stderr, "%s", tbuf); fflush(stderr); } else @@ -219,7 +219,7 @@ if (f_bit_set(confg.level, level)) { #ifndef _SPF_DEBUG_LOGFILE - fprintf(stdout, tbuf); + fprintf(stdout, "%s", tbuf); fflush(stdout); #else if ((fp = fopen(DEBUG_LOG_FILE, "a")) != NULL)
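Review bot: The #else branch that opens DEBUG_LOG_FILE in the @@ -124,7 hunk is left unchanged, and the call that writes to fp falls outside the visible context, so this patch does not show whether the logfile path still passes buf as the format string. Please check that write, and the matching #else branch for tbuf in the @@ -219,7 hunk, and give it the same "%s" treatment if the buffer is passed directly; otherwise builds with _SPF_DEBUG_LOGFILE defined keep the same bug.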
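Review bot: The stderr calls in the @@ -146,7 and @@ -211,7 hunks could be fputs(buf, stderr) and fputs(tbuf, stderr) instead of fprintf with "%s", which takes format parsing out of these sinks entirely and makes the intent obvious to the next reader. It would also help to build with -Wformat -Wformat-security so that any remaining call passing a non-literal format string is flagged by the compiler.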
Pulling maintainer in. No release date yet.
I asked for a release date on v-s
New upstream release available. net-mail please provide an updated ebuild.
Pulling maintainer back in as he is not in net-mail alias.
pfeifer or net-mail group, please apply patch.
pfeifer / net-mail : please bump to libspf-1.0.0-p5, it's been already two months now...
I guess we should mask it, the maintainer(s) do(es) not care about it.
Seems to be deprecated in favour of libspf2, too? Jeeves went silent on rdep, too, so masking sounds appropriate (unless my brain loss activated again).
OK, next time someone edits packagemask, please add this one in.
(In reply to comment #9)
> OK, next time someone edits packagemask, please add this one in.

done.
# Tuấn Văn <langthang@gentoo.org> (10 Aug 2006)
# Security mask
# Bug #132821
mail-filter/libspf

Time to die? ;)
Someone with commit rights, can you remove this package please and close the bug?
Package removed, package.mask entry removed. R.I.P.