Bug 916493 (CVE-2023-42118, ZDI-23-1472, ZDI-CAN-17578) - mail-filter/libspf2: integer underflow
Summary: mail-filter/libspf2: integer underflow
Status: IN_PROGRESS
Alias: CVE-2023-42118, ZDI-23-1472, ZDI-CAN-17578
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/shevek/libspf2/iss...
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks:
Reported: 2023-10-29 18:17 UTC by John Helmert III
Modified: 2024-02-13 19:28 UTC
See Also:
Package list:
Runtime testing required: ---
Description John Helmert III 2023-10-29 18:17:15 UTC
According to the ZDI advisory (https://www.zerodayinitiative.com/advisories/ZDI-23-1472/):

"This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account."

ZDI apparently initially reported to Exim, but Exim people say this is in libspf2. According to https://www.exim.org/static/doc/security/CVE-2023-zdi.txt:

"""
ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     This CVE should be filed against libspf2.
            See: https://github.com/shevek/libspf2/issues/45
"""
Comment 1 Sam James 2023-10-30 08:46:28 UTC
IIRC the patch Debian is using is at https://github.com/shevek/libspf2/pull/44, although it's still unclear if it's the same vulnerability.