
Bug 242254 (CVE-2008-2469)

Summary: mail-filter/libspf2 <1.2.8 DNS response buffer overflow (CVE-2008-2469)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: net-mail+disabled, summercurrants
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.launchpad.net/ubuntu/feisty/+source/libspf2/+bug/271025
Whiteboard: B1 [glsa]
Attachments:
Description Flags
50_dns_resolv_bufoverflow.dpatch none

Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-15 19:56:27 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

libspf2 upstream informed us about an undisclosed vulnerability in versions previous to 1.2.8:
Unpublished CVE-2008-2469 will be released this week concerning libspf2.
Please update the version of libspf2 in the Gentoo Linux distribution to
1.2.8 as soon as reasonably possible. If you require a minimal patch for
security maintenance of previous versions, please let me know.

md5  19d82e62e4f70056a1d0f194d94906f3          libspf2-1.2.8.tar.gz
sha1 81be05cb435c9d92e0fba4b59bdf204eab4ac6ec  libspf2-1.2.8.tar.gz
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-15 19:58:16 UTC
Let's get this bumped in the public tree, and proceed it via fast stabling if there are no regressions. Robin and Tobias, since all who ever touched the package retired, I cc'ed you for net-mail.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-15 20:04:16 UTC
this is semi-public.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-15 20:26:26 UTC
Upstream adds:

Please note that while --enable-perl probably works, it is not yet
considered stable, I suggest not adding a perl USE flag at this stage.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-16 01:09:00 UTC
Following note: One bug has been fixed and the tarball has been
replaced; it has new md5sums.

md5  824d62a83e76108f8e21a39e1ae2ad62  libspf2-1.2.8.tar.gz
sha1 17180c88b3dbad98cc22d80e6f5cb5441b5f25bd  libspf2-1.2.8.tar.gz
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-16 18:29:33 UTC
1.2.8 is in CVS.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-16 19:44:16 UTC
Arch Security Liaisons, please test and mark stable:
=mail-filter/libspf2-1.2.8
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-16 21:15:23 UTC
amd64 stable, exim[spf] emerges fine with it.
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2008-10-16 21:38:04 UTC
Sparc looks good.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-10-17 00:20:22 UTC
(In reply to comment #8)
> Sparc looks good.

Please mark stable in-tree.
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2008-10-17 03:05:08 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > Sparc looks good.
> 
> Please mark stable in-tree.
> 

Sorry, wasn't paying attention.  Done for sparc.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-17 05:43:16 UTC
HPPA is OK.
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2008-10-17 08:11:35 UTC
ppc64 stable
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-10-17 08:22:43 UTC
alpha stable.

(In reply to comment #11)
> HPPA is OK.

@jer: please go and mark it on the tree, see comments 6 and 9.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-17 15:47:12 UTC
ppc stable
Comment 15 Markus Meier gentoo-dev 2008-10-17 20:24:10 UTC
x86 stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2008-10-18 14:49:54 UTC
Adding gmsoft for hppa since jer is away
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 15:39:20 UTC
This is now public via:
https://answers.launchpad.net/ubuntu/gutsy/+source/libspf2/1.2.5.dfsg-4ubuntu0.7.10.1
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 15:39:50 UTC
Created attachment 168944
50_dns_resolv_bufoverflow.dpatch

For reference, the patch debian applied.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 15:42:27 UTC
Arches, please test and mark stable:
=mail-filter/libspf2-1.2.8
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Already stabled : "alpha amd64 ia64 ppc ppc64 sparc x86"
Missing keywords: "hppa"
Comment 20 Guy Martin (RETIRED) gentoo-dev 2008-10-18 16:39:52 UTC
hppa stable
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 16:48:15 UTC
not so fast with the closing...
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2008-10-30 21:27:41 UTC
GLSA 200810-03