Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 916493 (CVE-2023-42118, ZDI-23-1472, ZDI-CAN-17578)

Summary: mail-filter/libspf2: integer underflow
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: major CC: bugmail, grobian, hanno
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/shevek/libspf2/issues/45
See Also: https://bugs.gentoo.org/show_bug.cgi?id=914923
https://github.com/shevek/libspf2/pull/44
Whiteboard: B2 [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-29 18:17:15 UTC 
According to the ZDI advisory (https://www.zerodayinitiative.com/advisories/ZDI-23-1472/):

"This vulnerability allows network-adjacent attackers to execute
arbitrary code on affected installations of Exim
libspf2. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parsing of SPF macros. When
parsing SPF macros, the process does not properly validate
user-supplied data, which can result in an integer underflow before
writing to memory. An attacker can leverage this vulnerability to
execute code in the context of the service account."

ZDI apparently initially reported to Exim, but Exim people say this is in libspf2. According to https://www.exim.org/static/doc/security/CVE-2023-zdi.txt:

"""
ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     This CVE should be filed against libspf2.
            See: https://github.com/shevek/libspf2/issues/45
"""
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-30 08:46:28 UTC 
IIRC the patch Debian is using is at https://github.com/shevek/libspf2/pull/44, although it's still unclear if it's the same vulnerability.
Comment 2 Hanno Böck gentoo-dev 2025-02-21 08:49:46 UTC 
It seems this issue got stuck due to a lack of a final explanation.

It appears to me the following happened:

* ZDI mentions a vulnerability in libspf2 with CVE id CVE-2023-42118, but without any further explanation.

* There was a bug fix for an integer underflow in the libspf2 upstream repo:
https://github.com/shevek/libspf2/commit/d14abff4b544cfc53a8b5ef54cbc2353866b5081
Unfortunately, upstream is quite inactive, and this has not been released.

* It is neither clear whether this integer underflow is CVE-2023-42118, nor whether it is practically exploitable. Yet, it seems undesputed that it fixes a bug.

* ZDI never provided clarification on the issue.

While the last point is quite unfortunate, it would appear to me that applying the bugfix is certainly a good idea. Either it fixes the vuln, or it fixes another bug, but in both cases, it's certainly an improvement.

Therefore, I'd suggest that we update our ebuild with the patch from the upstream commit.
Comment 3 Larry the Git Cow gentoo-dev 2025-02-21 19:42:46 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9117143f6602a3abbe3261f55b13b90e2298733

commit b9117143f6602a3abbe3261f55b13b90e2298733
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2025-02-21 19:41:31 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2025-02-21 19:41:31 +0000

    mail-filter/libspf2-1.2.11-r1: add upstream integer underflow patch
    
    As suggested by hanno, seems like a good idea to have to fix in any
    case.
    
    Bug: https://bugs.gentoo.org/916493
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 .../files/libspf2-1.2.11-integer-underflow.patch   | 26 +++++++++++
 mail-filter/libspf2/libspf2-1.2.11-r1.ebuild       | 51 ++++++++++++++++++++++
 2 files changed, 77 insertions(+)