Bug 242254 (CVE-2008-2469) - mail-filter/libspf2 <1.2.8 DNS response buffer overflow (CVE-2008-2469)
Summary: mail-filter/libspf2 <1.2.8 DNS response buffer overflow (CVE-2008-2469)
Alias: CVE-2008-2469
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All, OS: Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2008-10-15 19:56 UTC by Robert Buchholz (RETIRED)
Modified: 2008-10-30 21:27 UTC (History)
See Also:
Package list:
Runtime testing required: ---

Attachment: 50_dns_resolv_bufoverflow.dpatch (8.98 KB, patch)
2008-10-18 15:39 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-15 19:56:27 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

libspf2 upstream informed us about an undisclosed vulnerability in versions previous to 1.2.8:
Unpublished CVE-2008-2469 will be released this week concerning libspf2.
Please update the version of libspf2 in the Gentoo Linux distribution to
1.2.8 as soon as reasonably possible. If you require a minimal patch for
security maintenance of previous versions, please let me know.

md5  19d82e62e4f70056a1d0f194d94906f3          libspf2-1.2.8.tar.gz
sha1 81be05cb435c9d92e0fba4b59bdf204eab4ac6ec  libspf2-1.2.8.tar.gz
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-15 19:58:16 UTC
Let's get this bumped in the public tree and proceed with it via fast stabling if there are no regressions. Robin and Tobias, since all who ever touched the package retired, I cc'ed you for net-mail.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-15 20:04:16 UTC
This is semi-public.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-15 20:26:26 UTC
Upstream adds:

Please note that while --enable-perl probably works, it is not yet
considered stable, I suggest not adding a perl USE flag at this stage.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-16 01:09:00 UTC
Following note: One bug has been fixed and the tarball has been
replaced; it has new md5sums.

md5  824d62a83e76108f8e21a39e1ae2ad62  libspf2-1.2.8.tar.gz
sha1 17180c88b3dbad98cc22d80e6f5cb5441b5f25bd  libspf2-1.2.8.tar.gz
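The digests in the description and in comment 4 differ because upstream re-rolled the 1.2.8 tarball, so anyone who fetched it early has a file that no longer matches the announced values. The following POSIX sh script is an added example, not code from the Gentoo bug or from libspf2: it refuses to proceed unless both the MD5 and the SHA-1 of a downloaded tarball match the announced values, using the comment 4 digests for `libspf2-1.2.8.tar.gz` (it assumes GNU `md5sum`/`sha1sum` or the BSD `md5`/`shasum` tools are installed). Because it cannot ship the real tarball, it demonstrates on a constructed file whose digests are well known.

```shell
#!/bin/sh
# Added example, not part of the Gentoo bug or of libspf2 itself: check a
# downloaded release tarball against BOTH digests upstream announced before
# building it. The libspf2 values are the ones posted in comment 4 for the
# replaced 1.2.8 tarball (the digests in the description were superseded).
LIBSPF2_TARBALL=libspf2-1.2.8.tar.gz
LIBSPF2_MD5=824d62a83e76108f8e21a39e1ae2ad62
LIBSPF2_SHA1=17180c88b3dbad98cc22d80e6f5cb5441b5f25bd

# digest FILE ALGO: print the lowercase hex digest (GNU coreutils or BSD tools)
digest() {
    case "$2" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
            else md5 -q "$1"; fi ;;
        sha1)
            if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
            else shasum -a 1 "$1" | cut -d' ' -f1; fi ;;
        *)  echo "digest: unknown algorithm: $2" >&2; return 2 ;;
    esac
}

# verify_tarball FILE MD5 SHA1: return 0 only when the file exists and both
# digests match; every mismatch is reported and the build must not proceed.
verify_tarball() {
    vt_file=$1; vt_md5=$2; vt_sha1=$3
    if [ ! -f "$vt_file" ]; then
        echo "verify_tarball: $vt_file not found" >&2
        return 1
    fi
    vt_got_md5=$(digest "$vt_file" md5)
    vt_got_sha1=$(digest "$vt_file" sha1)
    vt_rc=0
    if [ "$vt_got_md5" != "$vt_md5" ]; then
        echo "MD5 mismatch for $vt_file: got $vt_got_md5, want $vt_md5" >&2
        vt_rc=1
    fi
    if [ "$vt_got_sha1" != "$vt_sha1" ]; then
        echo "SHA1 mismatch for $vt_file: got $vt_got_sha1, want $vt_sha1" >&2
        vt_rc=1
    fi
    return $vt_rc
}

# Offline demonstration on a constructed file ("hello\n"), whose digests are
# well known, so the script runs without the real tarball present.
demo() {
    d_tmp=$(mktemp)
    printf 'hello\n' > "$d_tmp"
    verify_tarball "$d_tmp" b1946ac92492d2347c6235b4d2611184 f572d396fae9206628714fb2ce00f72e94f2258f \
        && echo "constructed sample: both digests match"
    printf 'tampered\n' >> "$d_tmp"
    verify_tarball "$d_tmp" b1946ac92492d2347c6235b4d2611184 f572d396fae9206628714fb2ce00f72e94f2258f \
        || echo "constructed sample after tampering: rejected, as intended"
    rm -f "$d_tmp"
}

demo

# Real use: run in the directory holding the download, before the build.
if [ -f "$LIBSPF2_TARBALL" ]; then
    verify_tarball "$LIBSPF2_TARBALL" "$LIBSPF2_MD5" "$LIBSPF2_SHA1" \
        && echo "$LIBSPF2_TARBALL verified against the comment 4 digests"
fi
```

Checking both digests confirms you hold exactly the bytes upstream announced, which is the point when a tarball has been silently re-rolled; it is not a defence against an attacker who controls the announcement channel, and neither MD5 nor SHA-1 resists a deliberately constructed collision, so a signed release or a pinned distfile manifest is the stronger control where one exists.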
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-16 18:29:33 UTC
1.2.8 is in CVS.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-16 19:44:16 UTC
Arch Security Liaisons, please test and mark stable:
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-16 21:15:23 UTC
amd64 stable, exim[spf] emerges fine with it.
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2008-10-16 21:38:04 UTC
Sparc looks good.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-10-17 00:20:22 UTC
(In reply to comment #8)
> Sparc looks good.

Please mark stable in-tree.
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2008-10-17 03:05:08 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > Sparc looks good.
> Please mark stable in-tree.

Sorry, wasn't paying attention.  Done for sparc.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-17 05:43:16 UTC
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2008-10-17 08:11:35 UTC
ppc64 stable
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-10-17 08:22:43 UTC
alpha stable.

(In reply to comment #11)
> HPPA is OK.

@jer: please go and mark it on the tree, see comments 6 and 9.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-17 15:47:12 UTC
ppc stable
Comment 15 Markus Meier gentoo-dev 2008-10-17 20:24:10 UTC
x86 stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2008-10-18 14:49:54 UTC
Adding gmsoft for hppa since jer is away
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 15:39:20 UTC
This is now public via:
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 15:39:50 UTC
Created attachment 168944: 50_dns_resolv_bufoverflow.dpatch

For reference, the patch debian applied.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 15:42:27 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Already stabled : "alpha amd64 ia64 ppc ppc64 sparc x86"
Missing keywords: "hppa"
Comment 20 Guy Martin (RETIRED) gentoo-dev 2008-10-18 16:39:52 UTC
hppa stable
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-10-18 16:48:15 UTC
Not so fast with the closing...
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2008-10-30 21:27:41 UTC
GLSA 200810-03