Bug 807739 (CVE-2021-20314, CVE-2021-33912, CVE-2021-33913) - <mail-filter/libspf2-1.2.11: Buffer overflow in processing SPF macros
Summary: <mail-filter/libspf2-1.2.11: Buffer overflow in processing SPF macros
Status: IN_PROGRESS
Alias: CVE-2021-20314, CVE-2021-33912, CVE-2021-33913
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nathanielbennett.com/blog/lib...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 820347 829390
Blocks:
Reported: 2021-08-11 16:16 UTC by Sam James
Modified: 2022-01-19 23:07 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester gentoo-dev Security 2021-08-11 16:16:57 UTC
"""
#### Description

Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to Denial of service and potentially code execution via maliciously crafted SPF explanation messages. CVE-2021-20314 has been assigned to this issue.

#### Attack type

Remote

#### Impact

(x) Code Execution (x) Denial of Service

#### Attack vector(s):

Attackers need to cause a mail server to process a malicious SPF record, i.e. via sending an email from an attacker-controlled domain. Thus, any mail server accepting mails and processing them via libspf2 is vulnerable.

#### Patch

The issue has been fixed in github commit c37b7c1:

https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef

An updated version of libspf2 (1.2.11) which also fixes other security related issues is available from github (https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and latest release there is NOT UPDATED YET.
"""
Comment 1 Sam James archtester gentoo-dev Security 2021-08-16 00:27:48 UTC
No actual release tagged: https://github.com/shevek/libspf2/issues/36.

I requested one here too: https://www.openwall.com/lists/oss-security/2021/08/12/1.
Comment 2 Sam James archtester gentoo-dev Security 2021-10-25 13:25:51 UTC
@grobian: ccing you b/c you maintain exim and opendmarc, which optionally depend on this. Any interest in saving this, or shall we last-rite it?

Note it fails to build w/ glibc 2.34 too and seems dead upstream sadly.
Comment 3 Fabian Groffen gentoo-dev 2021-10-25 13:51:09 UTC
we need to save this, else Exim loses SPF support
Comment 4 Larry the Git Cow gentoo-dev 2021-10-25 17:22:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e3fe23e7247dd1a86584577b1e3ac8437da31c2

commit 1e3fe23e7247dd1a86584577b1e3ac8437da31c2
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-10-25 17:22:07 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-10-25 17:22:17 +0000

    mail-filter/libspf2-1.2.11: version bump
    
    Bug: https://bugs.gentoo.org/807739
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/libspf2/Manifest                       |  1 +
 .../libspf2-1.2.11-memset-include-string-h.patch   | 12 ++++++
 mail-filter/libspf2/libspf2-1.2.11.ebuild          | 48 ++++++++++++++++++++++
 3 files changed, 61 insertions(+)
Comment 5 John Helmert III gentoo-dev Security 2021-10-25 21:21:09 UTC
Thanks! Please file a stablereq when ready.
Comment 6 Reuben Farrelly 2021-10-26 11:55:11 UTC
One of the patches included in this ebuild breaks compilation:

[ebuild     U  ] mail-filter/libspf2-1.2.11 [1.2.10]

make[4]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/libspf2'
make[3]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/libspf2'
Making all in spfquery
make[3]: Entering directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/spfquery'
make[4]: Entering directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/spfquery'
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/include -I../../src   -O2 -pipe -march=native -mtune=native -Wall -c -o spfquery.o spfquery.c
/bin/sh ../../libtool  --tag=CC   --mode=link x86_64-pc-linux-gnu-gcc  -O2 -pipe -march=native -mtune=native -Wall  -Wl,-O1 -Wl,--as-needed -o spfquery spfquery.o ../../src/libspf2/libspf2.la -lpthread -lnsl -lresolv 
libtool: link: x86_64-pc-linux-gnu-gcc -O2 -pipe -march=native -mtune=native -Wall -Wl,-O1 -o .libs/spfquery spfquery.o  -Wl,--as-needed ../../src/libspf2/.libs/libspf2.so -lpthread -lnsl -lresolv
/usr/lib/gcc/x86_64-pc-linux-gnu/11.2.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../../src/libspf2/.libs/libspf2.so: undefined reference to `dn_expand'
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:436: spfquery] Error 1
make[4]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/spfquery'
make[3]: *** [Makefile:486: all-recursive] Error 1
make[3]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/spfquery'
make[2]: *** [Makefile:356: all-recursive] Error 1
make[2]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src'
make[1]: *** [Makefile:412: all-recursive] Error 1
make[1]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815'
make: *** [Makefile:342: all] Error 2
 * ERROR: mail-filter/libspf2-1.2.11::gentoo failed (compile phase):
 *   emake failed

1.2.10 works fine, 1.2.11 fails as above.
Comment 7 Sam James archtester gentoo-dev Security 2021-10-26 11:57:11 UTC
(In reply to Reuben Farrelly from comment #6)
> One of the patches included in this ebuild breaks compilation:
> 
> [ebuild     U  ] mail-filter/libspf2-1.2.11 [1.2.10]
> 
> 1.2.10 works fine, 1.2.11 fails as above.

Please file a new bug with the full build.log and emerge --info.
Comment 8 Reuben Farrelly 2021-10-26 12:09:39 UTC
(In reply to Sam James from comment #7)
> (In reply to Reuben Farrelly from comment #6)
> > One of the patches included in this ebuild breaks compilation:
> > 
> > [ebuild     U  ] mail-filter/libspf2-1.2.11 [1.2.10]
> > 
> > 1.2.10 works fine, 1.2.11 fails as above.
> 
> Please file a new bug with the full build.log and emerge --info.

Filed as bug 820347.
Comment 9 Larry the Git Cow gentoo-dev 2021-12-17 12:06:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e060ecb135942f007611a79e1bc41503fcde651d

commit e060ecb135942f007611a79e1bc41503fcde651d
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-12-17 12:06:18 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-12-17 12:06:18 +0000

    mail-filter/libspf2-1.2.10: cleanup vulnerable version
    
    Bug: https://bugs.gentoo.org/807739
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/libspf2/Manifest                       |  1 -
 .../libspf2/files/libspf2-1.2.10-gcc5.patch        | 20 ----------
 mail-filter/libspf2/libspf2-1.2.10.ebuild          | 43 ----------------------
 3 files changed, 64 deletions(-)
Comment 10 John Helmert III gentoo-dev Security 2021-12-17 17:42:40 UTC
Thank you!
Comment 11 John Helmert III gentoo-dev Security 2022-01-19 23:07:58 UTC
CVE-2021-33912:

libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

CVE-2021-33913:

libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPF_record_expand_data in spf_expand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.
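As an added illustration (constructed for this page, not code from libspf2 or from any participant in this bug), the following bounded expansion of the SPF `d` macro shows the defensive pattern the CVE texts above describe as missing: the expanded domain is written with `snprintf` and the caller's buffer length is checked against what the output actually needs, so an overlong domain is reported rather than overflowing the buffer. Label truncation follows RFC 7208 section 7.3 (`%{d2}` keeps the two rightmost labels); the function name and signature are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: expand the SPF "d" macro with an optional digit
 * transformer, keeping only the rightmost `keep` labels (keep == 0 keeps
 * the whole domain). Returns the number of bytes written (excluding the
 * terminating NUL), or -1 if the result does not fit in `out`.
 * However `out` was sized (e.g. from one label rather than the whole
 * name), the write is bounded by `outlen` and truncation is an error,
 * not silently accepted output. */
int spf_expand_d(const char *domain, unsigned keep, char *out, size_t outlen)
{
    const char *start = domain;

    if (keep > 0) {
        /* Count labels, then drop labels from the left until `keep` remain. */
        unsigned labels = 1;
        for (const char *p = domain; *p; p++)
            if (*p == '.')
                labels++;
        while (labels > keep) {
            const char *dot = strchr(start, '.');
            if (dot == NULL)
                break;
            start = dot + 1;
            labels--;
        }
    }

    /* snprintf never writes more than outlen bytes and returns the length
     * the full output would need; >= outlen means it did not fit. */
    int n = snprintf(out, outlen, "%s", start);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}
```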