""" #### Description Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to Denial of service and potentially code execution via malicious crafted SPF explanation messages. CVE-2021-20314 has been assigned to this issue. #### Attack type Remote #### Impact (x) Code Execution (x) Denial of Service #### Attack vector(s): Attackers need to cause a mail server to process a malicious SPF record, ie. via sending an email from an attacker-controlled domain. Thus, any mail server accepting mails and processing them via libspf2 is vulnerable. #### Patch The issue has been fixed in github commit c37b7c1: https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef An updated version of libspf2 (1.2.11) which also fixes other security related issues is available from github (https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and latest release there is NOT UPDATED YET. """
No actual release tagged: https://github.com/shevek/libspf2/issues/36. I requested one here too: https://www.openwall.com/lists/oss-security/2021/08/12/1.
@grobian: ccing you b/c you maintain exim and opendmarc, which optionally depend on this. Any interest in saving this, or shall we last-rite it? Note it fails to build w/ glibc 2.34 too and seems dead upstream, sadly.
we need to save this, else Exim loses SPF support
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e3fe23e7247dd1a86584577b1e3ac8437da31c2

commit 1e3fe23e7247dd1a86584577b1e3ac8437da31c2
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-10-25 17:22:07 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-10-25 17:22:17 +0000

    mail-filter/libspf2-1.2.11: version bump

    Bug: https://bugs.gentoo.org/807739
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/libspf2/Manifest                     |  1 +
 .../libspf2-1.2.11-memset-include-string-h.patch | 12 ++++++
 mail-filter/libspf2/libspf2-1.2.11.ebuild        | 48 ++++++++++++++++++++++
 3 files changed, 61 insertions(+)
Thanks! Please file a stablereq when ready.
One of the patches included in this ebuild breaks compilation:

[ebuild U ] mail-filter/libspf2-1.2.11 [1.2.10]

make[4]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/libspf2'
make[3]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/libspf2'
Making all in spfquery
make[3]: Entering directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/spfquery'
make[4]: Entering directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/spfquery'
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/include -I../../src -O2 -pipe -march=native -mtune=native -Wall -c -o spfquery.o spfquery.c
/bin/sh ../../libtool --tag=CC --mode=link x86_64-pc-linux-gnu-gcc -O2 -pipe -march=native -mtune=native -Wall -Wl,-O1 -Wl,--as-needed -o spfquery spfquery.o ../../src/libspf2/libspf2.la -lpthread -lnsl -lresolv
libtool: link: x86_64-pc-linux-gnu-gcc -O2 -pipe -march=native -mtune=native -Wall -Wl,-O1 -o .libs/spfquery spfquery.o -Wl,--as-needed ../../src/libspf2/.libs/libspf2.so -lpthread -lnsl -lresolv
/usr/lib/gcc/x86_64-pc-linux-gnu/11.2.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../../src/libspf2/.libs/libspf2.so: undefined reference to `dn_expand'
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:436: spfquery] Error 1
make[4]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/spfquery'
make[3]: *** [Makefile:486: all-recursive] Error 1
make[3]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src/spfquery'
make[2]: *** [Makefile:356: all-recursive] Error 1
make[2]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815/src'
make[1]: *** [Makefile:412: all-recursive] Error 1
make[1]: Leaving directory '/home/portage/mail-filter/libspf2-1.2.11/work/libspf2-4915c308d57ff3abac9fb241f09c4bed2ab54815'
make: *** [Makefile:342: all] Error 2
 * ERROR: mail-filter/libspf2-1.2.11::gentoo failed (compile phase):
 *   emake failed

1.2.10 works fine, 1.2.11 fails as above.
(In reply to Reuben Farrelly from comment #6)
> One of the patches included in this ebuild breaks compilation:
>
> [ebuild U ] mail-filter/libspf2-1.2.11 [1.2.10]
>
> 1.2.10 works fine, 1.2.11 fails as above.

Please file a new bug with the full build.log and emerge --info.
(In reply to Sam James from comment #7)
> (In reply to Reuben Farrelly from comment #6)
> > One of the patches included in this ebuild breaks compilation:
> >
> > [ebuild U ] mail-filter/libspf2-1.2.11 [1.2.10]
> >
> > 1.2.10 works fine, 1.2.11 fails as above.
>
> Please file a new bug with the full build.log and emerge --info.

Filed as bug 820347.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e060ecb135942f007611a79e1bc41503fcde651d

commit e060ecb135942f007611a79e1bc41503fcde651d
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-12-17 12:06:18 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-12-17 12:06:18 +0000

    mail-filter/libspf2-1.2.10: cleanup vulnerable version

    Bug: https://bugs.gentoo.org/807739
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/libspf2/Manifest                       |  1 -
 .../libspf2/files/libspf2-1.2.10-gcc5.patch        | 20 ----------
 mail-filter/libspf2/libspf2-1.2.10.ebuild          | 43 ----------------------
 3 files changed, 64 deletions(-)
Thank you!
CVE-2021-33912: libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

CVE-2021-33913: libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPF_record_expand_data in spf_expand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.
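All three issues on this bug (CVE-2021-20314 from the original report, plus CVE-2021-33912 and CVE-2021-33913 above) share the same fixed release, 1.2.11. As an added example, not part of this bug report or of libspf2 itself, here is a small POSIX sh helper an administrator can use to decide whether a given libspf2 version string still predates that release. It assumes only that you can obtain the installed version string from your package manager (the `1.2.10` / `1.2.11` in the ebuild names above, possibly with a Gentoo `-rN` revision suffix); the function names `version_lt` and `libspf2_vulnerable` are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or libspf2): is a libspf2 version
# older than 1.2.11, the release fixing CVE-2021-20314, CVE-2021-33912 and
# CVE-2021-33913?

FIXED_LIBSPF2="1.2.11"

# version_lt A B: succeed (exit 0) when version A sorts before version B.
# Compares dot-separated numeric fields left to right; a missing field
# counts as 0 (so 1.2 == 1.2.0) and a non-numeric suffix on a field is
# ignored (so Gentoo's 1.2.10-r1 compares as 1.2.10).
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        af="${a%%.*}"
        bf="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        af="${af%%[!0-9]*}"
        bf="${bf%%[!0-9]*}"
        af="${af:-0}"
        bf="${bf:-0}"
        if [ "$af" -lt "$bf" ]; then return 0; fi
        if [ "$af" -gt "$bf" ]; then return 1; fi
    done
    return 1   # equal
}

# libspf2_vulnerable VERSION: succeed when VERSION predates the fixed release.
libspf2_vulnerable() {
    if [ -z "$1" ]; then
        echo "libspf2_vulnerable: no version string given" >&2
        return 2
    fi
    version_lt "$1" "$FIXED_LIBSPF2"
}

# Stand-alone use: ./libspf2-check.sh 1.2.10
if [ "$#" -gt 0 ]; then
    if libspf2_vulnerable "$1"; then
        echo "libspf2 $1: affected, upgrade to $FIXED_LIBSPF2 or later"
    else
        echo "libspf2 $1: not affected (>= $FIXED_LIBSPF2)"
    fi
fi
```

Feed it whatever version string your package manager reports for the installed libspf2; the comparison is purely textual, so it says nothing about whether a distribution backported the fix to an older version number.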
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9cdf086497a5ec3652db4ca75fc899675aa0af77

commit 9cdf086497a5ec3652db4ca75fc899675aa0af77
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-15 15:55:55 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-15 15:56:21 +0000

    [ GLSA 202401-22 ] libspf2: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/807739
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-22.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)