Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 916493 (CVE-2023-42118, ZDI-23-1472, ZDI-CAN-17578) - mail-filter/libspf2: integer underflow
Summary: mail-filter/libspf2: integer underflow
Alias: CVE-2023-42118, ZDI-23-1472, ZDI-CAN-17578
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B2 [upstream]
Depends on:
Reported: 2023-10-29 18:17 UTC by John Helmert III
Modified: 2024-02-13 19:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-29 18:17:15 UTC
According to the ZDI advisory (

"This vulnerability allows network-adjacent attackers to execute
arbitrary code on affected installations of Exim
libspf2. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parsing of SPF macros. When
parsing SPF macros, the process does not properly validate
user-supplied data, which can result in an integer underflow before
writing to memory. An attacker can leverage this vulnerability to
execute code in the context of the service account."

ZDI apparently initially reported to Exim, but Exim people say this is in libspf2. According to

ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     This CVE should be filed against libspf2.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-30 08:46:28 UTC
IIRC the patch Debian is using is at, although it's still unclear if it's the same vulnerability.