Package: libspf2-2
Version: 1.2.10-7.1~deb11u1
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: moritz_cku_schnei...@web.de


There is a bug in the expansion of macros in SPF resource records. If
there is no delimiter present in the string that is used for the macro
expansion, the expanded string is truncated by one character. This might
cause a failed SPF result, or much worse, it can cause an SPF success
where it should in reality be a failed result.

The bug is not only in the (up to date) Debian version, but also in the
upstream version. Hence I've already created an upstream issue, which you
can follow here:
https://github.com/shevek/libspf2/issues/42

Unfortunately the libspf2 upstream repository does not seem to be well
maintained anymore. So it would be a good idea to include this at least
in the Debian build.

I've built a local backport and already made a quilt patch for this
bug, which I've also attached to this issue.


Kind regards
Moritz

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-0.deb11.7-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libspf2-2 depends on:
ii  libc6  2.31-13+deb11u6

libspf2-2 recommends no packages.

libspf2-2 suggests no packages.

-- no debconf information
 src/libspf2/spf_expand.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Only remove a delimiter in macro expansion if a delimiter was found

Some macros are truncated by one character if expanded on input strings without
a delimiter. This commit will fix that.
--- a/src/libspf2/spf_expand.c
+++ b/src/libspf2/spf_expand.c
@@ -354,7 +354,13 @@
                                        break;
                                p_write--;
                        }
-                       p_write++;              /* Move to just after the '.' */
+                       /* Move to just after the '.', but only if we have 
found at least
+                        * one '.' in the string. For a string without any 
delimiter
+                        * inside there is no '.' to remove, otherwise we would 
remove a
+                        * character from the payload */
+                       if (num_found != 0) {
+                               p_write++;
+                       }
                        /* This moves the '\0' as well. */
                        len = p_read_end - p_write;
                        memmove(munged_var, p_write, len + 1);
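
Review bot: the new guard `if (num_found != 0)` is true as soon as any '.' has been counted, not only when the loop above left through its `break`. If that loop can also end by running out of string with fewer delimiters found than were requested, `p_write++` would still step over a payload character in that case. Tying the increment to the character under the pointer, for example `if (*p_write == '.')`, would cover both exits; it would also help to add a regression test with zero, fewer-than-requested and exactly-requested delimiters, since the patch carries none.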

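The truncation described in the report, as an added example that is not part of the original message and not libspf2's own code: a simplified stand-alone model of the "keep the rightmost labels" step, run with and without the patched check. The function names, the loop condition and the input strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the "keep the rightmost num_rhs labels" step.
 * The loop shape is an assumption based on the patch's context lines;
 * it is not copied from libspf2. patched=0 always steps past the byte
 * under p_write, patched=1 applies the num_found check from the patch. */
static void keep_rightmost(char *munged_var, int num_rhs, int patched)
{
    size_t n = strlen(munged_var);
    char *p_read_end = munged_var + n;
    char *p_write;
    int num_found = 0;

    if (n == 0 || num_rhs <= 0)
        return;
    p_write = p_read_end - 1;
    while (p_write > munged_var) {
        if (*p_write == '.')
            num_found++;
        if (num_found == num_rhs)
            break;
        p_write--;
    }
    if (!patched || num_found != 0)
        p_write++;          /* past the '.', or past payload if none */
    /* The + 1 moves the terminating '\0' as well. */
    memmove(munged_var, p_write, (size_t)(p_read_end - p_write) + 1);
}

/* Run the model on a copy of `in`; return 1 if the result equals `want`. */
static int expands_to(const char *in, int num_rhs, int patched,
                      const char *want)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", in);
    keep_rightmost(buf, num_rhs, patched);
    printf("%-17s n=%d %-9s -> %s\n", in, num_rhs,
           patched ? "patched" : "unpatched", buf);
    return strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed inputs: one with delimiters, one without. */
    int ok = expands_to("mail.example.org", 2, 0, "example.org")
           & expands_to("mail.example.org", 2, 1, "example.org")
           & expands_to("localhost", 1, 0, "ocalhost") /* first byte lost */
           & expands_to("localhost", 1, 1, "localhost");
    return ok ? 0 : 1;
}
```

In this model the delimiter-free input loses its first character before it would be used in the rest of the SPF evaluation, which is the mismatch the report describes.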