Bug#1053870: CVE-2023-42118: integer underflow in libspf2 resulting in RCE

2023-12-05 Thread Bert Van de Poel
It seems this has stalled. Most distros have already released a patched 
version of libspf2. While I agree it's unclear whether the currently 
available patch fixes this CVE, it does however fix an underflow that 
would be relevant to release as a security fix, I think. Libspf2 has 
tried to reach out to Zero Day Initiative, but it seems they never got 
any clear and concrete response. I would suggest that Debian move ahead 
with this patch at least, or what is the common procedure in cases like 
this?


Bert



Bug#1053870: CVE-2023-42118: integer underflow in libspf2 resulting in RCE

2023-10-21 Thread Salvatore Bonaccorso
Hi Magnus,

On Sat, Oct 21, 2023 at 08:09:35PM +0200, Magnus Holmgren wrote:
> Wednesday, 18 October 2023 11:56:01 CEST, Salvatore Bonaccorso wrote:
> > On Fri, Oct 13, 2023 at 12:05:19PM +0200, Bert Van de Poel wrote:
> > > As already outlined on
> > > https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a
> > > known security issue in libspf2 found through a security review of
> > > Exim by the Zero Day Initiative. An integer underflow in libspf2 was
> > > found which can be used to perform RCEs. A patch on
> > > https://github.com/shevek/libspf2/pull/44 is available and has been
> > > merged into the main repository. All relevant links are already
> > > available on the Debian Security Tracker.
> > 
> > Please note that as already outlined in the security-tracker and on
> > the upstream issue there is still no confirmation from ZDI that the
> > two issues are the same. So no, we cannot consider the pull/44 from
> > upstream the fix for CVE-2023-42118.
> 
> It looks like it fixes *some* important bug, so should I make uploads with it 
> for the time being?
> 
> BTW, the same exact place in the code was the subject of CVE-2021-20314, but 
> nobody realised that the patch applied then wasn't complete.

To expose the fix for pull/44 from upstream I would suggest to upload
to unstable, but do not reference the CVE (again we have no
understanding if that's the same issue). And if we want to keep this
bug associated for the CVE, then neither should it be closed.

FWIW, it is also mentioned by the committer that "I can find one
integer underflow which I've fixed with #44 but I haven't been able to
get it to do anything after that because another buffer fills up."

We can next then discuss if/what to do about stable and oldstable.

It is as well plausible that CVE-2021-20314 was "rediscovered" or its
incomplete fix.

But again, without further information from the anonymous reporter to
ZDI we cannot know.

Regards,
Salvatore



Bug#1053870: CVE-2023-42118: integer underflow in libspf2 resulting in RCE

2023-10-21 Thread Magnus Holmgren
Wednesday, 18 October 2023 11:56:01 CEST, Salvatore Bonaccorso wrote:
> On Fri, Oct 13, 2023 at 12:05:19PM +0200, Bert Van de Poel wrote:
> > As already outlined on
> > https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a
> > known security issue in libspf2 found through a security review of
> > Exim by the Zero Day Initiative. An integer underflow in libspf2 was
> > found which can be used to perform RCEs. A patch on
> > https://github.com/shevek/libspf2/pull/44 is available and has been
> > merged into the main repository. All relevant links are already
> > available on the Debian Security Tracker.
> 
> Please note that as already outlined in the security-tracker and on
> the upstream issue there is still no confirmation from ZDI that the
> two issues are the same. So no, we cannot consider the pull/44 from
> upstream the fix for CVE-2023-42118.

It looks like it fixes *some* important bug, so should I make uploads with it 
for the time being?

BTW, the same exact place in the code was the subject of CVE-2021-20314, but 
nobody realised that the patch applied then wasn't complete.

-- 
Magnus Holmgren holmg...@debian.org
Debian Developer 



Bug#1053870: CVE-2023-42118: integer underflow in libspf2 resulting in RCE

2023-10-18 Thread Bert Van de Poel

Dear Salvatore,

I don't disagree with your statement. However, many have already tried 
to reach ZDI and have not received clear communication. Perhaps Debian 
can add to the pressure to get more clarity? While the ZDI webpage on 
this CVE claims they contacted the developer, it's unclear whether they 
contacted exim or libspf2 and exactly what information they shared. 
However, this does not take away that the current pull request fixes a 
potential RCE (whether it's part of this CVE or not) that should, with 
some urgency, get packaged and released. Many other distros have already 
done so, and Debian is lagging behind. This is even more serious 
considering exim is the default MTA on Debian, while many other distros 
opt for postfix.


Kind regards,
Bert Van de Poel

On 18/10/2023 11:56, Salvatore Bonaccorso wrote:

> Hi,
> 
> On Fri, Oct 13, 2023 at 12:05:19PM +0200, Bert Van de Poel wrote:
> > Package: libspf2-2
> > Version: 1.2.10-7.1~deb11u1
> > Severity: critical
> > Tags: security patch
> > Justification: root security hole
> > X-Debbugs-Cc: Debian Security Team 
> > 
> > 
> > As already outlined on
> > https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a
> > known security issue in libspf2 found through a security review of
> > Exim by the Zero Day Initiative. An integer underflow in libspf2 was
> > found which can be used to perform RCEs. A patch on
> > https://github.com/shevek/libspf2/pull/44 is available and has been
> > merged into the main repository. All relevant links are already
> > available on the Debian Security Tracker.
> 
> Please note that as already outlined in the security-tracker and on
> the upstream issue there is still no confirmation from ZDI that the
> two issues are the same. So no, we cannot consider the pull/44 from
> upstream the fix for CVE-2023-42118.
> 
> Better communication on that matter from the anonymous reporter would
> be very helpful to clarify the libspf2 status.
> 
> Regards,
> Salvatore




Bug#1053870: CVE-2023-42118: integer underflow in libspf2 resulting in RCE

2023-10-18 Thread Salvatore Bonaccorso
Hi,

On Fri, Oct 13, 2023 at 12:05:19PM +0200, Bert Van de Poel wrote:
> Package: libspf2-2
> Version: 1.2.10-7.1~deb11u1
> Severity: critical
> Tags: security patch
> Justification: root security hole
> X-Debbugs-Cc: Debian Security Team 
> 
> 
> As already outlined on
> https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a
> known security issue in libspf2 found through a security review of
> Exim by the Zero Day Initiative. An integer underflow in libspf2 was
> found which can be used to perform RCEs. A patch on
> https://github.com/shevek/libspf2/pull/44 is available and has been
> merged into the main repository. All relevant links are already
> available on the Debian Security Tracker.

Please note that as already outlined in the security-tracker and on
the upstream issue there is still no confirmation from ZDI that the
two issues are the same. So no, we cannot consider the pull/44 from
upstream the fix for CVE-2023-42118.

Better communication on that matter from the anonymous reporter would
be very helpful to clarify the libspf2 status.

Regards,
Salvatore



Bug#1053870: CVE-2023-42118: integer underflow in libspf2 resulting in RCE

2023-10-13 Thread Bert Van de Poel
Package: libspf2-2
Version: 1.2.10-7.1~deb11u1
Severity: critical
Tags: security patch
Justification: root security hole
X-Debbugs-Cc: Debian Security Team 


As already outlined on 
https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a known 
security issue in libspf2 found through a security review of Exim by the Zero 
Day Initiative. An integer underflow in libspf2 was found which can be used to 
perform RCEs. A patch on https://github.com/shevek/libspf2/pull/44 is available 
and has been merged into the main repository. All relevant links are already 
available on the Debian Security Tracker.

-- System Information:
Debian Release: 11.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-25-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set 
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libspf2-2 depends on:
ii  libc6  2.31-13+deb11u7

libspf2-2 recommends no packages.

libspf2-2 suggests no packages.

-- debconf information excluded