oss-sec mailing list archives

Re: CVE-2021-20314: Remote stack buffer overflow in libspf2

From: Sam James <sam () cmpct info>
Date: Thu, 12 Aug 2021 00:18:46 +0100

On 11 Aug 2021, at 15:41, Philipp Jeitner (SIT) <philipp.jeitner () sit fraunhofer de> wrote:

#### Description

Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to Denial of 
service and potentially code execution via malicious crafted SPF explanation messages. CVE-2021-20314 has been 
assigned to this issue.
[...]
#### Patch

The issue has been fixed in github commit c37b7c1:

https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef

An updated version of libspf2 (1.2.11) which also fixes other security related issues is available from github 
(https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and latest release 
there is NOT UPDATED YET.


I don't see this as either a tag or a release on the GitHub repository. Possibly the maintainer forgot to run git push 
--tags?

Thanks for your work on this issue.

best,
sam

Attachment: signature.asc
Description: Message signed with OpenPGP

Current thread:

CVE-2021-20314: Remote stack buffer overflow in libspf2 Philipp Jeitner (SIT) (Aug 11)
- Re: CVE-2021-20314: Remote stack buffer overflow in libspf2 Sam James (Aug 12)