Created attachment 245380: patch-src_libspf2_spf__compile.c
Add patch to files/ and rebuild.
See also: https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
^Triage: needs-patch (keyword) for VuXML, <https://vuxml.freebsd.org/>
Testbuilds are fine: 150 140 15i 132 124
Please MFH to 2023Q4
Source of the patch: https://github.com/shevek/libspf2/pull/44
pi@ please commit this with proper bump and proper entry in vuxml and: Approved-by: portmgr
(In reply to Muhammad Moinur Rahman from comment #6)
I got in touch with upstream, the fix was already merged there -- and some new release of libspf2 should come in the next few hours.
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=3c178fb0a6bb19511eaa55e27e2c5018ab1fd216
commit 3c178fb0a6bb19511eaa55e27e2c5018ab1fd216
Author: Kurt Jaeger <pi@FreeBSD.org>
AuthorDate: 2023-10-04 18:39:36 +0000
Commit: Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2023-10-04 18:40:54 +0000
    security/vuxml: add entry for recent libspf2 CVE-2023-42118
    PR: 274215
 security/vuxml/vuln/2023.xml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=e0ce4912961cb8fcb88ea096eef3c3f82752be0b
commit e0ce4912961cb8fcb88ea096eef3c3f82752be0b
Author: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2023-10-05 01:55:38 +0000
Commit: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
CommitDate: 2023-10-05 01:58:46 +0000
    mail/libspf2: Update to newer snapshot (d14abff)
    - Bump PORTREVISION for package change
    Changes: https://github.com/shevek/libspf2/commits/master
    PR: 274215
    Reported by: pi
    Security: CVE-2023-42118
 mail/libspf2/Makefile | 3 ++-
 mail/libspf2/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
A commit in branch 2023Q4 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=bbdef08a89c2124b0c149597f23d67c39cf3a522
commit bbdef08a89c2124b0c149597f23d67c39cf3a522
Author: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2023-10-05 01:55:38 +0000
Commit: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
CommitDate: 2023-10-05 02:08:08 +0000
    mail/libspf2: Update to newer snapshot (d14abff)
    - Bump PORTREVISION for package change
    Changes: https://github.com/shevek/libspf2/commits/master
    PR: 274215
    Reported by: pi
    Security: CVE-2023-42118
    (cherry picked from commit e0ce4912961cb8fcb88ea096eef3c3f82752be0b)
 mail/libspf2/Makefile | 3 ++-
 mail/libspf2/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
Since upstream has merged the fix, I simply move this port to a newer snapshot. The security issue should be fixed in both main and quarterly branch now. Thanks.