Bug 274215
| Summary: | mail/libspf2: add fix for CVE-2023-42118 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Kurt Jaeger <pi> | ||||
| Component: | Individual Port(s) | Assignee: | Po-Chuan Hsieh <sunpoet> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Many People | CC: | bofh, fluffy, pi, ports-secteam | ||||
| Priority: | Normal | Keywords: | needs-patch, security | ||||
| Version: | Latest | Flags: | bugzilla:
maintainer-feedback?
(sunpoet) fluffy: merge-quarterly+ |
||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| URL: | https://www.zerodayinitiative.com/advisories/ZDI-23-1472/ | ||||||
| Attachments: |
|
||||||
^Triage: needs-patch (keyword) for VuXML, <https://vuxml.freebsd.org/> Testbuilds are fine: 150 140 15i 132 124 Plase MFH to 2023Q4 Source of the patch: https://github.com/shevek/libspf2/pull/44 pi@ please commit this with proper bump and proper entry in vuxml and: Approved-by: portmgr (In reply to Muhammad Moinur Rahman from comment #6) I got in touch with upstream, the fix was already merged there -- and some new release of libspf22 should come in the next few hours. A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=3c178fb0a6bb19511eaa55e27e2c5018ab1fd216 commit 3c178fb0a6bb19511eaa55e27e2c5018ab1fd216 Author: Kurt Jaeger <pi@FreeBSD.org> AuthorDate: 2023-10-04 18:39:36 +0000 Commit: Kurt Jaeger <pi@FreeBSD.org> CommitDate: 2023-10-04 18:40:54 +0000 security/vuxml: add entry for recent libspf2 CVE-2023-42118 PR: 274215 security/vuxml/vuln/2023.xml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=e0ce4912961cb8fcb88ea096eef3c3f82752be0b commit e0ce4912961cb8fcb88ea096eef3c3f82752be0b Author: Po-Chuan Hsieh <sunpoet@FreeBSD.org> AuthorDate: 2023-10-05 01:55:38 +0000 Commit: Po-Chuan Hsieh <sunpoet@FreeBSD.org> CommitDate: 2023-10-05 01:58:46 +0000 mail/libspf2: Update to newer snapshot (d14abff) - Bump PORTREVISION for package change Changes: https://github.com/shevek/libspf2/commits/master PR: 274215 Reported by: pi Security: CVE-2023-42118 mail/libspf2/Makefile | 3 ++- mail/libspf2/distinfo | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) A commit in branch 2023Q4 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=bbdef08a89c2124b0c149597f23d67c39cf3a522 commit bbdef08a89c2124b0c149597f23d67c39cf3a522 Author: Po-Chuan Hsieh <sunpoet@FreeBSD.org> AuthorDate: 2023-10-05 01:55:38 +0000 Commit: Po-Chuan Hsieh <sunpoet@FreeBSD.org> CommitDate: 2023-10-05 02:08:08 +0000 mail/libspf2: Update to newer snapshot (d14abff) - Bump PORTREVISION for package change Changes: https://github.com/shevek/libspf2/commits/master PR: 274215 Reported by: pi Security: CVE-2023-42118 (cherry picked from commit e0ce4912961cb8fcb88ea096eef3c3f82752be0b) mail/libspf2/Makefile | 3 ++- mail/libspf2/distinfo | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) Since upstream has merged the fix, I simply move this port to a newer snapshot. The security issue should be fixed in both main and quarterly branch now. Thanks. |
Created attachment 245380 [details] patch-src_libspf2_spf__compile.c Add patch to files/ and rebuild.