Bug 259938 - mail/libspf2: Update to 1.2.11 (Fixes CVE-2021-20314)
Summary: mail/libspf2: Update to 1.2.11 (Fixes CVE-2021-20314)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Po-Chuan Hsieh
URL: https://seclists.org/oss-sec/2021/q3/94
Keywords: needs-patch, needs-qa, security
Reported: 2021-11-19 19:12 UTC by Dmitriy
Modified: 2022-05-13 12:01 UTC

bugzilla: maintainer-feedback? (sunpoet)
koobs: merge-quarterly?


Description Dmitriy 2021-11-19 19:12:32 UTC
Please see https://seclists.org/oss-sec/2021/q3/94

Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to denial of service and potentially code execution via maliciously crafted SPF explanation messages. CVE-2021-20314 has been assigned to this issue.

An updated version of libspf2 (1.2.11), which also fixes other security-related issues, is available from GitHub (https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and latest release there is NOT UPDATED YET.
Comment 1 commit-hook freebsd_committer freebsd_triage 2022-05-13 11:50:27 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=97deffc5b76fc61eeef40559aa82d7999c698288

commit 97deffc5b76fc61eeef40559aa82d7999c698288
Author:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2022-05-13 11:37:10 +0000
Commit:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
CommitDate: 2022-05-13 11:40:16 +0000

    mail/libspf2: Update to 1.2.11

    - Update MASTER_SITES

    Changes:        https://github.com/shevek/libspf2/commits/master
    Security:       CVE-2021-20314
    PR:             259938
    Reported by:    Dmitriy <supportme@ukr.net>

 mail/libspf2/Makefile | 11 ++++++-----
 mail/libspf2/distinfo |  5 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-05-13 11:58:31 UTC
A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3c0e83f02f0c1f84b234ee52cdcc68f36fed301a

commit 3c0e83f02f0c1f84b234ee52cdcc68f36fed301a
Author:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2022-05-13 11:37:10 +0000
Commit:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
CommitDate: 2022-05-13 11:57:19 +0000

    mail/libspf2: Update to 1.2.11

    - Update MASTER_SITES

    Changes:        https://github.com/shevek/libspf2/commits/master
    Security:       CVE-2021-20314
    PR:             259938
    Reported by:    Dmitriy <supportme@ukr.net>

    (cherry picked from commit 97deffc5b76fc61eeef40559aa82d7999c698288)

 mail/libspf2/Makefile | 11 ++++++-----
 mail/libspf2/distinfo |  5 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)
Comment 3 Po-Chuan Hsieh freebsd_committer freebsd_triage 2022-05-13 12:01:09 UTC
Committed. Thanks!