Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 Aug 2021 16:41:16 +0200
From: "Philipp Jeitner (SIT)" <>
To: <>
Subject: CVE-2021-20314: Remote stack buffer overflow in libspf2

#### Description

Stack buffer overflow in libspf2 versions below 1.2.11 when processing 
certain SPF macros can lead to Denial of service and potentially code 
execution via malicious crafted SPF explanation messages. CVE-2021-20314 
has been assigned to this issue.

#### Attack type


#### Impact

(x) Code Execution (x) Denial of Service

#### Attack vector(s):

Attackers need to cause a mail server to process a malicious SPF record, 
ie. via sending an email from an attacker-controlled domain. Thus, any 
mail server accepting mails and processing them via libspf2 is vulnerable.

#### Patch

The issue has been fixed in github commit c37b7c1:

An updated version of libspf2 (1.2.11) which also fixes other security 
related issues is available from github 
( The libspf2 website 
( and latest release there is NOT 

#### Discoverer(s)/Credits

Philipp Jeitner and Haya Shulman, Fraunhofer SIT

#### Reference(s)

  - libspf2:,
  - patch:
  - Injection Attacks Reloaded: Tunneling Malicious Payloads over DNS

#### Details and information to reproduce the vulnerability

To reproduce, set the SPF record of a domain you control like listed below: 300    IN      TXT     "v=spf1"   300     IN      TXT 

Then trigger SPF processing in libspf2, ie. via the command line 
`spfquery` tool.

     # spfquery --sender -ip
     *** stack smashing detected ***: terminated
     Aborted (core dumped)

The record causes a 4-byte stack buffer overflow of local variable `buf` 
in `SPF_record_compile_macro`, which is responsible for parsing the 
potential macros included in the SPF explanation message. The overflow 
is caused by an incorrect buffer length adjustment in the 
`SPF_INIT_STRING_LITERAL` macro  which  places  a  4-byte  header of 
type `SPF_data_str` into  the  buffer inside `buf` without  decreasing 
the  available size `ds_avail` by 4. Exploiting this vulnerability 
therefore allows  the  attacker to  override  up to  4  bytes  on  the 
stack of `SPF_record_compile_macro` directly after `buf`.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.