oss-security - Re: CVE-2021-20314: Remote stack buffer overflow in libspf2

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Thu, 12 Aug 2021 00:18:46 +0100
From: Sam James <sam@...ct.info>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-20314: Remote stack buffer overflow in
 libspf2



> On 11 Aug 2021, at 15:41, Philipp Jeitner (SIT) <philipp.jeitner@....fraunhofer.de> wrote:
> 
> #### Description
> 
> Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to Denial of service and potentially code execution via malicious crafted SPF explanation messages. CVE-2021-20314 has been assigned to this issue.
> [...]
> #### Patch
> 
> The issue has been fixed in github commit c37b7c1:
> 
> https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef
> 
> An updated version of libspf2 (1.2.11) which also fixes other security related issues is available from github (https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and latest release there is NOT UPDATED YET.
> 

I don't see this as either a tag or a release on the GitHub repository. Possibly the maintainer forgot to run git push --tags?

Thanks for your work on this issue.

best,
sam

Download attachment "signature.asc" of type "application/pgp-signature" (619 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.