| Summary: | libspf2 new security issue CVE-2021-20314 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, jani.valimaa, marja11, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | libspf2-1.2.10-5.mga8.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 1.2.11 | | |
| Bug Depends on: | | | |
| Bug Blocks: | 29396 | | |

Description
David Walser
2021-08-11 22:52:18 CEST
David Walser
2021-08-11 22:52:29 CEST
Whiteboard: (none) => MGA8TOO

Debian has issued an advisory for this on August 11:
https://www.debian.org/security/2021/dsa-4955

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11

Fixed in cauldron with libspf2-1.2.10-6.mga9.

Whiteboard: MGA8TOO => (none)

Pushed libspf2-1.2.10-5.1.mga8 to core/updates_testing with a patch from upstream as there's no release for 1.2.11 yet.

SRPMS:
libspf2-1.2.10-5.1.mga8

RPMS:
libspf2-1.2.10-5.1.mga8
lib64spf2_2-1.2.10-5.1.mga8
lib64spf2-devel-1.2.10-5.1.mga8
spf2-utils-1.2.10-5.1.mga8

CC: (none) => jani.valimaa

David Walser
2021-08-21 20:55:51 CEST
Blocks: (none) => 29396

mga8, x64
No man pages for spf2 or libspf2.
$ urpmq -i lib64spf2_2
$MIRRORLIST: media/core/release/media_info/20210224-165404-info.xml.lzma
Name : lib64spf2_2
Version : 1.2.10
Release : 5.mga8
Group : System/Libraries
Size : 170253 Architecture: x86_64
Source RPM : libspf2-1.2.10-5.mga8.src.rpm
URL : http://www.libspf2.org/
Summary : Implementation of the SPF specification
Description :
libspf2 is an implementation of the SPF (Sender Policy Framework)
specification as found at:
http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
SPF allows email systems to check SPF DNS records and make sure
that an email is authorized by the administrator of the domain
name that it is coming from. This prevents email forgery, commonly ....
The text document specified does not exist at the URL given and a web search turns up nothing for spf-000.txt and there is no information in /usr/share/doc so who knows what an SPF record is and where they are stored?
There is a PoC for the issue cited but it implies familiarity with spf2 and SPF records.
Note that spfquery is now spfquery2.
$ spfquery2 -h
spfquery2: option requires an argument -- 'h'
....
Examples:
spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld
spfquery -f test_data
echo "127.0.0.1 myname@mydomain.com helohost.com" | spfquery -f -

CC: (none) => tarazed25

No idea at all what to do with this so went ahead with the update.
$ rpm -qa | grep spf2
lib64spf2_2-1.2.10-5.1.mga8
spf2-utils-1.2.10-5.1.mga8
lib64spf2-devel-1.2.10-5.1.mga8
$ ll /bin/*spf*
-rwxr-xr-x 1 root root 24104 Aug 21 19:40 /bin/spfd2*
-rwxr-xr-x 1 root root 15440 Aug 21 19:40 /bin/spf_example2*
-rwxr-xr-x 1 root root 28608 Aug 21 19:40 /bin/spfquery2*
-rwxr-xr-x 1 root root 15440 Aug 21 19:40 /bin/spftest2*
$ apropos spf2
spf2: nothing appropriate.
$ spftest2 -h
spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
spf_compile.c:1210 Debug: Compiling record v=spf1
Usage: spftest [spf "<spf record>" | domain <domain name>
| ip <ip address> | exp "<explanation string>"
| version ]
$ spf_example2
Usage:
spf_example [options]
Valid data options are:
-i <IP address> The IP address that is sending email
-s <email address> The email address used as the
envelope-from. If no username (local
part) is given, 'postmaster' will be
assumed.
-r <email address> [optional] The email address used as
the envelope-to email address, for
secondary-MX checking.
-h <domain name> The domain name given on the SMTP HELO
command. This is only needed if the
-sender option is not given.
-d [debug level] debug level.
No information on how to create SPF records so this goes through on the basis of a clean install.

Whiteboard: (none) => MGA8-64-OK

A valiant effort, Len. Validating.

Keywords: (none) => validated_update

Thomas Backlund
2021-09-04 17:38:29 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0414.html

Resolution: (none) => FIXED