| Summary: | libspf2 new security issues fixed upstream in 1.2.11 (CVE-2021-33912, CVE-2021-33913) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, jani.valimaa, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | libspf2-1.2.10-5.1.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 29361 | ||
| Bug Blocks: | |||
|
Description
David Walser
2021-08-21 20:55:51 CEST
David Walser
2021-08-21 20:55:59 CEST
Whiteboard:
(none) =>
MGA8TOO Fedora has issued an advisory for this today (September 26): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMSFT2NJDZ7PATRZSQPAOGSE7JD6ELOB/ Suggested advisory: ======================== The updated packages fix security vulnerabilities. References: https://www.openwall.com/lists/oss-security/2021/08/11/6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMSFT2NJDZ7PATRZSQPAOGSE7JD6ELOB/ ======================== Updated packages in core/updates_testing: ======================== spf2-utils-1.2.11-0.git20210609.1.mga8 lib(64)spf2_2-1.2.11-0.git20210609.1.mga8 lib(64)spf2-devel-1.2.11-0.git20210609.1.mga8 from SRPM: libspf2-1.2.11-0.git20210609.1.mga8.src.rpm Whiteboard:
MGA8TOO =>
(none) mga8, x64
No man pages for spf2 or libspf2.
The three packages updated cleanly with qarepo.
$ urpmq -i lib64spf2_2
$MIRRORLIST: media/core/release/media_info/20210224-165404-info.xml.lzma
Name : lib64spf2_2
Version : 1.2.10
Release : 5.mga8
Group : System/Libraries
Size : 170253 Architecture: x86_64
Source RPM : libspf2-1.2.10-5.mga8.src.rpm
URL : http://www.libspf2.org/
Summary : Implementation of the SPF specification
Description :
libspf2 is an implementation of the SPF (Sender Policy Framework)
specification as found at:
http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
SPF allows email systems to check SPF DNS records and make sure
that an email is authorized by the administrator of the domain
name that it is coming from. This prevents email forgery, commonly ....
The text document specified does not exist at the URL given and a web search turns up nothing for spf-000.txt and there is no information in /usr/share/doc so who knows what an SPF record is and where they are stored?
There is a PoC for the issue cited but it implies familiarity with spf2 and SPF records.
CVE-2021-20314, Redhat bugs 199307{1,2}
<quote>
To reproduce, set the SPF record of a domain you control like listed below:
example.com. 300 IN TXT "v=spf1 exp=exp.example.com"
exp=exp.example.com. 300 IN TXT "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Then trigger SPF processing in libspf2, ie. via the command line `spfquery` tool.
# spfquery --sender someone () example com -ip 1.2.3.4
*** stack smashing detected ***: terminated
Aborted (core dumped)
</quote>
Note that spfquery is now spfquery2. Other utilities are spfd2, spf_example2 and spftest2.
$ spfquery2 -help
<That works>
....
Examples:
spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld
spfquery -f test_data
echo "127.0.0.1 myname@mydomain.com helohost.com" | spfquery -f -
$ spfquery2 -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld
softfail
Please see http://www.openspf.org/Why?id=user%40aol.com&ip=11.22.33.44&receiver=spfquery : Reason: mechanism
spfquery: transitioning domain of aol.com does not designate 11.22.33.44 as permitted sender
Received-SPF: softfail (spfquery: transitioning domain of aol.com does not designate 11.22.33.44 as permitted sender) client-ip=11.22.33.44; envelope-from=user@aol.com; helo=spammer.tld;
<That is OK probably>
$ echo "127.0.0.1 lcl@localhost.localdomain mageia.com" |spfquery2 -f -
pass
spfquery: localhost is always allowed.
Received-SPF: pass (spfquery: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=lcl@localhost.localdomain; helo=mageia.com;
<That looks OK as well>
Apart from self the only other application which requires this is smtp-gated. Not installed and it stays that way.
Giving this a tentative OK based on clean install and basic operations.CC:
(none) =>
tarazed25 Found a link. https://dmarcian.com/create-spf-record/ An exercise for a rainy day. Validating. Advisory in Comment 2. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2021-10-02 19:30:15 CEST
CC:
(none) =>
davidwhodgins An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0454.html Status:
ASSIGNED =>
RESOLVED These issues are CVE-2021-33912, CVE-2021-33913: https://www.debian.org/lts/security/2022/dla-2890 Summary:
libspf2 new security issues fixed upstream in 1.2.11 =>
libspf2 new security issues fixed upstream in 1.2.11 (CVE-2021-33912, CVE-2021-33913) |