Dear Salvatore,

I don't disagree with your statement. However, many have already tried to reach ZDI and have not received clear communication. Perhaps Debian can add to the pressure to get more clarity? While the ZDI webpage on this CVE claims they contacted the developer, it's unclear whether they contacted exim or libspf2 and exactly what information they shared. However, this does not take away that the current pull request fixes a potential RCE (whether it's part of this CVE or not) that should, with some urgency, get packaged and released. Many other distros have already done so, and Debian is lagging behind. This is even more serious considering exim is the default MTA on Debian, while many other distros opt for postfix.

Kind regards,
Bert Van de Poel

On 18/10/2023 11:56, Salvatore Bonaccorso wrote:
Hi,

On Fri, Oct 13, 2023 at 12:05:19PM +0200, Bert Van de Poel wrote:
Package: libspf2-2
Version: 1.2.10-7.1~deb11u1
Severity: critical
Tags: security patch
Justification: root security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>


As already outlined on
https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a
known security issue in libspf2 found through a security review of
Exim by the Zero Day Initiative. An integer underflow in libspf2 was
found which can be used to perform RCEs. A patch on
https://github.com/shevek/libspf2/pull/44 is available and has been
merged into the main repository. All relevant links are already
available on the Debian Security Tracker.
Please note that as already outlined in the security-tracker and on
the upstream issue there is still no confirmation from ZDI that the
two issues are the same. So no, we cannot consider the pull/44 from
upstream the fix for CVE-2023-42118.

Better communication on that matter from the anonymous reporter would
be very helpful to clarify the libspf2 status.

Regards,
Salvatore
