Bert
It seems this has stalled. Most distros have already released a patched
version of libspf2. While I agree it's unclear whether the currently
available patch fixes this CVE, it does, however, fix an underflow that
would be relevant to release as a security fix, I think. Libspf2 has
tried to reach out to Zero Day Initiative, but it seems they never got
any clear and concrete response. I would suggest that Debian move ahead
with this patch at least, or what is the common procedure in cases like
this?