Wednesday, 18 October 2023 11:56:01 CEST, Salvatore Bonaccorso wrote:
> On Fri, Oct 13, 2023 at 12:05:19PM +0200, Bert Van de Poel wrote:
> > As already outlined on
> > https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a
> > known security issue in libspf2 found through a security review of
> > Exim by the Zero Day Initiative. An integer underflow in libspf2 was
> > found which can be used to perform RCEs. A patch on
> > https://github.com/shevek/libspf2/pull/44 is available and has been
> > merged into the main repository. All relevant links are already
> > available on the Debian Security Tracker.
>
> Please note that as already outlined in the security-tracker and on
> the upstream issue there is still no confirmation from ZDI that the
> two issues are the same. So no, we cannot consider the pull/44 from
> upstream the fix for CVE-2023-42118.
It looks like it fixes *some* important bug, so should I make uploads with it for the time being? BTW, the same exact place in the code was the subject of CVE-2021-20314, but nobody realised that the patch applied then wasn't complete.

--
Magnus Holmgren holmg...@debian.org
Debian Developer