Hi Magnus,

On Sat, Oct 21, 2023 at 08:09:35PM +0200, Magnus Holmgren wrote:
> Wednesday, 18 October 2023 11:56:01 CEST, Salvatore Bonaccorso wrote:
> > On Fri, Oct 13, 2023 at 12:05:19PM +0200, Bert Van de Poel wrote:
> > > As already outlined on
> > > https://security-tracker.debian.org/tracker/CVE-2023-42118 there's a
> > > known security issue in libspf2 found through a security review of
> > > Exim by the Zero Day Initiative. An integer underflow in libspf2 was
> > > found which can be used to perform RCEs. A patch on
> > > https://github.com/shevek/libspf2/pull/44 is available and has been
> > > merged into the main repository. All relevant links are already
> > > available on the Debian Security Tracker.
> > 
> > Please note that as already outlined in the security-tracker and on
> > the upstream issue there is still no confirmation from ZDI that the
> > two issues are the same. So no, we cannot consider the pull/44 from
> > upstream the fix for CVE-2023-42118.
> 
> It looks like it fixes *some* important bug, so should I make uploads with it 
> for the time being?
> 
> BTW, the same exact place in the code was the subject of CVE-2021-20314, but 
> nobody realised that the patch applied then wasn't complete.

To expose the fix for pull/44 from upstream I would suggest to upload
to unstable, but do not reference the CVE (again we have no
understanding if that's the same issue). And if we want to keep this
bug associated for the CVE, then neither should it be closed.

FWIW, it is also mentioned by the committer that "I can find one
integer underflow which I've fixed with #44 but I haven't been able to
get it to do anything after that because another buffer fills up."

We can next then discuss if/what to do about stable and oldstable.

It is as well plausible that CVE-2021-20314 was "rediscovered" or its
incomplete fix.

But again, without further information from the anonymous reporter to
ZDI we cannot know.

Regards,
Salvatore