Bert
It seems this has stalled. Most distros have already released a patched
version of libspf2. While I agree it's unclear whether the currently
available patch fixes this CVE, it does, however, fix an underflow that
would be relevant to release as a security fix, I think. Libspf2 has
tried to reach out to Zero Day Initiative, but it seems they never got
any clear and concrete response. I would suggest that Debian move ahead
with this patch at least, or what is the common procedure in cases like
this?
- Bug#1053870: CVE-2023-42118: integer underflow in lib... Magnus Holmgren
- Bug#1053870: CVE-2023-42118: integer underflow i... Salvatore Bonaccorso
- Bug#1053870: CVE-2023-42118: integer underflow i... Bert Van de Poel