On 2025-07-25 Moritz Orbach via Exim-users <[email protected]> wrote:
> I don't trust libspf2 anymore because after almost 2 years it's still
> unclear to me if CVE-2023-42118 is fixed or not (e.g.
> https://bugs.gentoo.org/916493#c2).
[...]

Not trying to claim that libspf2 is terribly alive, but the onus for the unresolved/unclear status of CVE-2023-42118 lies more on the side of ZDI than libspf2 upstream. See https://www.openwall.com/lists/oss-security/2025/03/28/1

| As far as I can tell, the following happened:
| * ZDI claimed to have found a security issue in libspf2, but has not
|   shared any details:
|   https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
| * CVE-2023-42118 got assigned.
| * An integer underflow was fixed in libspf2's repository in response:
|   https://github.com/shevek/libspf2/commit/d14abff4b544cfc53a8b5ef54cbc2353866b5081
|   However, it is neither clear whether this is practically exploitable,
|   nor whether it is actually the bug ZDI found.
| * No release of libspf2 has been made since then; the fix for the
|   integer underflow is not included in its latest version. Distros
|   should probably add it to their package if they haven't done so
|   already.
| * ZDI never clarified what the issue they found was. (Which is, to not
|   mince words, reckless and dangerous.)

cu
Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
