Headline
CVE-2021-33912: GitHub - shevek/libspf2 at 8131fe140704eaae695e76b5cd09e39bd1dd220b
libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site’s e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.
/** * @file * @brief Description of libspf2 * The contents of this file is extracted by the documentation * generator, and forms the front matter and introductory text to this * manual. The documentation for this file is, therefore, apparently * empty. */
/** * @mainpage Introduction to libspf2
* @par Recipes
An example client implementation is in spf_example.c with a little more error checking. The basic cases are as follows:
The SPF server is reusable, and thread-safe. It must be freed using SPF_server_free.
@code SPF_server_t *spf_server = SPF_server_new(SPF_DNS_CACHE, 0); @endcode
Create a request, and set the relevant fields in it. Each setter method returns an SPF_errcode_t, which will inform you of error conditions, such as out-of-memory or invalid argument.
@code SPF_request_t *spf_request = SPF_request_new(spf_server); SPF_request_set_ipv4_str(spf_request, “123.45.6.7”); SPF_request_set_env_from(spf_request, “clientdomain.com”); @endcode
Now that we have built a query, we may execute it. It will use the SPF_server_t which was passed to the query constructor. As usual, the SPF_request_query_mailfrom method returns an error code, although much richer errors are returned inside the SPF_response_t - see spf_response.h for more details of that API.
@code SPF_response_t *spf_response = NULL; SPF_request_query_mailfrom(spf_request, &spf_response); printf("Result is %s\n", SPF_strresult(SPF_response_result(spf_response))); @endcode
When we have finished with the response, we must free it and the request.
@code SPF_response_free(spf_response); SPF_request_free(spf_request); @endcode
We can execute many requests in parallel threads on the same server, but before the program exits, we must free the server.
@code SPF_server_free(spf_server); @endcode
* @par Authors
- Current maintainer: Shevek [email protected]
- Contributors: Magnus Holmgren, Julian Mehnle, Scott Kitterman
- Contributors: Dan Kaminsky, Ben Chelf, Hannah Schroeter
- Contributors: Martin Braine, Manish Raje, Stuart Gathman
- Original author, 1.0 series: Wayne Schlitt [email protected]
* @par License
This program is free software; you can redistribute it and/or modify it under the terms of either:
a) the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1, or (at your option) any later version, or
OR
b) The two-clause BSD license.
Some code in the ‘replace’ subdirectory was obtained form other sources and have different, but compatible, licenses. These routines are used only when the native libraries for the OS do not contain these functions. You should review the licenses and copyright statments in these functions if you are using an OS that needs these functions.
* @par Original README from Wayne Schlitt
Libspf2 is an implementation of the SPF specification as found at http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt or doc/draft-mengwong-spf-00.txt
Libspf2 is in beta testing and should only be used in production systems with caution. It has not been widely compiled and tested on machines with different operating systems, CPU architectures, or network configurations. It has not been audited for security errors.
While libspf2 is beta code, a lot of effort has been put into making it secure by design, and a great deal of effort has been put into the regression tests. Functions such as sprintf() are never used, things like snprintf() are used instead. There are few fixed sized buffers/arrays, instead, most data structures are dynamically allocated with the allocation sized recorded so I can check to make sure the buffer isn’t overflowed. The return values from malloc() and other system calls are checked and handled as gracefully as I can. The valgrind program is regularly run to make sure that there are no memory leaks and reads/writes to invalid memory.
This code has been compiled and passed its regression tests on Debian Linux (sid/testing) on the x86, FreeBSD 4.3 (x86), FreeBSD 4.9 (x86??), NetBSD 1.62 (x86?), SunOS 5.8 on the ultrasparc, and a few others. It uses the autotools (autoconfig, libtools, automake, etc.) to try and make things more portable, so it will likely work on other systems also.
-wayne
*/