Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200810-03 ] libspf2: DNS response buffer overflow
Date: Thu, 30 Oct 2008 22:18:05
Message-Id: 200810302227.14456.rbu@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200810-03
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: libspf2: DNS response buffer overflow
9 Date: October 30, 2008
10 Bugs: #242254
11 ID: 200810-03
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A memory management error in libspf2 might allow for remote execution
19 of arbitrary code.
20
21 Background
22 ==========
23
24 libspf2 is a library that implements the Sender Policy Framework,
25 allowing mail transfer agents to make sure that an email is authorized
26 by the domain name that it is coming from. Currently, only the exim MTA
27 uses libspf2 in Gentoo.
28
29 Affected packages
30 =================
31
32 -------------------------------------------------------------------
33 Package / Vulnerable / Unaffected
34 -------------------------------------------------------------------
35 1 mail-filter/libspf2 < 1.2.8 >= 1.2.8
36
37 Description
38 ===========
39
40 libspf2 uses a fixed-length buffer to receive DNS responses and does
41 not properly check the length of TXT records, leading to buffer
42 overflows.
43
44 Impact
45 ======
46
47 A remote attacker could store a specially crafted DNS entry and entice
48 a user or automated system using libspf2 to lookup that SPF entry (e.g.
49 by sending an email to the MTA), possibly allowing for the execution of
50 arbitrary code.
51
52 Workaround
53 ==========
54
55 There is no known workaround at this time.
56
57 Resolution
58 ==========
59
60 All libspf2 users should upgrade to the latest version:
61
62 # emerge --sync
63 # emerge --ask --oneshot --verbose ">=mail-filter/libspf2-1.2.8"
64
65 References
66 ==========
67
68 [ 1 ] CVE-2008-2469
69 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2469
70
71 Availability
72 ============
73
74 This GLSA and any updates to it are available for viewing at
75 the Gentoo Security Website:
76
77 http://security.gentoo.org/glsa/glsa-200810-03.xml
78
79 Concerns?
80 =========
81
82 Security is a primary focus of Gentoo Linux and ensuring the
83 confidentiality and security of our users machines is of utmost
84 importance to us. Any security concerns should be addressed to
85 security@g.o or alternatively, you may file a bug at
86 http://bugs.gentoo.org.
87
88 License
89 =======
90
91 Copyright 2008 Gentoo Foundation, Inc; referenced text
92 belongs to its owner(s).
93
94 The contents of this document are licensed under the
95 Creative Commons - Attribution / Share Alike license.
96
97 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature