Hi,
in the course of the current CVEs regarding Exim there is claimed to be
an issue with libspf2. We (the Exim developers) are not sure, if this
is something *we* can on our side. We're not even sure about the
details, as of now we do not have any further information.
But, it *may* be related to this PR:
https://github.com/shevek/libspf2/pull/44/files
An individual "simon" told so in the #Exim IRC channel on librachat.
Do you see any chance to check this? And, if necessary, to release a
security update too?
If it turns out to be an issue, what do you think, should we at least
notify oss-security on that, to help other distros to fixing it?
Abstract of the knowledge we have so far:
ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject: libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem: spf
Remark: It is debatable if this should be filed against
libspf2.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}:
+49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -