Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

DSA-1659-1 libspf2 -- buffer overflow

Date Reported:

23 Oct 2008

Affected Packages:

libspf2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2008-2469.

More information:

Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition (CVE-2008-2469).

Note that the SPF configuration template in Debian's Exim configuration recommends to use libmail-spf-query-perl, which does not suffer from this issue.

For the stable distribution (etch), this problem has been fixed in version 1.2.5-4+etch1.

For the testing distribution (lenny), this problem has been fixed in version 1.2.5.dfsg-5+lenny1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your libspf2 package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2_1.2.5.orig.tar.gz

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2_1.2.5-4+etch1.dsc

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2_1.2.5-4+etch1.diff.gz

Alpha:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_alpha.deb

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_alpha.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_alpha.deb

AMD64:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_amd64.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_amd64.deb

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_amd64.deb

ARM:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_arm.deb

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_arm.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_arm.deb

HP Precision:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_hppa.deb

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_hppa.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_hppa.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_i386.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_i386.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_ia64.deb

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_ia64.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_ia64.deb

Little-endian MIPS:

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_mipsel.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_mipsel.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_powerpc.deb

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_powerpc.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_s390.deb

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_s390.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_s390.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_sparc.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_sparc.deb

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

This page is also available in the following languages:

dansk Deutsch français 日本語 (Nihongo) svenska

How to set the default document language