Unspecified buffer overflow

Bug #287534 reported by Scott Kitterman
Affects             Status         Importance   Assigned to       Milestone
libspf2 (Ubuntu)    Fix Released   High         Scott Kitterman
Dapper              Fix Released   High         Scott Kitterman
Gutsy               Fix Released   High         Scott Kitterman
Hardy               Fix Released   High         Scott Kitterman
Intrepid            Fix Released   Undecided    Scott Kitterman

Bug Description

Upstream just found another exploit in libspf2 and has a working model. I don't have details, but expect a 1.2.9 security release before the weekend. It affects both 1.2.5 and 1.2.8.

Changed in libspf2:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Revision history for this message
Scott Kitterman (kitterman) wrote :

1.2.9 is released and contains both a fix and a working local exploit for testing. The fix is very intrusive. Am working with upstream and Debian for a simpler patch for the deployed releases.

Scott Kitterman (kitterman) wrote :

1.2.9 package is prepped for Jaunty. Will upload after coordinating with Debian to make sure we have the same tarball md5.

Changed in libspf2:
assignee: nobody → kitterman
importance: Undecided → High
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libspf2 - 1.2.9-1

---------------
libspf2 (1.2.9-1) unstable; urgency=high

  * New upstream release.
    - Drops non-dfsg Free IETF internet draft, so tarball no longer needs
      repacking
    + Fixes exploitable buffer overflow (LP: #287534)
    + Multiple fixes for improved RFC 4408 compliance
    + Update libspf2-2.symbols for new symbol
    + 20_spf_dns_include_std_headers.dpatch: Updated.
  * Thanks to Scott Kitterman.

libspf2 (1.2.8~dfsg-1) unstable; urgency=low

  * Merge changes from Ubuntu.
  * Fix and tweak library dependency information (shlibs as well as
    symbols).
  * Upgrade to Standards-Version: 3.8.0. Changes needed:
    + Add debian/README.source (§ 4.9).
  * Bring debian/copyright a bit more up-to-date.

 -- Scott Kitterman <email address hidden> Wed, 05 Nov 2008 05:03:43 +0000

Changed in libspf2:
status: In Progress → Fix Released
Scott Kitterman (kitterman) wrote :

I'd like to suggest that for Intrepid, we push 1.2.9 in intrepid-security. It's going to be a real PITA to extract a reduced patch for this issue and 1.2.8 was uploaded very late in the development process, so we haven't undone a lot of testing.

We'll get better upstream support this way and avoid a pile of C hacking that I certainly can't do. Also the changes from 1.2.9 got a lot of review by other users of the package, so I'm reasonably confident it's in good shape. I do know it corrects at least one regression in 1.2.8.

Kees Cook (kees) wrote :

Intrepid has been fixed with a security update to 1.2.9, thanks to ScottK! :)

Changed in libspf2:
assignee: nobody → kitterman
status: Confirmed → Fix Released
Scott Kitterman (kitterman) wrote :

Hardy

Changed in libspf2:
assignee: nobody → kitterman
importance: Undecided → High
status: Confirmed → In Progress
assignee: nobody → kitterman
importance: Undecided → High
status: Confirmed → In Progress
assignee: nobody → kitterman
importance: Undecided → High
status: Confirmed → In Progress
Scott Kitterman (kitterman) wrote :

Gutsy

Scott Kitterman (kitterman) wrote :

Dapper

Scott Kitterman (kitterman) wrote :

Fix for 1.2.5 is based on upstream's suggestion about how to prevent the issue in a minimally invasive way. Upstream includes in 1.2.9 a test for this vulnerability in t/11. If vulnerable, the test will cause a segfault. NCommander verified for me that with these changes (he just tested Hardy, but it should be the same for all) it passes the test and fails without the update.

Kees Cook (kees) wrote :

Building in the security queue now.

Changed in libspf2:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Kees Cook (kees)
Changed in libspf2:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information  