Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20250328103002.5aa4cefe@hboeck.de>
Date: Fri, 28 Mar 2025 10:30:02 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: use-after-free (maybe?) in libspf2

Hi,

I recently stumbled upon something, and by sharing it here, I'm hoping
that I can shed some light on it.

The libspf2 library appears to be the standard way of parsing SPF
records in C, but its development has mostly stalled.

In the project's github repo, there's an unmerged pull request claiming
to fix a use after free bug:
https://github.com/shevek/libspf2/pull/15

Quote: "Not sure what the intention is here, but in no case should
spf_record_exp point to a freed object. (Fixes crash on OpenBSD 5.9.)"

There has been no reaction to this report.

I looked briefly at the code (it zeros a pointer after it's been
freed), but I was unable to see a situation where this leads to a use
after free. But maybe I'm missing something.

In any case, maybe this is a warning that libspf2 appears to be
effectively unmaintained.


Unrelated to this specific issue, but there has been a somewhat
unresolved story about a security issue in libspf2 a while ago (also
with discussions on this mailing list).
As far as I can tell, the following happened:
* ZDI claimed to have found a security issue in libspf2, but has not
  shared any details:
  https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
* CVE-2023-42118 got assigned.
* An integer underflow was fixed in libspf2's repository in response:
  https://github.com/shevek/libspf2/commit/d14abff4b544cfc53a8b5ef54cbc2353866b5081
  However, it is neither clear whether this is practically exploitable,
  nor whether it is actually the bug ZDI found.
* No release of libspf2 has been made since then, the fix for the
  Integer Underflow is not included in its latest version. Distros
  should probably add it to their package if they haven't done so
  already.
* ZDI never clarified what the issue they found was. (Which is, to not
  mince words, reckless and dangerous.)

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.