Message-ID: <20250328103002.5aa4cefe@hboeck.de>
Date: Fri, 28 Mar 2025 10:30:02 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: use-after-free (maybe?) in libspf2

Hi,

I recently stumbled upon something, and by sharing it here, I'm hoping that I can shed some light on it.

The libspf2 library appears to be the standard way of parsing SPF records in C, but its development has mostly stalled.

In the project's github repo, there's an unmerged pull request claiming to fix a use after free bug:
https://github.com/shevek/libspf2/pull/15

Quote: "Not sure what the intention is here, but in no case should spf_record_exp point to a freed object. (Fixes crash on OpenBSD 5.9.)"

There has been no reaction to this report. I looked briefly at the code (it zeros a pointer after it's been freed), but I was unable to see a situation where this leads to a use after free. But maybe I'm missing something.

In any case, maybe this is a warning that libspf2 appears to be effectively unmaintained.

Unrelated to this specific issue, but there has been a somewhat unresolved story about a security issue in libspf2 a while ago (also with discussions on this mailing list). As far as I can tell, the following happened:

* ZDI claimed to have found a security issue in libspf2, but has not shared any details:
  https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
* CVE-2023-42118 got assigned.
* An integer underflow was fixed in libspf2's repository in response:
  https://github.com/shevek/libspf2/commit/d14abff4b544cfc53a8b5ef54cbc2353866b5081
  However, it is neither clear whether this is practically exploitable, nor whether it is actually the bug ZDI found.
* No release of libspf2 has been made since then; the fix for the integer underflow is not included in its latest version. Distros should probably add it to their package if they haven't done so already.
* ZDI never clarified what the issue they found was. (Which is, to not mince words, reckless and dangerous.)

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/