Vulnerability in SPF macro parsing claimed by "Anonymous" from "The Zero Day Initiative" #45
Comments
@nomis are you with ZDI or just doing your best to de-obfuscate their report?
No.
They haven't even reported anything of use to the Exim maintainers.
Thank you for your efforts. Appreciated!
I wonder if further details were emailed to @shevek, since ZDI claims they disclosed details to the project. It would be quite nice if there was (a lot) more clarity.
CVE-2023-42118 was assigned to the ZDI report, but the CVE is still in reserved state by the CNA. There doesn't seem to be any confirmation of what the ZDI advisory is actually about :(
Yeah, this whole situation really sucks :/ It's also really complicating the situation over at Debian where they're not sure what to do about that CVE and the packaging of libspf2, it seems.
I have sent an email to "[email protected]" asking them to provide more info. If that doesn't work, we can try contacting MITRE. They might be able to help because they grant the CNA status to ZDI, and ZDI published a CVE ID back in September, but that CVE is still set as "RESERVED" on MITRE's side.
For reference, my attempt at https://www.openwall.com/lists/oss-security/2023/10/04/7 was unfortunately not successful back then. ZDI's reply: https://www.openwall.com/lists/oss-security/2023/10/04/9
I'd love the details as well; by private email is fine. I'm trying to enlist help with maintenance of this project at the moment. This whole thing has been somewhat of a shortage of information.
Did anyone in the end hear anything detailed from ZDI? Things are stuck at Debian (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053870 ) due to a lack of clarity. I'd really like to see this get somewhere. The lack of clarity from the anonymous reporter and ZDI is really not ideal.
They seemed to be only interested in reporting the vuln as a brag. They have given no details to anyone. To my knowledge, any follow-ups by the exim devs were also similarly ignored. At this point, I'm not convinced a human is behind the reporting group's email.
To reiterate as well one aspect of why Debian has not done a stable or oldstable update with the mentioned commit: as per the finder and fixer of the respective integer overflow, it is not clear if it can be exploited or not. The fix for the potential integer overflow is already exposed in the testing and unstable distributions, but we won't associate it with the ZDI-claimed one if it is not confirmed.
Is there any progress on this issue, and are there any plans to fix this vulnerability? Can the fix in #44 be considered a complete fix for CVE-2023-42118?
https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
"The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory."
There are no further details and for some reason they're reporting it against Exim.
I can find one integer underflow which I've fixed with #44 but I haven't been able to get it to do anything after that because another buffer fills up.
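The advisory quoted above names the flaw class only as "an integer underflow before writing to memory" during SPF macro parsing, and the thread never pins down the actual defect. The following C example is added here as an illustration of that flaw class in general; it is not libspf2 code, does not reproduce the fix in #44, and makes no claim about what ZDI found. It shows the generic pattern: an unsigned "remaining space" subtraction that wraps to a huge value once the bytes already used exceed the buffer capacity, so a later fits-or-not check always passes, placed next to a guarded version that a toy SPF-style macro expander uses on every append. All function names and sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of an unsigned "remaining space" underflow.
   Not libspf2 code and not the defect referenced in the ZDI advisory. */

/* Vulnerable pattern: remaining = cap - used with no check that used <= cap.
   size_t arithmetic wraps, so used > cap yields a value near SIZE_MAX and a
   subsequent "if (need <= remaining)" test is satisfied for any need.
   This function only returns the wrapped value; it performs no write. */
size_t remaining_unchecked(size_t cap, size_t used) {
    return cap - used;
}

/* Hardened pattern: detect the inverted state before subtracting and make
   the caller handle it. Returns 0 on success, -1 if used already exceeds cap. */
int remaining_checked(size_t cap, size_t used, size_t *out) {
    if (used > cap) {
        return -1;
    }
    *out = cap - used;
    return 0;
}

/* Toy expander for one SPF-like macro: every "%{s}" in `in` is replaced by
   `value`, all other bytes are copied literally. Each append is gated by
   remaining_checked() and one byte is reserved for the NUL terminator.
   Returns the number of bytes written, or -1 if the result would not fit.
   The macro syntax here is simplified and constructed for this example. */
long expand_macros(const char *in, const char *value, char *out, size_t cap) {
    size_t used = 0;
    size_t i = 0;

    while (in[i] != '\0') {
        const char *piece;
        size_t plen;
        size_t rem;

        if (strncmp(in + i, "%{s}", 4) == 0) {
            piece = value;
            plen = strlen(value);
            i += 4;
        } else {
            piece = in + i;
            plen = 1;
            i += 1;
        }

        /* Refuse both an already-inverted state and a piece that would
           consume the byte reserved for the terminator. */
        if (remaining_checked(cap, used, &rem) != 0 || plen >= rem) {
            return -1;
        }
        memcpy(out + used, piece, plen);
        used += plen;
    }
    out[used] = '\0';
    return (long)used;
}

/* Fixed-size output buffer used by the demonstration below. */
static char scratch[32];

int main(void) {
    long n = expand_macros("%{s}._spf.example.net", "alice", scratch, sizeof scratch);
    printf("expanded (%ld bytes): %s\n", n, scratch);

    /* An expansion that would exceed the buffer is rejected, not written. */
    n = expand_macros("%{s}%{s}%{s}%{s}", "0123456789abcdef", scratch, sizeof scratch);
    printf("oversized expansion: %ld\n", n);

    /* The unchecked computation wraps instead of failing. */
    printf("remaining_unchecked(16, 17) = %zu\n", remaining_unchecked(16, 17));
    return 0;
}
```

The point for a reviewer of a fix like the one discussed in this thread is the order of operations: the overrun condition (`used > cap`) must be tested before the subtraction, because once the subtraction has wrapped, no comparison against the result can recover the error.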