UBUNTU-CVE-2021-33913

Source
https://ubuntu.com/security/CVE-2021-33913
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-33913.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2021-33913
Related
Published
2022-01-19T18:15:00Z
Modified
2022-01-19T18:15:00Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPFrecordexpanddata in spfexpand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

References

Affected packages

Ubuntu:Pro:16.04:LTS / libspf2

Package

Name
libspf2
Purl
pkg:deb/ubuntu/libspf2?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.10-6ubuntu0.1~esm2

Affected versions

1.*

1.2.10-6
1.2.10-6build1
1.2.10-6ubuntu0.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libmail-spf-xs-perl"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libmail-spf-xs-perl-dbgsym"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-2"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-2-dbg"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-2-dbgsym"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-dev"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-dev-dbgsym"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "spfquery"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "spfquery-dbgsym"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / libspf2

Package

Name
libspf2
Purl
pkg:deb/ubuntu/libspf2?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.10-7ubuntu0.18.04.1~esm1

Affected versions

1.*

1.2.10-7build2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "libmail-spf-xs-perl"
        },
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "libspf2-2"
        },
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "libspf2-2-dbg"
        },
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "libspf2-dev"
        },
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "spfquery"
        }
    ]
}

Ubuntu:20.04:LTS / libspf2

Package

Name
libspf2
Purl
pkg:deb/ubuntu/libspf2?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.10-7+deb9u2build0.20.04.1

Affected versions

1.*

1.2.10-7build3
1.2.10-7build4

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "libmail-spf-xs-perl"
        },
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "libspf2-2"
        },
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "libspf2-2-dbg"
        },
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "libspf2-dev"
        },
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "spfquery"
        }
    ]
}

Ubuntu:22.04:LTS / libspf2

Package

Name
libspf2
Purl
pkg:deb/ubuntu/libspf2?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.10-7.1ubuntu1

Affected versions

1.*

1.2.10-7.1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "libmail-spf-xs-perl"
        },
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "libspf2-2"
        },
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "libspf2-2-dbg"
        },
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "libspf2-dev"
        },
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "spfquery"
        }
    ]
}