UBUNTU-CVE-2021-33913

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2021-33913

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-33913.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-33913

Related

Published

2022-01-19T18:15:00Z

Modified

2022-01-19T18:15:00Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPFrecordexpanddata in spfexpand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

References

Affected packages

Ubuntu:Pro:16.04:LTS / libspf2

Package

Name: libspf2
Purl: pkg:deb/ubuntu/libspf2?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.10-6ubuntu0.1~esm2

Affected versions

1.*

1.2.10-6

1.2.10-6build1

1.2.10-6ubuntu0.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libmail-spf-xs-perl"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libmail-spf-xs-perl-dbgsym"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-2"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-2-dbg"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-2-dbgsym"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-dev"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "libspf2-dev-dbgsym"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "spfquery"
        },
        {
            "binary_version": "1.2.10-6ubuntu0.1~esm2",
            "binary_name": "spfquery-dbgsym"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / libspf2

Package

Name: libspf2
Purl: pkg:deb/ubuntu/libspf2?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.10-7ubuntu0.18.04.1~esm1

Affected versions

1.*

1.2.10-7build2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "libmail-spf-xs-perl"
        },
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "libspf2-2"
        },
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "libspf2-2-dbg"
        },
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "libspf2-dev"
        },
        {
            "binary_version": "1.2.10-7ubuntu0.18.04.1~esm1",
            "binary_name": "spfquery"
        }
    ]
}

Ubuntu:20.04:LTS / libspf2

Package

Name: libspf2
Purl: pkg:deb/ubuntu/libspf2?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.10-7+deb9u2build0.20.04.1

Affected versions

1.*

1.2.10-7build3

1.2.10-7build4

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "libmail-spf-xs-perl"
        },
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "libspf2-2"
        },
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "libspf2-2-dbg"
        },
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "libspf2-dev"
        },
        {
            "binary_version": "1.2.10-7+deb9u2build0.20.04.1",
            "binary_name": "spfquery"
        }
    ]
}

Ubuntu:22.04:LTS / libspf2

Package

Name: libspf2
Purl: pkg:deb/ubuntu/libspf2?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.10-7.1ubuntu1

Affected versions

1.*

1.2.10-7.1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "libmail-spf-xs-perl"
        },
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "libspf2-2"
        },
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "libspf2-2-dbg"
        },
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "libspf2-dev"
        },
        {
            "binary_version": "1.2.10-7.1ubuntu1",
            "binary_name": "spfquery"
        }
    ]
}