CVE-2021-33912

libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.
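
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
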
EPSS Score
Percentile: 78%

| Vendor | Product | Version |
|---|---|---|
| libspf2_project | libspf2 | 𝑥 < 1.2.11 |
| debian | debian_linux | 9.0 |

𝑥 = Vulnerable software versions

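Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libspf2 | bullseye (security) | 1.2.10-7.1~deb11u1 | fixed |
| libspf2 | bullseye | 1.2.10-7.1~deb11u1 | fixed |
| libspf2 | bookworm | 1.2.10-7.2 | fixed |
| libspf2 | sid | 1.2.10-8.2 | fixed |
| libspf2 | trixie | 1.2.10-8.2 | fixed |
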
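Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| libspf2 | noble | | not-affected |
| libspf2 | mantic | | not-affected |
| libspf2 | lunar | | not-affected |
| libspf2 | kinetic | | ignored |
| libspf2 | jammy | | not-affected |
| libspf2 | impish | | ignored |
| libspf2 | hirsute | | ignored |
| libspf2 | focal | Fixed 1.2.10-7+deb9u2build0.20.04.1 | released |
| libspf2 | bionic | Fixed 1.2.10-7ubuntu0.18.04.1~esm1 | released |
| libspf2 | xenial | Fixed 1.2.10-6ubuntu0.1~esm2 | released |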