From d2deb0dae07843b9b1bd285cc5ed1373641598d5 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Wed, 25 Dec 2024 11:57:25 +0800
Subject: [PATCH] fix CVE-2023-42118
(cherry picked from commit e70cbcf5d605f47a1e415d4d502f842df2e8a3ab)
---
 CVE-2023-42118-and-other-fixes.patch | 134 +++++++++++++++++++++++++++
 libspf2.spec | 11 ++-
 2 files changed, 140 insertions(+), 5 deletions(-)
 create mode 100644 CVE-2023-42118-and-other-fixes.patch
diff --git a/CVE-2023-42118-and-other-fixes.patch b/CVE-2023-42118-and-other-fixes.patch
new file mode 100644
index 0000000..ccbaeab
--- /dev/null
+++ b/CVE-2023-42118-and-other-fixes.patch
@@ -0,0 +1,134 @@
+From c93823faef044150e1b232928d225ff5ff297e6c Mon Sep 17 00:00:00 2001
+From: Simon Arlott
+Date: Sat, 30 Sep 2023 12:18:51 +0100
+Subject: [PATCH] Fix integer underflow
+
+---
+ src/libspf2/spf_compile.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libspf2/spf_compile.c b/src/libspf2/spf_compile.c
+index b08ffe2..d401028 100644
+--- a/src/libspf2/spf_compile.c
++++ b/src/libspf2/spf_compile.c
+@@ -455,7 +455,11 @@ SPF_c_parse_var(SPF_response_t *spf_response, SPF_data_var_t *data,
+ /* Magic numbers for x/Nc in gdb. */ \
+ data->ds.__unused0 = 0xba; data->ds.__unused1 = 0xbe; \
+ dst = SPF_data_str( data ); \
+- ds_avail = _avail - sizeof(SPF_data_t); \
++ if ((_avail) < sizeof(SPF_data_t)) \
++ return SPF_response_add_error_ptr(spf_response, \
++ SPF_E_BIG_STRING, NULL, src, \
++ "Out of memory for string literal");\
++ ds_avail = (_avail) - sizeof(SPF_data_t); \
+ ds_len = 0; \
+ } while(0)
+
+From faa9e02887e20d37e112c4ce7df34366e4f2fa2f Mon Sep 17 00:00:00 2001
+From: Simon Arlott
+Date: Mon, 2 Oct 2023 19:34:38 +0100
+Subject: [PATCH] Used a fixed size buffer for DNS responses instead of
+ doubling memory use
+
+---
+ src/libspf2/spf_dns_resolv.c | 21 +++------------------
+ 1 file changed, 3 insertions(+), 18 deletions(-)
+
+diff --git a/src/libspf2/spf_dns_resolv.c b/src/libspf2/spf_dns_resolv.c
+index 9dacafe..ec687b8 100644
+--- a/src/libspf2/spf_dns_resolv.c
++++ b/src/libspf2/spf_dns_resolv.c
+@@ -268,7 +268,7 @@ SPF_dns_resolv_lookup(SPF_dns_server_t *spf_dns_server,
+ }
+ #endif
+
+- responselen = 2048;
++ responselen = 65536;
+ responsebuf = (u_char *)malloc(responselen);
+ if (! responsebuf)
+ return NULL; /* NULL always means OOM from DNS lookup. */
+@@ -319,23 +319,8 @@ SPF_dns_resolv_lookup(SPF_dns_server_t *spf_dns_server,
+ domain, rr_type, 0, SPF_h_errno);
+ }
+ else if (dns_len > responselen) {
+- void *tmp;
+- /* We managed a lookup but our buffer was too small.
*/
+- responselen = dns_len + (dns_len >> 1);
+-#if 0
+- /* Sanity-trap - we should never hit this. */
+- if (responselen > 1048576) { /* One megabyte. */
+- free(responsebuf);
+- return SPF_dns_rr_new_init(spf_dns_server,
+- domain, rr_type, 0, SPF_h_errno);
+- }
+-#endif
+- tmp = realloc(responsebuf, responselen);
+- if (!tmp) {
+- free(responsebuf);
+- return NULL;
+- }
+- responsebuf = tmp;
++ free(responsebuf);
++ return NULL;
+ }
+ else {
+ /* We managed a lookup, and our buffer was large enough. */
+From 1bd4c108b63927cd1229760e30936160d050d997 Mon Sep 17 00:00:00 2001
+From: Simon Arlott
+Date: Mon, 2 Oct 2023 19:37:00 +0100
+Subject: [PATCH] Allocate memory for string when the buffer is NULL
+
+These can't ever be NULL but scan-build complains about them.
+---
+ src/libspf2/spf_dns_cache.c | 2 +-
+ src/libspf2/spf_get_exp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libspf2/spf_dns_cache.c b/src/libspf2/spf_dns_cache.c
+index 16c9819..50d2660 100644
+--- a/src/libspf2/spf_dns_cache.c
++++ b/src/libspf2/spf_dns_cache.c
+@@ -327,7 +327,7 @@ SPF_dns_cache_rr_fixup(SPF_dns_cache_config_t *spfhook,
+ char *new_domain;
+ size_t new_len = strlen(domain) + 1;
+
+- if (cached_rr->domain_buf_len < new_len) {
++ if (cached_rr->domain == NULL || cached_rr->domain_buf_len < new_len) {
+ new_domain = realloc(cached_rr->domain, new_len);
+ if (new_domain == NULL)
+ return SPF_E_NO_MEMORY;
+diff --git a/src/libspf2/spf_get_exp.c b/src/libspf2/spf_get_exp.c
+index f4b5055..4a663e4 100644
+--- a/src/libspf2/spf_get_exp.c
++++ b/src/libspf2/spf_get_exp.c
+@@ -62,7 +62,7 @@ SPF_server_get_default_explanation(SPF_server_t *spf_server,
+ }
+ else {
+ size_t len = sizeof(SPF_LAME_EXP) + 1;
+- if (*buflenp < len) {
++ if (*bufp == NULL || *buflenp < len) {
+ char *tmp = realloc(*bufp, len);
+ if (tmp == NULL)
+ return SPF_E_NO_MEMORY;
+From 36c3af1dcfeb6c987dac00161f2ed57c6a42ed03 Mon Sep 17 00:00:00 2001
+From: Simon Arlott
+Date: Sat, 30 Sep
2023 11:40:47 +0100
+Subject: [PATCH] Use correct integer size for format string
+
+---
+ src/libspf2/spf_compile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libspf2/spf_compile.c b/src/libspf2/spf_compile.c
+index b08ffe2..ba3d804 100644
+--- a/src/libspf2/spf_compile.c
++++ b/src/libspf2/spf_compile.c
+@@ -604,7 +604,7 @@ SPF_c_parse_macro(SPF_server_t *spf_server,
+
+ default:
+ if (spf_server->debug > 3)
+- SPF_debugf("Adding illegal %%-follower '%c' at %d",
++ SPF_debugf("Adding illegal %%-follower '%c' at %zu",
+ src[idx], idx);
+ /* SPF spec says to treat it as a literal, not
+ * SPF_E_INVALID_ESC */
diff --git a/libspf2.spec b/libspf2.spec
index 12a54a2..afa3ce1 100644
--- a/libspf2.spec
+++ b/libspf2.spec
@@ -5,13 +5,14 @@ Name: libspf2
 Version: 1.2.11
-Release: 1
+Release: 2
 Summary: An implementation of the SPF specification
 License: BSD or LGPLv2+
 Url: http://www.libspf2.org/
 Source0: libspf2-%{version}-%{git}.tar.xz
 Patch1: 0001-remove-libreplace-unneeded-on-Linux.patch
+Patch2: CVE-2023-42118-and-other-fixes.patch
 BuildRequires: gcc
 BuildRequires: automake autoconf libtool
@@ -80,8 +81,7 @@ Requires(postun): /usr/sbin/alternatives, /usr/bin/readlink
 Programs for making SPF queries and checking their results using libspf2.
 %prep
-%setup -q -n libspf2-%{version}-%{git}
-%patch1 -p1
+%autosetup -p1 -n libspf2-%{version}-%{git}
 %build
@@ -123,8 +123,6 @@ make -C tests check
 LD_PRELOAD=$(pwd)/src/libspf2/.libs/libspf2.so make -C perl test
 %endif
-%ldconfig_scriptlets
-
 %post progs
 /usr/sbin/alternatives --install %{_bindir}/spfquery spf %{_bindir}/spfquery.libspf2 20 \
 --slave %{_bindir}/spfd spf-daemon %{_bindir}/spfd.libspf2
@@ -169,5 +167,8 @@ exit 0
 %{_mandir}/man3/Mail::SPF_XS.3pm*
 %changelog
+* Wed Dec 25 2024 Funda Wang - 1.2.11-2
+- fix CVE-2023-42118
+
 * Tue Oct 18 2022 openEuler Application - 1.2.11-1
 - DESC:Package init
-- Gitee
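Review bot: In the bundled spf_dns_resolv.c change (the `@@ -319,23 +319,8 @@` hunk of the new patch file), the `dns_len > responselen` branch now does `free(responsebuf); return NULL;`, but the context of the `@@ -268,7 +268,7 @@` hunk in the same file says `/* NULL always means OOM from DNS lookup. */`, so an answer larger than the 65536-byte buffer is reported to callers as an allocation failure rather than as a failed lookup, where the replaced realloc path only returned NULL on a genuine OOM. The lookup-failure form used by the branch directly above it in the hunk, `return SPF_dns_rr_new_init(spf_dns_server, domain, rr_type, 0, SPF_h_errno);`, keeps the NULL contract intact; if returning NULL here is intended, a comment on that line stating why an oversize response is treated like OOM would stop the next reader from "fixing" it. With a 65536-byte buffer this branch is presumably reachable only if the resolver reports a length above the DNS message maximum, which is worth saying in the same comment. Separately, the patch file carries four upstream commits while the spec changelog names only the CVE fix; a one-line summary of the other three (fixed-size DNS buffer, NULL-buffer realloc guards, `%zu` format) in the patch header would help anyone auditing what this release changes.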
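Review bot: The `-%ldconfig_scriptlets` removal in the `@@ -123,8 +123,6 @@` hunk of libspf2.spec is unrelated to the CVE fix and is not recorded in the changelog entry, which says only `- fix CVE-2023-42118`. Where the target's rpm macros still expand that macro to %post/%postun ldconfig calls, dropping it means the shared-library cache is no longer refreshed on install; if it is a no-op on this target, a changelog line such as `- drop %ldconfig_scriptlets (no-op on this target)` would record why it went. The `%setup`/`%patch1` to `%autosetup -p1` switch in the `@@ -80,8 +81,7 @@` hunk is likewise unmentioned; it is what lets the new Patch2 apply without an explicit `%patch2` line, so a changelog line naming it would help the next packager.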