shevek / libspf2

Implementation of the Sender Policy Framework for SMTP authorization
http://www.libspf2.net/

Vulnerability in SPF macro parsing claimed by "Anonymous" from "The Zero Day Initiative" #45

Open nomis opened 9 months ago

nomis commented 9 months ago

https://www.zerodayinitiative.com/advisories/ZDI-23-1472/

"The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory."

There are no further details and for some reason they're reporting it against Exim.

I can find one integer underflow which I've fixed with #44 but I haven't been able to get it to do anything after that because another buffer fills up.
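The advisory above describes the bug class (an unsigned length subtraction that wraps before a write) without giving code. The following is an added illustration, not libspf2's code and not a reproduction of the #44 change: it applies the RFC 7208 macro truncation rule (a DIGIT transformer keeps the rightmost n labels; if fewer labels exist, the whole domain is used) with every length computation guarded so that `size_t` arithmetic cannot wrap. The function names and the sample domains are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Count dot-separated labels in s ("a.b.c" -> 3, "" -> 0). */
static size_t count_labels(const char *s)
{
    if (*s == '\0')
        return 0;
    size_t n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* The unguarded form: with size_t operands, labels - keep wraps to a huge
 * value whenever keep > labels. Used later as an index or length, such a
 * value is exactly the "integer underflow before writing to memory" pattern. */
size_t unchecked_skip(size_t labels, size_t keep)
{
    return labels - keep;
}

/* The guarded form: refuse the subtraction instead of letting it wrap. */
bool checked_skip(size_t labels, size_t keep, size_t *skip)
{
    if (keep > labels)
        return false;
    *skip = labels - keep;
    return true;
}

/* Copy the rightmost `keep` labels of `domain` into out (NUL-terminated).
 * Per RFC 7208 section 7.3, if the domain has fewer labels than requested
 * the whole domain is used, so skip is clamped to 0 rather than subtracted.
 * Returns false only if out cannot hold the result. */
bool rightmost_labels(const char *domain, size_t keep, char *out, size_t outlen)
{
    size_t labels = count_labels(domain);
    size_t skip = 0;

    /* Only subtract when the result is known to be non-negative. */
    if (!checked_skip(labels, keep, &skip))
        skip = 0;

    /* Advance past `skip` dots; after the loop, start is the first kept label. */
    const char *start = domain;
    for (; skip > 0; start++) {
        if (*start == '.')
            skip--;
    }

    /* Room check written so that outlen - 1 itself cannot wrap. */
    size_t need = strlen(start);
    if (outlen == 0 || need > outlen - 1)
        return false;
    memcpy(out, start, need);
    out[need] = '\0';
    return true;
}

int main(void)
{
    char buf[32];
    /* Constructed inputs, not from any real SPF record. */
    if (rightmost_labels("mail.example.com", 2, buf, sizeof buf))
        printf("%%{d2} of mail.example.com -> %s\n", buf);
    if (rightmost_labels("example.com", 5, buf, sizeof buf))
        printf("%%{d5} of example.com -> %s\n", buf);
    printf("unchecked 2 - 5 = %zu (wrapped)\n", unchecked_skip(2, 5));
    return 0;
}
```

The point of keeping `unchecked_skip` beside `checked_skip` is that the wrapped value is not a crash by itself; it only becomes a memory-safety problem when it feeds a later index or length, which is why the guard belongs at the subtraction and not at the write.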

toddr commented 9 months ago

@nomis are you with ZDI or just doing your best to de-obfuscate their report?

nomis commented 9 months ago

> @nomis are you with ZDI

No.

> de-obfuscate their report?

They haven't even reported anything of use to the Exim maintainers.

toddr commented 9 months ago

Thank you for your efforts. Appreciated!

bertvandepoel commented 9 months ago

I wonder if further details were emailed to @shevek, since ZDI claims they disclosed details to the project. It would be quite nice if there was (a lot) more clarity.

samueloph commented 8 months ago

CVE-2023-42118 was assigned to the ZDI report, but the CVE is still in reserved state by the CNA.

There doesn't seem to be any confirmation of what the ZDI advisory actually is about :(

bertvandepoel commented 8 months ago

Yeah, this whole situation really sucks :/ It's also really complicating the situation over at Debian where they're not sure what to do about that CVE and the packaging of libspf2, it seems.

samueloph commented 8 months ago

I have sent an email to "zdi@trendmicro.com" asking them to provide more info.

If that doesn't work, we can try contacting MITRE. They might be able to help because they grant the CNA status to ZDI and ZDI has published a CVE ID back in September but that CVE is still set as "RESERVED" on MITRE's side.

carnil commented 8 months ago

> I have sent an email to "zdi@trendmicro.com" asking them to provide more info.
>
> If that doesn't work, we can try contacting MITRE. They might be able to help because they grant the CNA status to ZDI and ZDI has published a CVE ID back in September but that CVE is still set as "RESERVED" on MITRE's side.

For reference, my attempt at https://www.openwall.com/lists/oss-security/2023/10/04/7 was unfortunately not successful back then.

ZDI's reply: https://www.openwall.com/lists/oss-security/2023/10/04/9

shevek commented 8 months ago

I'd love the details as well, by private email is fine. I'm trying to enlist help with maintenance of this project at the moment. This whole thing has been somewhat of a shortage of information.

bertvandepoel commented 7 months ago

Did anyone in the end hear anything detailed from ZDI? Things are stuck at Debian (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053870 ) due to a lack of clarity. I'd really like to see this get somewhere. The lack of clarity from the anonymous reporter and ZDI is really not ideal.

toddr commented 7 months ago

They seemed to be only interested in reporting the vuln as a brag. They have given no details to anyone. To my knowledge, any follow-ups by the exim devs were also similarly ignored. At this point, I'm not convinced a human is behind the reporting group's email.

carnil commented 7 months ago

To reiterate one aspect of why Debian has not done a stable or oldstable update with the mentioned commit: as per the finder and fixer of the respective integer overflow,

> I can find one integer underflow which I've fixed with https://github.com/shevek/libspf2/pull/44 but I haven't been able to get it to do anything after that because another buffer fills up.

it is not clear if it can be exploited or not. The fix for the potential integer overflow is already exposed in the testing and unstable distributions, but we won't associate it with the ZDI-claimed one if it is not confirmed.

Sanches13 commented 1 month ago

Is there any progress on this issue, and are there any plans to fix this vulnerability? Can the fix in #44 be considered a complete fix for CVE-2023-42118?