On 2021/08/12 04:58, wen heping wrote:
> Hi, ports@:
>
> Here is a patch from upstream for mail/libspf2 to
> fix CVE-2021-20314. More details please visit:
> https://security-tracker.debian.org/tracker/CVE-2021-20314

I've used this for -stable, and updated to a git checkout in -current, some other security problems were fixed too. https://seclists.org/oss-sec/2021/q3/94 > Index: Makefile > =================================================================== > RCS file: /cvs/ports/mail/libspf2/Makefile,v > retrieving revision 1.16 > diff -u -p -r1.16 Makefile > --- Makefile 19 Mar 2021 13:09:13 -0000 1.16 > +++ Makefile 12 Aug 2021 04:55:33 -0000 > @@ -3,7 +3,7 @@ > COMMENT= SPF library > > DISTNAME= libspf2-1.2.10 > -REVISION= 6 > +REVISION= 7 > > SHARED_LIBS += spf2 4.0 # 3.0 > > Index: patches/patch-src_libspf2_spf_compile_c > =================================================================== > RCS file: /cvs/ports/mail/libspf2/patches/patch-src_libspf2_spf_compile_c,v > retrieving revision 1.4 > diff -u -p -r1.4 patch-src_libspf2_spf_compile_c > --- patches/patch-src_libspf2_spf_compile_c 19 Apr 2017 16:56:04 -0000 > 1.4 > +++ patches/patch-src_libspf2_spf_compile_c 12 Aug 2021 04:55:33 -0000 > @@ -1,6 +1,16 @@ > $OpenBSD: patch-src_libspf2_spf_compile_c,v 1.4 2017/04/19 16:56:04 jca Exp $ > ---- src/libspf2/spf_compile.c.orig Mon Feb 20 08:26:43 2012 > -+++ src/libspf2/spf_compile.c Wed Apr 19 18:53:10 2017 > +Index: src/libspf2/spf_compile.c > +--- src/libspf2/spf_compile.c.orig > ++++ src/libspf2/spf_compile.c > +@@ -455,7 +455,7 @@ SPF_c_parse_var(SPF_response_t *spf_response, SPF_data > + /* Magic numbers for x/Nc in gdb. */ > \ > + data->ds.__unused0 = 0xba; data->ds.__unused1 = 0xbe; > \ > + dst = SPF_data_str( data ); > \ > +- ds_avail = _avail; > \ > ++ ds_avail = _avail - sizeof(SPF_data_t); > \ > + ds_len = 0; > \ > + } while(0) > + > @@ -577,7 +577,7 @@ SPF_c_parse_macro(SPF_server_t *spf_server, > switch (src[idx]) { > case '%':
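
Review bot: In the hunk added at spf_compile.c line 455, `ds_avail = _avail - sizeof(SPF_data_t);` subtracts with no visible check that `_avail` is at least `sizeof(SPF_data_t)`. Because `sizeof` yields a `size_t`, a smaller `_avail` would wrap around and leave `ds_avail` holding a very large value instead of a reduced one. The macro's callers are not shown in the hunk, so please confirm that each of them guarantees that minimum, or add a guard in the macro before the subtraction. A one-line comment at the top of the patch file naming CVE-2021-20314 as the reason for the new hunk would also make it easier to drop or rework at the next upstream update.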