Mailing List Archive

New libspf2 release
There is (at last) a new libspf2 release. All the patches that I had
collected from people were looked at and the issues addressed either by that
patch or with an alternative solution (the maintainer had patches from
multiple sources and sometimes they overlapped). All of you who contributed,
thank you.

In addition to the run of the mill bugfixes, this release also includes a
security fix for a buffer overflow. I understand a CVE will be published
soon at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2469

Because of the large number of fixes for significant bugs (a number of memory
leaks are fixed in addition to the overflow), anyone using libspf2 should
seriously consider upgrading very soon.

The upstream release announcement is here:

http://libspf2.org/index.html

The new version can be downloaded from here:

http://libspf2.org/download.html

A number of vendors and distributors that provide libspf2 were contacted and
are in varying states of providing updates.

For Ubuntu Linux a patch to correct the buffer overflow has been uploaded for
all supported releases and will be published soon. I intend to upload the
new 1.2.8 to the current development release and will explore backporting it
to earlier releases.

Scott K


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1007/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1007/
Powered by Listbox: http://www.listbox.com
Re: New libspf2 release
Scott Kitterman wrote:
> There is (at last) a new libspf2 release.

This does not look good to me.

The old one:

$ /usr/local/libspf2-1.2.5/bin/spfquery -ip 127.0.0.1 -sender crosser@average.org
pass

spfquery: localhost is always allowed.
Received-SPF: pass (spfquery: localhost is always allowed.)
client-ip=127.0.0.1; envelope-from=crosser@average.org;

but the new one:

$ /usr/local/libspf2-1.2.8/bin/spfquery -ip 127.0.0.1 -sender crosser@average.org
spf_interpret.c:60 Error: spf_record is NULL
Aborted

Am I missing something? Is there any kind of changelog anywhere?

Eugene




Re: New libspf2 release
On Wednesday 15 October 2008 16:10, Eugene Crosser wrote:
> Scott Kitterman wrote:
> > There is (at last) a new libspf2 release.
>
> This does not look good to me.
>
> The old one:
>
> $ /usr/local/libspf2-1.2.5/bin/spfquery -ip 127.0.0.1 -sender
> crosser@average.org
> pass
>
> spfquery: localhost is always allowed.
> Received-SPF: pass (spfquery: localhost is always allowed.)
> client-ip=127.0.0.1; envelope-from=crosser@average.org;
>
> but the new one:
>
> $ /usr/local/libspf2-1.2.8/bin/spfquery -ip 127.0.0.1 -sender
> crosser@average.org
> spf_interpret.c:60 Error: spf_record is NULL
> Aborted
>
> Am I missing something? Is there any kind of changelog anywhere?
>
No. I don't think you're missing anything. I get the same error here.

Shevek?

Scott K


Re: New libspf2 release
On Wed, 2008-10-15 at 16:25 -0400, Scott Kitterman wrote:
> On Wednesday 15 October 2008 16:10, Eugene Crosser wrote:
> > Scott Kitterman wrote:

> > The old one:
> >
> > $ /usr/local/libspf2-1.2.5/bin/spfquery -ip 127.0.0.1 -sender
> > crosser@average.org
> > pass
> >
> > spfquery: localhost is always allowed.
> > Received-SPF: pass (spfquery: localhost is always allowed.)
> > client-ip=127.0.0.1; envelope-from=crosser@average.org;
> >
> > but the new one:
> >
> > $ /usr/local/libspf2-1.2.8/bin/spfquery -ip 127.0.0.1 -sender
> > crosser@average.org
> > spf_interpret.c:60 Error: spf_record is NULL
> > Aborted
> >
> > Am I missing something? Is there any kind of changelog anywhere?
> >
> No. I don't think you're missing anything. I get the same error here.
>
> Shevek?

No, I see it, you're right, this is an unfortunate interaction between
my refactoring and Hannah's.

Give me 30 minutes or so, this isn't trivial.

S.



Re: New libspf2 release
One of the Ubuntu devs should have just mailed you a patch. I haven't seen
it.

Scott K

...... Original Message .......
On Wed, 15 Oct 2008 23:22:44 +0100 Shevek <shevek@anarres.org> wrote:
>On Wed, 2008-10-15 at 16:25 -0400, Scott Kitterman wrote:
>> On Wednesday 15 October 2008 16:10, Eugene Crosser wrote:
>> > Scott Kitterman wrote:
>
>> > The old one:
>> >
>> > $ /usr/local/libspf2-1.2.5/bin/spfquery -ip 127.0.0.1 -sender
>> > crosser@average.org
>> > pass
>> >
>> > spfquery: localhost is always allowed.
>> > Received-SPF: pass (spfquery: localhost is always allowed.)
>> > client-ip=127.0.0.1; envelope-from=crosser@average.org;
>> >
>> > but the new one:
>> >
>> > $ /usr/local/libspf2-1.2.8/bin/spfquery -ip 127.0.0.1 -sender
>> > crosser@average.org
>> > spf_interpret.c:60 Error: spf_record is NULL
>> > Aborted
>> >
>> > Am I missing something? Is there any kind of changelog anywhere?
>> >
>> No. I don't think you're missing anything. I get the same error here.
>>
>> Shevek?
>
>No, I see it, you're right, this is an unfortunate interaction between
>my refactoring and Hannah's.
>
>Give me 30 minutes or so, this isn't trivial.
>
>S.
>
>



Re: New libspf2 release
On Wed, 2008-10-15 at 18:34 -0400, Scott Kitterman wrote:
> One of the Ubuntu devs should have just mailed you a patch. I haven't seen
> it.

While his patch prevented the abort(), it didn't fix the bug.

I believe that I have fixed the bug, and I have taken the unusual step
of replacing the 1.2.8 tarball on the web site, rather than updating to
1.2.9, all users please note.

New md5sum: 824d62a83e76108f8e21a39e1ae2ad62 libspf2-1.2.8.tar.gz

S.

> ...... Original Message .......
> On Wed, 15 Oct 2008 23:22:44 +0100 Shevek <shevek@anarres.org> wrote:
> >On Wed, 2008-10-15 at 16:25 -0400, Scott Kitterman wrote:
> >> On Wednesday 15 October 2008 16:10, Eugene Crosser wrote:
> >> > Scott Kitterman wrote:
> >
> >> > The old one:
> >> >
> >> > $ /usr/local/libspf2-1.2.5/bin/spfquery -ip 127.0.0.1 -sender
> >> > crosser@average.org
> >> > pass
> >> >
> >> > spfquery: localhost is always allowed.
> >> > Received-SPF: pass (spfquery: localhost is always allowed.)
> >> > client-ip=127.0.0.1; envelope-from=crosser@average.org;
> >> >
> >> > but the new one:
> >> >
> >> > $ /usr/local/libspf2-1.2.8/bin/spfquery -ip 127.0.0.1 -sender
> >> > crosser@average.org
> >> > spf_interpret.c:60 Error: spf_record is NULL
> >> > Aborted
> >> >
> >> > Am I missing something? Is there any kind of changelog anywhere?
> >> >
> >> No. I don't think you're missing anything. I get the same error here.
> >>
> >> Shevek?
> >
> >No, I see it, you're right, this is an unfortunate interaction between
> >my refactoring and Hannah's.
> >
> >Give me 30 minutes or so, this isn't trivial.
> >
> >S.
> >
> >
>
>



Re: New libspf2 release
On Thu, 2008-10-16 at 00:10 +0400, Eugene Crosser wrote:
> Scott Kitterman wrote:
> > There is (at last) a new libspf2 release.
>
> This does not look good to me.
[SNIP]
> but the new one:
>
> $ /usr/local/libspf2-1.2.8/bin/spfquery -ip 127.0.0.1 -sender
> crosser@average.org
> spf_interpret.c:60 Error: spf_record is NULL
> Aborted
>
> Am I missing something? Is there any kind of changelog anywhere?

No, I did. This was a consequence of my code executing the wrong
instructions in the wrong order, and was a little more subtle than I
realised. The tarball has been replaced, thank you for your report.

I took advantage of the chance to replace the tarball to include two
other minor fixes contributed by the community.

Please have another poke at it, and we'll see if we've managed to make
the world a wonderful place yet.

Thank you.

S.

P.S. Julian, test suite case?



Re: New libspf2 release
On Wed, 15 Oct 2008 23:54:44 +0100 Shevek <spf@anarres.org> wrote:
>On Thu, 2008-10-16 at 00:10 +0400, Eugene Crosser wrote:
>> Scott Kitterman wrote:
>> > There is (at last) a new libspf2 release.
>>
>> This does not look good to me.
>[SNIP]
>> but the new one:
>>
>> $ /usr/local/libspf2-1.2.8/bin/spfquery -ip 127.0.0.1 -sender
>> crosser@average.org
>> spf_interpret.c:60 Error: spf_record is NULL
>> Aborted
>>
>> Am I missing something? Is there any kind of changelog anywhere?
>
>No, I did. This was a consequence of my code executing the wrong
>instructions in the wrong order, and was a little more subtle than I
>realised. The tarball has been replaced, thank you for your report.
>
>I took advantage of the chance to replace the tarball to include two
>other minor fixes contributed by the community.
>
>Please have another poke at it, and we'll see if we've managed to make
>the world a wonderful place yet.
>
It works now here.

Thanks,

Scott K


Re: New libspf2 release
On Wed, 15 Oct 2008 23:54:44 +0100 Shevek <spf@anarres.org> wrote:
>On Thu, 2008-10-16 at 00:10 +0400, Eugene Crosser wrote:
>> Scott Kitterman wrote:
>> > There is (at last) a new libspf2 release.
>>
>> This does not look good to me.
>[SNIP]
>> but the new one:
>>
>> $ /usr/local/libspf2-1.2.8/bin/spfquery -ip 127.0.0.1 -sender
>> crosser@average.org
>> spf_interpret.c:60 Error: spf_record is NULL
>> Aborted
>>
>> Am I missing something? Is there any kind of changelog anywhere?
>
>No, I did. This was a consequence of my code executing the wrong
>instructions in the wrong order, and was a little more subtle than I
>realised. The tarball has been replaced, thank you for your report.
>
>I took advantage of the chance to replace the tarball to include two
>other minor fixes contributed by the community.
>
>Please have another poke at it, and we'll see if we've managed to make
>the world a wonderful place yet.
>
>Thank you.
>
>S.
>
>P.S. Julian, test suite case?

I think the presence of special processing for localhost is an anachronism
that should be deprecated and eventually removed. There is nothing in RFC
4408 that says to give special treatment for localhost addresses.

We removed the equivalent from pyspf two or three years ago and the
released Mail::SPF never supported it.

Scott K


Re: New libspf2 release
After the fix, I don't see problems so far. Will put the thing into
"production" environment later today.

Scott Kitterman wrote:

>> P.S. Julian, test suite case?

Speaking of which, this looks unfortunate (and has always been this way
afaik):

$ make check
[...]
====================================
6 of 7 tests failed
Please report to libspf2@anarres.org
====================================

> I think the presence of special processing for localhost is an anachronism
> that should be deprecated and eventually removed. There is nothing in RFC
> 4408 that says to give special treatment for localhost addresses.

I for one have nothing against removal.

Thanks,

Eugene




Re: New libspf2 release
Hi!

On Thu, Oct 16, 2008 at 09:19:35AM +0400, Eugene Crosser wrote:
>[...]

>> I think the presence of special processing for localhost is an anachronism
>> that should be deprecated and eventually removed. There is nothing in RFC
>> 4408 that says to give special treatment for localhost addresses.

>I for one have nothing against removal.

Ditto for me.

Kind regards,

Hannah.


Re: [spf-discuss] Re: New libspf2 release
On Wed, 15 Oct 2008, Scott Kitterman wrote:

> I think the presence of special processing for localhost is an anachronism
> that should be deprecated and eventually removed. There is nothing in RFC
> 4408 that says to give special treatment for localhost addresses.
>
> We removed the equivalent from pyspf two or three years ago and the
> released Mail::SPF never supported it.

You can reuse the SPF machinery for recognizing local addresses if the
SPF library supports passing a policy without looking it up (as does pyspf).
At connect, pass a policy like "v=spf1 ip4:127.0.0.0/8 ip4:192.168.0.0/16"
and treat the connection as "local" on a Pass (and skip normal SPF
checking). The "local" policy should be configurable. You could
also reject on fail for the local policy for a consistent and configurable
blacklist (e.g. use -exists: on selected ip blacklists).

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
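
The local-policy idea in the message above, as an added example (not code from pyspf or libspf2): a small evaluator for an SPF policy string that is passed in directly rather than looked up. It handles only the ip4, ip6 and all mechanisms so it needs no DNS; the function names, the `local`/`reject`/`check-spf` outcomes and the deny range in the test policy are assumptions of this sketch.

```python
import ipaddress

# Policy string quoted in the post; a deployment would load this from config.
LOCAL_POLICY = "v=spf1 ip4:127.0.0.0/8 ip4:192.168.0.0/16"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_local_policy(client_ip, policy=LOCAL_POLICY):
    """Evaluate a supplied SPF policy against client_ip without any DNS lookup.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'permerror'.
    """
    terms = policy.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"               # outside this sketch's subset
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if net.version != int(name[2]):      # e.g. ip4: given an IPv6 range
            return "permerror"
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]     # first matching mechanism wins
    return "neutral"                         # nothing matched


def classify_connection(client_ip, policy=LOCAL_POLICY):
    """Map the local-policy result to what the MTA does at connect time."""
    result = check_local_policy(client_ip, policy)
    if result == "pass":
        return "local"       # trusted source: skip the normal SPF check
    if result == "fail":
        return "reject"      # local policy used as a deny list
    return "check-spf"       # fall through to the sender domain's policy
```

Because the first matching mechanism decides the result, a deny entry such as `-ip4:` must appear before any broader allow range that would also match.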


Re: New libspf2 release
On Thu, 2008-10-16 at 09:19 +0400, Eugene Crosser wrote:
> Scott Kitterman wrote:
>
> >> P.S. Julian, test suite case?
>
> Speaking of which, this looks unfortunate (and has always been this way
> afaik):
>
> $ make check
> [...]
> ====================================
> 6 of 7 tests failed
> Please report to libspf2@anarres.org
> ====================================

Bleh, I should remove that test suite entirely, it's utterly superseded
by the one in the perl/ subdirectory. I forgot it was still there.

S.


