CVE-2021-33912

Name of the Vulnerable Software and Affected Versions libspf2 versions prior to 1.2.11

Description The issue is related to a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code via an unauthenticated e-mail message from anywhere on the Internet with a crafted SPF DNS record. This is due to incorrect sprintf usage in SPF record expand data in spf expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure, but most often it is not.

Recommendations For versions prior to 1.2.11, update to version 1.2.11 or later to resolve the issue. As a temporary workaround, consider restricting the use of libspf2 in e-mail infrastructure configurations until a patch is applied. Avoid using libspf2 with additional configuration in Exim or with unofficial patches for Postfix until the issue is resolved.