Vulnerability Note VU#183657

libspf2 DNS TXT record parsing buffer overflow

Original Release date: 30 Oct 2008 | Last revised: 22 Jul 2011


libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records.


libspf2 is a widely-deployed implementation of the Sender Policy Framework. According to RFC 4408:

    An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities. Loosely, the record partitions all hosts into permitted and not-permitted sets (though some hosts might fall into neither category).

libspf2 contains a buffer overflow in DNS TXT record parsing. According to Doxpara Research:

    DNS TXT records have long been a little tricky to parse, due to them containing two length fields. First, there is the length field of the record as a whole. Then, there is a sublength field, from 0 to 255, that describes the length of a particular character string inside the larger record. There is nothing that links the two values, and DNS servers do not themselves enforce sanity checks here. As such, there is always a risk that when receiving a DNS TXT record, the outer record length will be the amount allocated, but the inner length will be copied.

This issue is similar to VU#814627 "Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records."
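The check that links the two length fields can be shown in a short parser. This is an added example, not libspf2's code or its 1.2.8 fix; the function name `txt_rdata_copy`, the buffer `demo_buf` and the sample byte strings are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Concatenate the character-strings of one TXT RDATA into dst.
 * rdlen is the outer RDLENGTH from the RR header. Returns the number of
 * bytes written (excluding the NUL), or -1 if malformed or too large. */
long txt_rdata_copy(const uint8_t *rdata, size_t rdlen,
                    char *dst, size_t dstcap)
{
    size_t in = 0, out = 0;

    if (dstcap == 0)
        return -1;
    while (in < rdlen) {
        size_t slen = rdata[in++];   /* inner length byte, 0..255 */

        /* The inner length must fit in what remains of the outer record. */
        if (slen > rdlen - in)
            return -1;
        /* It must also fit in the destination, leaving room for the NUL. */
        if (slen > dstcap - 1 - out)
            return -1;
        memcpy(dst + out, rdata + in, slen);
        in += slen;
        out += slen;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t txt_ok[] = { 6, 'v', '=', 's', 'p', 'f', '1',
                                  5, ' ', '-', 'a', 'l', 'l' };
/* Outer length is 4 bytes, but the inner length byte claims 200. */
static const uint8_t txt_bad[] = { 200, 'A', 'B', 'C' };
static char demo_buf[64];

int main(void)
{
    printf("%ld\n", txt_rdata_copy(txt_ok, sizeof txt_ok, demo_buf, sizeof demo_buf));
    printf("%s\n", demo_buf);
    printf("%ld\n", txt_rdata_copy(txt_bad, sizeof txt_bad, demo_buf, sizeof demo_buf));
    return 0;
}
```

A record whose inner length exceeds the outer length is rejected as a whole rather than truncated, so a caller never sees a partially copied policy string.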


This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2.


Vendors and those who directly use libspf2 should upgrade to version 1.2.8.

Users that run a mail server or anti-spam products should consult their vendor for an appropriate patch.

Systems Affected

Vendor                         Status        Date Notified  Date Updated
BlueCat Networks, Inc.         Affected      18 Sep 2008    30 Oct 2008
McAfee                         Affected      16 Sep 2008    16 Oct 2008
Process Software               Affected      16 Sep 2008    16 Oct 2008
SecPoint                       Affected      24 Sep 2008    16 Oct 2008
Bizanga                        Not Affected  17 Sep 2008    16 Oct 2008
Cisco Systems, Inc.            Not Affected  16 Sep 2008    07 Nov 2008
Eland Systems                  Not Affected  17 Sep 2008    16 Oct 2008
Extreme Networks               Not Affected  16 Sep 2008    30 Apr 2009
Force10 Networks, Inc.         Not Affected  16 Sep 2008    22 Jul 2011
MailFoundry                    Not Affected  18 Sep 2008    23 Oct 2008
Openwall GNU/*/Linux           Not Affected  16 Sep 2008    16 Oct 2008
Proofpoint                     Not Affected  18 Sep 2008    16 Oct 2008
Roaring Penguin Software Inc.  Not Affected  17 Sep 2008    16 Oct 2008
Securence                      Not Affected  19 Sep 2008    16 Oct 2008
Sun Microsystems, Inc.         Not Affected  16 Sep 2008    16 Oct 2008

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A



This issue was reported by Dan Kaminsky of Doxpara Research.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: CVE-2008-2469
  • Date Public: 21 Oct 2008
  • Date First Published: 30 Oct 2008
  • Date Last Updated: 22 Jul 2011
  • Severity Metric: 9.00
  • Document Revision: 23

