CVE-2021-20314: 
NixOS vulnerability analysis and mitigation

CVE-2021-20314 is a stack buffer overflow vulnerability discovered in libspf2 versions below 1.2.11. The vulnerability was discovered by Philipp Jeitner and Haya Shulman from Fraunhofer SIT and was disclosed on August 11, 2021. The vulnerability affects the SPF (Sender Policy Framework) implementation in libspf2 when processing certain SPF macros (OpenWall, NVD).

The vulnerability occurs in the SPF_record_compile_macro function when processing SPF explanation messages. The buffer overflow is caused by an incorrect buffer length adjustment in the SPF_INIT_STRING_LITERAL macro, which places a 4-byte header of type SPF_data_str into the buffer inside buf without decreasing the available size ds_avail by 4. This allows an attacker to override up to 4 bytes on the stack. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (OpenWall, NVD).

The vulnerability can lead to denial of service and potentially remote code execution via maliciously crafted SPF explanation messages. Any mail server accepting emails and processing them via libspf2 is vulnerable to this attack (OpenWall, Gentoo Security).

The vulnerability has been fixed in libspf2 version 1.2.11. Users are advised to upgrade to this version or later. The fix was implemented in GitHub commit c37b7c13c30e225183899364b9f2efdfa85552ef. Various Linux distributions have also released security updates to address this vulnerability (OpenWall, Fedora Update).