From 7e69f1b0c0ac05f66a7a79829efb0a55f13d1cbc Mon Sep 17 00:00:00 2001
From: Tim Biermann <tbier@posteo.de>
Date: Wed, 10 Jul 2024 20:43:01 +0200
Subject: [PATCH] libspf2: initial commit, version 1.2.11

---
 libspf2/.footprint                            |  25 ++++
 libspf2/.signature                            |   8 ++
 ...-remove-libreplace-unneeded-on-Linux.patch |  61 ++++++++
 .../0002-add-include-string-for-memset.patch  |  17 +++
 libspf2/CVE-2023-42118-and-other-fixes.patch  | 134 ++++++++++++++++++
 libspf2/Pkgfile                               |  28 ++++
 6 files changed, 273 insertions(+)
 create mode 100644 libspf2/.footprint
 create mode 100644 libspf2/.signature
 create mode 100644 libspf2/0001-remove-libreplace-unneeded-on-Linux.patch
 create mode 100644 libspf2/0002-add-include-string-for-memset.patch
 create mode 100644 libspf2/CVE-2023-42118-and-other-fixes.patch
 create mode 100644 libspf2/Pkgfile

diff --git a/libspf2/.footprint b/libspf2/.footprint
new file mode 100644
index 000000000..cd1a172c1
--- /dev/null
+++ b/libspf2/.footprint
@@ -0,0 +1,25 @@
+drwxr-xr-x	root/root	usr/
+drwxr-xr-x	root/root	usr/bin/
+-rwxr-xr-x	root/root	usr/bin/spfquery
+drwxr-xr-x	root/root	usr/include/
+drwxr-xr-x	root/root	usr/include/spf2/
+-rw-r--r--	root/root	usr/include/spf2/spf.h
+-rw-r--r--	root/root	usr/include/spf2/spf_dns.h
+-rw-r--r--	root/root	usr/include/spf2/spf_dns_cache.h
+-rw-r--r--	root/root	usr/include/spf2/spf_dns_null.h
+-rw-r--r--	root/root	usr/include/spf2/spf_dns_resolv.h
+-rw-r--r--	root/root	usr/include/spf2/spf_dns_rr.h
+-rw-r--r--	root/root	usr/include/spf2/spf_dns_test.h
+-rw-r--r--	root/root	usr/include/spf2/spf_dns_zone.h
+-rw-r--r--	root/root	usr/include/spf2/spf_lib_version.h
+-rw-r--r--	root/root	usr/include/spf2/spf_log.h
+-rw-r--r--	root/root	usr/include/spf2/spf_record.h
+-rw-r--r--	root/root	usr/include/spf2/spf_request.h
+-rw-r--r--	root/root	usr/include/spf2/spf_response.h
+-rw-r--r--	root/root	usr/include/spf2/spf_server.h
+drwxr-xr-x	root/root	usr/lib/
+-rw-r--r--	root/root	usr/lib/libspf2.a
+-rwxr-xr-x	root/root	usr/lib/libspf2.la
+lrwxrwxrwx	root/root	usr/lib/libspf2.so -> libspf2.so.2.1.0
+lrwxrwxrwx	root/root	usr/lib/libspf2.so.2 -> libspf2.so.2.1.0
+-rwxr-xr-x	root/root	usr/lib/libspf2.so.2.1.0
diff --git a/libspf2/.signature b/libspf2/.signature
new file mode 100644
index 000000000..12475ae11
--- /dev/null
+++ b/libspf2/.signature
@@ -0,0 +1,8 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF36VZBCg77Gx5m18DzhcBKMu7l6xlAKcYe2jIaluEcQgoPgJhnapGRe+x80c8xbCVDwvNGGyzCYXbrX5rXfbqfQs=
+SHA256 (Pkgfile) = 5a8731b079d9ad1c6baf80eb2a817776e989f12a0e2bf4efbd8dedae6b085694
+SHA256 (.footprint) = 8586fdef4d7ec9aa154d10fe89480156f072d31c7b4aa0bd69304fa87b5a38fc
+SHA256 (libspf2-1.2.11.tar.gz) = 2ba3dc7ea380a72646f5b2fbc1fff0d9a10d5c844a998621f8dd410afc50553a
+SHA256 (0001-remove-libreplace-unneeded-on-Linux.patch) = 443fe0924f6adb02fa90a02c177c06ab31d6c4e5eb085f8533743231a641052e
+SHA256 (0002-add-include-string-for-memset.patch) = 145d014a469a6c14ecbcd6ddf3bbd64d7db24c1df3f2d0af4b3e07af4fb5e566
+SHA256 (CVE-2023-42118-and-other-fixes.patch) = 2712f95e98ce9bf9870ce30c4638bb2988fdab9be834d8381d279b0036152afd
diff --git a/libspf2/0001-remove-libreplace-unneeded-on-Linux.patch b/libspf2/0001-remove-libreplace-unneeded-on-Linux.patch
new file mode 100644
index 000000000..fae0021f6
--- /dev/null
+++ b/libspf2/0001-remove-libreplace-unneeded-on-Linux.patch
@@ -0,0 +1,61 @@
+From d559339883f61bfb44188c4fe92851a2905e8a8e Mon Sep 17 00:00:00 2001
+From: Matt Domsch <mdomsch@fedoraproject.org>
+Date: Thu, 23 Jan 2014 10:51:07 -0600
+Subject: [PATCH 1/2] remove libreplace, unneeded on Linux
+
+---
+ configure.ac            | 3 ---
+ src/Makefile.am         | 2 +-
+ src/libspf2/Makefile.am | 4 ----
+ 3 files changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 63e398c..63e5392 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -273,8 +273,6 @@ AC_CHECK_FUNCS([strchr strcspn strdup strerror])
+ AC_CHECK_FUNCS([strcasecmp strncasecmp strspn strtoul])
+ AC_CHECK_FUNCS([gethostbyname inet_ntoa select strrchr strstr strtol])
+ 
+-AC_REPLACE_FUNCS([getopt_long_only strncasecmp])
+-AC_REPLACE_FUNCS([__ns_initparse __ns_name_uncompress __ns_msg_getflag])
+ dnl Magnus Holmgren says this avoids linking a private function
+ AC_LIBOBJ([__ns_get16])
+ 
+@@ -282,7 +280,6 @@ AC_CONFIG_FILES([Makefile
+                  Doxyfile
+                  src/Makefile
+                  src/include/Makefile
+-                 src/libreplace/Makefile
+                  src/libspf2/Makefile
+                  src/spfquery/Makefile
+                  src/spftest/Makefile
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 307bf10..02f09b4 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -4,5 +4,5 @@ AUTOMAKE_OPTIONS = foreign
+ # Attempt to disable parallel processing.
+ .NOTPARALLEL:
+ .NO_PARALLEL:
+-SUBDIRS =	include libreplace libspf2 spfquery spftest spfd spf_example
++SUBDIRS =	include libspf2 spfquery spftest spfd spf_example
+ TARGETS =
+diff --git a/src/libspf2/Makefile.am b/src/libspf2/Makefile.am
+index 6b5a147..77ef3b9 100644
+--- a/src/libspf2/Makefile.am
++++ b/src/libspf2/Makefile.am
+@@ -34,10 +34,6 @@ libspf2_la_SOURCES	= \
+ 	spf_utils.c \
+ 	spf_win32.c
+ 
+-libspf2_la_LIBADD	= $(top_builddir)/src/libreplace/libreplace.la
+-
+-
+-
+ libspf2_la_LDFLAGS	= -version-info 3:0:1
+ 
+ # Copied from the libtool info file:
+-- 
+1.8.4.2
+
diff --git a/libspf2/0002-add-include-string-for-memset.patch b/libspf2/0002-add-include-string-for-memset.patch
new file mode 100644
index 000000000..0fa053d7c
--- /dev/null
+++ b/libspf2/0002-add-include-string-for-memset.patch
@@ -0,0 +1,17 @@
+Add missing include of string.h for memset in spf_utils.c
+https://github.com/shevek/libspf2/issues/41
+
+diff --git a/src/libspf2/spf_utils.c b/src/libspf2/spf_utils.c
+index 54878fa..892cea5 100644
+--- a/src/libspf2/spf_utils.c
++++ b/src/libspf2/spf_utils.c
+@@ -25,6 +25,9 @@
+ #include <memory.h>
+ #endif
+ 
++#ifdef HAVE_STRING_H
++# include <string.h>       /* memset */
++#endif
+ 
+ 
+ #include "spf.h"
diff --git a/libspf2/CVE-2023-42118-and-other-fixes.patch b/libspf2/CVE-2023-42118-and-other-fixes.patch
new file mode 100644
index 000000000..ccbaeabf4
--- /dev/null
+++ b/libspf2/CVE-2023-42118-and-other-fixes.patch
@@ -0,0 +1,134 @@
+From c93823faef044150e1b232928d225ff5ff297e6c Mon Sep 17 00:00:00 2001
+From: Simon Arlott <sa.me.uk>
+Date: Sat, 30 Sep 2023 12:18:51 +0100
+Subject: [PATCH] Fix integer underflow
+
+---
+ src/libspf2/spf_compile.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libspf2/spf_compile.c b/src/libspf2/spf_compile.c
+index b08ffe2..d401028 100644
+--- a/src/libspf2/spf_compile.c
++++ b/src/libspf2/spf_compile.c
+@@ -455,7 +455,11 @@ SPF_c_parse_var(SPF_response_t *spf_response, SPF_data_var_t *data,
+ 			/* Magic numbers for x/Nc in gdb. */					\
+ 			data->ds.__unused0 = 0xba; data->ds.__unused1 = 0xbe;	\
+ 			dst = SPF_data_str( data );								\
+-			ds_avail = _avail - sizeof(SPF_data_t);					\
++			if ((_avail) < sizeof(SPF_data_t))						\
++				return SPF_response_add_error_ptr(spf_response,		\
++									SPF_E_BIG_STRING, NULL, src,	\
++								"Out of memory for string literal");\
++			ds_avail = (_avail) - sizeof(SPF_data_t);				\
+ 			ds_len = 0;												\
+ 		} while(0)
+ 
+From faa9e02887e20d37e112c4ce7df34366e4f2fa2f Mon Sep 17 00:00:00 2001
+From: Simon Arlott <sa.me.uk>
+Date: Mon, 2 Oct 2023 19:34:38 +0100
+Subject: [PATCH] Used a fixed size buffer for DNS responses instead of
+ doubling memory use
+
+---
+ src/libspf2/spf_dns_resolv.c | 21 +++------------------
+ 1 file changed, 3 insertions(+), 18 deletions(-)
+
+diff --git a/src/libspf2/spf_dns_resolv.c b/src/libspf2/spf_dns_resolv.c
+index 9dacafe..ec687b8 100644
+--- a/src/libspf2/spf_dns_resolv.c
++++ b/src/libspf2/spf_dns_resolv.c
+@@ -268,7 +268,7 @@ SPF_dns_resolv_lookup(SPF_dns_server_t *spf_dns_server,
+ 	}
+ #endif
+ 
+-	responselen = 2048;
++	responselen = 65536;
+ 	responsebuf = (u_char *)malloc(responselen);
+ 	if (! responsebuf)
+ 		return NULL;	/* NULL always means OOM from DNS lookup. */
+@@ -319,23 +319,8 @@ SPF_dns_resolv_lookup(SPF_dns_server_t *spf_dns_server,
+ 							domain, rr_type, 0, SPF_h_errno);
+ 		}
+ 		else if (dns_len > responselen) {
+-			void	*tmp;
+-			/* We managed a lookup but our buffer was too small. */
+-			responselen = dns_len + (dns_len >> 1);
+-#if 0
+-			/* Sanity-trap - we should never hit this. */
+-			if (responselen > 1048576) {	/* One megabyte. */
+-				free(responsebuf);
+-				return SPF_dns_rr_new_init(spf_dns_server,
+-								domain, rr_type, 0, SPF_h_errno);
+-			}
+-#endif
+-			tmp = realloc(responsebuf, responselen);
+-			if (!tmp) {
+-				free(responsebuf);
+-				return NULL;
+-			}
+-			responsebuf = tmp;
++			free(responsebuf);
++			return NULL;
+ 		}
+ 		else {
+ 			/* We managed a lookup, and our buffer was large enough. */
+From 1bd4c108b63927cd1229760e30936160d050d997 Mon Sep 17 00:00:00 2001
+From: Simon Arlott <sa.me.uk>
+Date: Mon, 2 Oct 2023 19:37:00 +0100
+Subject: [PATCH] Allocate memory for string when the buffer is NULL
+
+These can't ever be NULL but scan-build complains about them.
+---
+ src/libspf2/spf_dns_cache.c | 2 +-
+ src/libspf2/spf_get_exp.c   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libspf2/spf_dns_cache.c b/src/libspf2/spf_dns_cache.c
+index 16c9819..50d2660 100644
+--- a/src/libspf2/spf_dns_cache.c
++++ b/src/libspf2/spf_dns_cache.c
+@@ -327,7 +327,7 @@ SPF_dns_cache_rr_fixup(SPF_dns_cache_config_t *spfhook,
+ 		char	*new_domain;
+ 		size_t	 new_len = strlen(domain) + 1;
+ 
+-		if (cached_rr->domain_buf_len < new_len) {
++		if (cached_rr->domain == NULL || cached_rr->domain_buf_len < new_len) {
+ 			new_domain = realloc(cached_rr->domain, new_len);
+ 			if (new_domain == NULL)
+ 				return SPF_E_NO_MEMORY;
+diff --git a/src/libspf2/spf_get_exp.c b/src/libspf2/spf_get_exp.c
+index f4b5055..4a663e4 100644
+--- a/src/libspf2/spf_get_exp.c
++++ b/src/libspf2/spf_get_exp.c
+@@ -62,7 +62,7 @@ SPF_server_get_default_explanation(SPF_server_t *spf_server,
+ 	}
+ 	else {
+ 		size_t	len = sizeof(SPF_LAME_EXP) + 1;
+-		if (*buflenp < len) {
++		if (*bufp == NULL || *buflenp < len) {
+ 			char	*tmp = realloc(*bufp, len);
+ 			if (tmp == NULL)
+ 				return SPF_E_NO_MEMORY;
+From 36c3af1dcfeb6c987dac00161f2ed57c6a42ed03 Mon Sep 17 00:00:00 2001
+From: Simon Arlott <sa.me.uk>
+Date: Sat, 30 Sep 2023 11:40:47 +0100
+Subject: [PATCH] Use correct integer size for format string
+
+---
+ src/libspf2/spf_compile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libspf2/spf_compile.c b/src/libspf2/spf_compile.c
+index b08ffe2..ba3d804 100644
+--- a/src/libspf2/spf_compile.c
++++ b/src/libspf2/spf_compile.c
+@@ -604,7 +604,7 @@ SPF_c_parse_macro(SPF_server_t *spf_server,
+ 
+ 		default:
+ 			if (spf_server->debug > 3)
+-				SPF_debugf("Adding illegal %%-follower '%c' at %d",
++				SPF_debugf("Adding illegal %%-follower '%c' at %zu",
+ 				src[idx], idx);
+ 			/* SPF spec says to treat it as a literal, not
+ 			 * SPF_E_INVALID_ESC */
diff --git a/libspf2/Pkgfile b/libspf2/Pkgfile
new file mode 100644
index 000000000..e6de7a886
--- /dev/null
+++ b/libspf2/Pkgfile
@@ -0,0 +1,28 @@
+# Description: Sender Policy Framework record checking library
+# URL: https://www.libspf2.org/
+# Maintainer: Tim Biermann, tbier at posteo dot de
+# Depends on: libnsl libmilter
+
+name=libspf2
+version=1.2.11
+release=1
+_commit=8131fe140704eaae695e76b5cd09e39bd1dd220b
+source=(https://github.com/shevek/libspf2/archive/$_commit/$name-$version.tar.gz
+  0001-remove-libreplace-unneeded-on-Linux.patch
+  0002-add-include-string-for-memset.patch
+  CVE-2023-42118-and-other-fixes.patch)
+
+build() {
+  cd $name-$_commit
+
+  patch -Np1 -i $SRC/0001-remove-libreplace-unneeded-on-Linux.patch
+  patch -Np1 -i $SRC/0002-add-include-string-for-memset.patch
+  patch -Np1 -i $SRC/CVE-2023-42118-and-other-fixes.patch
+
+  autoreconf -vfi
+  ./configure --prefix=/usr
+  make
+  make DESTDIR=$PKG install
+
+  rm $PKG/usr/bin/*_static $PKG/usr/bin/spfd $PKG/usr/bin/spf_example $PKG/usr/bin/spftest
+}