Bug 1185471 - /usr/lib/python2.7/site-packages/spf.py crashes on IPv6 addresses
Summary: /usr/lib/python2.7/site-packages/spf.py crashes on IPv6 addresses
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: python-pyspf
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On: 1208811
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-23 20:51 UTC by Peter Bieringer
Modified: 2017-11-16 15:49 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-11-16 15:49:09 UTC


Attachments (Terms of Use)

Description Peter Bieringer 2015-01-23 20:51:04 UTC
Description of problem:
While working for IPv4 the spf.py has issues with IPv6

Version-Release number of selected component (if applicable):
python-pyspf-2.0.8-2.el7.noarch
also tested spf.py version 2.0.11 from upstream

How reproducible:
always

Steps to Reproduce:

cat <<END | /usr/libexec/postfix/policyd-spf
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=client.domain.example
queue_id=8045F2AB23
instance=12345.6789
sender=pb@bieringer.de
recipient=pb@bieringer.biz
client_address=2001:a60:143c:4501:0000:1234:5678:9abc
client_name=client.domain.example

END


Actual results:
Traceback (most recent call last):
  File "/usr/libexec/postfix/policyd-spf", line 680, in <module>
    instance_dict, configData, peruser)
  File "/usr/libexec/postfix/policyd-spf", line 517, in _spfcheck
    res = spf.check2(ip, sender, helo, querytime=configData.get('Lookup_Time'))
  File "/usr/lib/python2.7/site-packages/spf.py", line 297, in check2
    receiver=receiver,timeout=timeout,verbose=verbose,querytime=querytime).check()
  File "/usr/lib/python2.7/site-packages/spf.py", line 547, in check
    rc = self.check1(spf, self.d, 0)
  File "/usr/lib/python2.7/site-packages/spf.py", line 586, in check1
    return self.check0(spf, recursion)
  File "/usr/lib/python2.7/site-packages/spf.py", line 900, in check0
    if self.cidrmatch(self.dns_mx(arg), cidrlength):
  File "/usr/lib/python2.7/site-packages/spf.py", line 1194, in dns_mx
    return [a for mx in mxnames[:max] for a in self.dns_a(mx[1],self.A)]
  File "/usr/lib/python2.7/site-packages/spf.py", line 1206, in dns_a
    return [ipaddress.Bytes(ip) for ip in r]
AttributeError: 'module' object has no attribute 'Bytes'


Probably the in the code mentioned workaround is broken:

        if A == 'AAAA' and bytes is str:
          # work around pydns inconsistency plus python2 bytes/str ambiguity
          return [ipaddress.Bytes(ip) for ip in r]
        return r

Expected results:
Proper working as for IPv4


Additional Information:

SPF record for bieringer.de was validated using http://www.kitterman.com/spf/validate.html and is currently:

v=spf1 ip4:85.214.252.130 ip4:85.214.250.30 ip6:2001:a60:9002::/48 ip6:2001:4dd0:ff00:834::2 ip6:2a01:238:423d:8800:85b3:9e6b:3019:8909 ip4:85.214.150.73 ip4:85.214.153.25 ip6:2a01:238:4281:8600:812a:5915:8d24:58f3 mx -all


# dig +short MX bieringer.de
10 st1.bieringer.de.

# dig +short AAAA st1.bieringer.de
2a01:238:423d:8800:85b3:9e6b:3019:8909
2001:4dd0:ff00:834::2

# dig +short A st1.bieringer.de
85.214.252.130

Comment 1 Peter Bieringer 2015-01-25 22:56:35 UTC
after some investigations it looks like the code was not proper tested with 

# rpm -q python-ipaddr.noarch
python-ipaddr-2.1.9-5.el7.noarch
(which is included in the base repo)

and is included by

try:
    # Python standard libarary as of python3.3
    import ipaddress
except ImportError:
    try:
        import ipaddr as ipaddress
    except ImportError:
        print('ipaddr module required: http://code.google.com/p/ipaddr-py/')

the python-ipaddr has simply no method for Bytes() included

Python on CentOS7 is 2.7

A short test with pyspf-2.0.7.tar.gz shows that this version is working...so either RPM needs to be downgraded to lower version or code must be fixed somehow to get the consistency back.

Comment 2 Peter Bieringer 2015-01-27 05:47:35 UTC
Same issue with 2.0.11 which was pushed to EPEL now:

# LC_ALL=C rpm -qa --last|grep pyspf
python-pyspf-2.0.11-1.el7.noarch              Tue Jan 27 00:02:18 2015

# rpm -V python-pyspf
(no output)

    return [ipaddress.Bytes(ip) for ip in r]
AttributeError: 'module' object has no attribute 'Bytes'

Comment 3 George Notaras 2015-04-03 09:41:44 UTC
The problem is with python-ipaddr. I rebuilt the current rawhide package (2.1.10-2) for CentOS 7 and I confirm it resolves the issue.

Also monitor #1208811 and update this this issue accordingly.

Comment 4 George Notaras 2017-01-17 22:42:51 UTC
According to my experiments, the solution to this problem involves the following steps:

1. Completely removing the python-ipaddress package from the system.
2. Upgrading python-ipaddr to version 2.1.10 or newer.

pyspf does not work correctly with python-ipaddress under Python 2. I also had problems with some scripts of mine which tried to use this module under Python 2.

Instead, everything works fine with the python-ipaddr module, which by the way seems to have the same internal api as the ipaddress module.

Under the current conditions, the removal of the python-ipaddress package and the addition of an exclusion about it in yum.conf, so as to prevent it from being installed as a dependency by some other package, seems to be the way to go.

Comment 5 Dimitris 2017-04-22 07:50:59 UTC
Hello,

I hit this bug with both CentOS 7.3 and Fedora 25, while running SPF checks with policyd-spf.

For example, running the following under both CentOS and Fedora causes a Traceback:

python /usr/lib/python2.7/site-packages/spf.py 2600:3c00::f03c:91ff:fedf:57ab forum-admin@linode.com mail2.linode.com


Apparently, the python-ipaddr-2.1.9-5.el7.noarch package in CentOS 7.3 is too old and causes the Traceback, as already reported by others.

I found another relevant bug report here:
https://bugzilla.redhat.com/show_bug.cgi?id=1417701

But so far there has been no fix in EPEL.


The fix for Fedora 25 is slightly different, because it uses the python-ipaddress package, which is an entirely different thing.

Comment 6 Fabian Arrotin 2017-04-22 07:58:29 UTC
Dimitris : as we had the same issue for CentOS infra , I built and deployed an updated version of python-ipaddr : https://cbs.centos.org/koji/packageinfo?packageID=5152
That's what we use currently (even on our CentOS 6 nodes that do SPF checks)

Hope that it helps

Comment 7 Fedora Update System 2017-10-30 16:57:26 UTC
python-pyspf-2.0.11-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-aded0ed528

Comment 8 Fedora Update System 2017-10-31 02:35:43 UTC
pypolicyd-spf-1.3.2-3.el7 python-pyspf-2.0.11-4.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-aded0ed528

Comment 9 Fedora Update System 2017-11-01 17:13:10 UTC
pypolicyd-spf-1.3.2-3.el7, python-pyspf-2.0.11-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-aded0ed528

Comment 10 Fedora Update System 2017-11-01 19:28:06 UTC
pypolicyd-spf-1.3.2-5.el7 python-pyspf-2.0.11-5.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-aded0ed528

Comment 11 Fedora Update System 2017-11-03 14:10:56 UTC
pypolicyd-spf-1.3.2-5.el7, python-pyspf-2.0.11-5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-aded0ed528

Comment 12 Fedora Update System 2017-11-16 15:49:09 UTC
pypolicyd-spf-1.3.2-5.el7, python-pyspf-2.0.11-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.