Your message dated Sun, 21 Apr 2024 19:24:53 +0000 with message-id <e1ryco1-000e6v...@fasolo.debian.org> and subject line Bug#1068818: fixed in sngrep 1.8.1-1 has caused the Debian Bug report #1068818, regarding sngrep: CVE-2024-3119 CVE-2024-3120 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1068818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068818
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sngrep
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sngrep.

CVE-2024-3119[0]:
| A buffer overflow vulnerability exists in all versions of sngrep
| since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID'
| SIP headers. The functions sip_get_callid and sip_get_xcallid in
| sip.c use the strncpy function to copy header contents into fixed-size
| buffers without checking the data length. This flaw allows
| remote attackers to execute arbitrary code or cause a denial of
| service (DoS) through specially crafted SIP messages.

https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc (v1.8.1)

CVE-2024-3120[1]:
| A stack-buffer overflow vulnerability exists in all versions of
| sngrep since v1.4.1. The flaw is due to inadequate bounds checking
| when copying 'Content-Length' and 'Warning' headers into fixed-size
| buffers in the sip_validate_packet and sip_parse_extra_headers
| functions within src/sip.c. This vulnerability allows remote
| attackers to execute arbitrary code or cause a denial of service
| (DoS) via crafted SIP messages.

https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809 (v1.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3119
    https://www.cve.org/CVERecord?id=CVE-2024-3119
[1] https://security-tracker.debian.org/tracker/CVE-2024-3120
    https://www.cve.org/CVERecord?id=CVE-2024-3120

Please adjust the affected versions in the BTS as needed.
--- End Message ---
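As an added illustration of the bug class the report above describes, and of the check that prevents it (this is not sngrep's code and not the upstream fix linked in the report; the function and buffer names are assumed): a SIP header extractor whose copy bound is the destination size rather than the length taken from the packet, plus a Content-Length parser that avoids the intermediate copy entirely.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>  /* strncasecmp (POSIX) */

/* Locate a header's value (header names are case-insensitive in SIP) and
 * report its length without copying anything. Returns NULL if absent. */
static const char *find_header(const char *msg, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = msg;                 /* p always points at a line start */
    while (p && *p) {
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *end = strpbrk(v, "\r\n");
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* Copy a header value into a fixed-size buffer (dst_size > 0). The bound is the
 * destination size, never the packet-supplied length (the unsafe pattern is
 * strncpy(dst, v, vlen)); an oversized value is rejected and dst left empty. */
bool sip_copy_header(const char *msg, const char *name, char *dst, size_t dst_size)
{
    size_t vlen = 0;
    const char *v = find_header(msg, name, &vlen);
    dst[0] = '\0';
    if (!v || vlen == 0 || vlen >= dst_size) return false;
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
    return true;
}

/* Numeric headers such as Content-Length need no buffer at all: parse in
 * place and range-check. Returns -1 if absent, malformed, negative or too long. */
long sip_content_length(const char *msg)
{
    size_t vlen = 0;
    const char *v = find_header(msg, "Content-Length", &vlen);
    if (!v || vlen == 0 || vlen > 9) return -1;    /* 9 digits: fits in a long */
    char *end;
    long n = strtol(v, &end, 10);
    return (end == v + vlen && n >= 0) ? n : -1;
}
```

A caller that gets `false` back should discard the packet rather than proceed with a truncated value, since a Call-ID that no longer matches the dialog is as useless as a corrupted one.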
--- Begin Message ---
Source: sngrep
Source-Version: 1.8.1-1
Done: Victor Seva <vs...@debian.org>

We believe that the bug you reported is fixed in the latest version of sngrep, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1068...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Victor Seva <vs...@debian.org> (supplier of updated sngrep package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 21 Apr 2024 21:00:43 +0200
Source: sngrep
Architecture: source
Version: 1.8.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Victor Seva <vs...@debian.org>
Closes: 1068818
Changes:
 sngrep (1.8.1-1) unstable; urgency=high
 .
   * New upstream version 1.8.1
   * fixes for CVE-2024-3119 and CVE-2024-3120 (Closes: #1068818)
--- End Message ---