Package: libosip2 Version: 4.1.0-2 Severity: normal Tags: patch pending Dear maintainer,
I've prepared an NMU for libosip2 (versioned as 4.1.0-2.1) and uploaded it to DELAYED/3. Please feel free to tell me if I should delay it longer. Regards. --
diff -Nru libosip2-4.1.0/debian/changelog libosip2-4.1.0/debian/changelog
--- libosip2-4.1.0/debian/changelog 2014-06-25 07:55:15.000000000 -0400
+++ libosip2-4.1.0/debian/changelog 2017-04-14 16:23:31.000000000 -0400
@@ -1,3 +1,23 @@
+libosip2 (4.1.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-10324: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
+ can lead to a heap buffer overflow in the osip_clrncpy() function
+ defined in osipparser2/osip_port.c.
+ * CVE-2016-10325: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
+ can lead to a heap buffer overflow in the _osip_message_to_str()
+ function defined in osipparser2/osip_message_to_str.c, resulting in a
+ remote DoS.
+ * CVE-2016-10326: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
+ can lead to a heap buffer overflow in the osip_body_to_str() function
+ defined in osipparser2/osip_body.c, resulting in a remote DoS.
+ * CVE-2017-7853: In libosip2 in GNU oSIP 5.0.0, a malformed SIP message
+ can lead to a heap buffer overflow in the msg_osip_body_parse()
+ function defined in osipparser2/osip_message_parse.c, resulting in a
+ remote DoS.
+
+ -- Antoine Beaupré <anar...@debian.org> Fri, 14 Apr 2017 16:21:21 -0400
+
 libosip2 (4.1.0-2) unstable; urgency=low
 
 * Upload to unstable - coordinated through debian-release
diff -Nru libosip2-4.1.0/debian/patches/CVE-2016-10324.patch libosip2-4.1.0/debian/patches/CVE-2016-10324.patch
--- libosip2-4.1.0/debian/patches/CVE-2016-10324.patch 1969-12-31 19:00:00.000000000 -0500
+++ libosip2-4.1.0/debian/patches/CVE-2016-10324.patch 2017-04-14 16:26:51.000000000 -0400
@@ -0,0 +1,24 @@
+From 7e0793e15e21f68337e130c67b031ca38edf055f Mon Sep 17 00:00:00 2001
+From: Aymeric Moizard <amoiz...@gmail.com>
+Date: Mon, 5 Sep 2016 15:01:53 +0200
+Subject: * fix bug report: sr #109133: Heap buffer overflow in utility
+ function *osip_clrncpy* https://savannah.gnu.org/support/?109133
+
+---
+ src/osipparser2/osip_port.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/src/osipparser2/osip_port.c
++++ b/src/osipparser2/osip_port.c
+@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
+ char *p;
+ size_t spaceless_length;
+
+- if (src == NULL)
++ if (src == NULL || len == 0) {
++ *dst = '\0';
+ return NULL;
++ }
+
+ /* find the start of relevant text */
+ pbeg = src;
diff -Nru libosip2-4.1.0/debian/patches/CVE-2016-10325.patch libosip2-4.1.0/debian/patches/CVE-2016-10325.patch
--- libosip2-4.1.0/debian/patches/CVE-2016-10325.patch 1969-12-31 19:00:00.000000000 -0500
+++ libosip2-4.1.0/debian/patches/CVE-2016-10325.patch 2017-04-14 16:26:54.000000000 -0400
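Review bot: The merged condition `if (src == NULL || len == 0)` now stores `*dst = '\0'` before returning in the src == NULL case too, which the original early return never did, so a caller passing src == NULL together with a NULL or zero-sized dst gets a write it did not get before. Keeping the two cases apart preserves the old contract for the first one: `if (src == NULL) return NULL;` followed by `if (len == 0) { if (dst != NULL) *dst = '\0'; return NULL; }`. This new path also returns NULL rather than dst; if the other paths of the function return dst, as its name suggests, callers should be checked for how they treat a NULL result on an otherwise valid call. The body of osip_clrncpy continues outside the hunk.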
@@ -0,0 +1,26 @@
+From 1d9fb1d3a71cc85ef95352e549b140c706cf8696 Mon Sep 17 00:00:00 2001
+From: Aymeric Moizard <amoiz...@gmail.com>
+Date: Sat, 3 Sep 2016 15:29:34 +0200
+Subject: * fix bug report: sr #109131: Heap buffer overflow in
+ `_osip_message_to_str` https://savannah.gnu.org/support/?109131
+
+---
+ src/osipparser2/osip_message_to_str.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/src/osipparser2/osip_message_to_str.c
++++ b/src/osipparser2/osip_message_to_str.c
+@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
+ /* A start-line isn't required for message/sipfrag parts. */
+ }
+ else {
++ size_t message_len = strlen(tmp);
++ if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
++ osip_free (tmp);
++ *dest = NULL;
++ return OSIP_NOMEM;
++ }
++
+ message = osip_str_append (message, tmp);
+ osip_free (tmp);
+ message = osip_strn_append (message, CRLF, 2);
diff -Nru libosip2-4.1.0/debian/patches/CVE-2016-10326.patch libosip2-4.1.0/debian/patches/CVE-2016-10326.patch
--- libosip2-4.1.0/debian/patches/CVE-2016-10326.patch 1969-12-31 19:00:00.000000000 -0500
+++ libosip2-4.1.0/debian/patches/CVE-2016-10326.patch 2017-04-14 16:26:56.000000000 -0400
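Review bot: The failure branch of the new `_osip_message_realloc` call sets `*dest = NULL` without releasing the buffer that *dest pointed to; unless _osip_message_realloc frees it itself on failure, which this hunk does not show, the partially built message leaks on every out-of-memory return. The size argument also deserves a comment so the constant is not a mystery to the next reader: `size_t message_len = strlen(tmp); /* start-line + CRLF + terminating NUL */` explains the `+ 3`. _osip_message_to_str starts and ends outside the hunk, so whether other exits of the function free *dest cannot be compared here.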
@@ -0,0 +1,27 @@
+From b9dd097b5b24f5ee54b0a8739e59641cd51b6ead Mon Sep 17 00:00:00 2001
+From: Aymeric Moizard <amoiz...@gmail.com>
+Date: Sat, 3 Sep 2016 15:58:06 +0200
+Subject: * fix bug report: sr #109132: Heap buffer overflow in
+ *osip_body_to_str* https://savannah.gnu.org/support/index.php?109132
+
+---
+ src/osipparser2/osip_body.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/osipparser2/osip_body.c
++++ b/src/osipparser2/osip_body.c
+@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
+ }
+
+ if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
++ if (length < tmp_body - ptr + 3) {
++ size_t len;
++
++ len = tmp_body - ptr;
++ length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
++ ptr = osip_realloc (ptr, length);
++ tmp_body = ptr + len;
++ }
+ tmp_body = osip_strn_append (tmp_body, CRLF, 2);
+ }
+ if (length < tmp_body - ptr + body->length + 4) {
diff -Nru libosip2-4.1.0/debian/patches/CVE-2017-7853.patch libosip2-4.1.0/debian/patches/CVE-2017-7853.patch
--- libosip2-4.1.0/debian/patches/CVE-2017-7853.patch 1969-12-31 19:00:00.000000000 -0500
+++ libosip2-4.1.0/debian/patches/CVE-2017-7853.patch 2017-04-14 16:26:59.000000000 -0400
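Review bot: The `ptr = osip_realloc (ptr, length)` added inside the new guard is unchecked: on allocation failure ptr becomes NULL, `tmp_body = ptr + len` is derived from it, the following `osip_strn_append (tmp_body, CRLF, 2)` writes through that pointer, and the previous buffer is lost. The result should go into a temporary, with the old buffer freed and the function's no-memory code returned on failure (the companion _osip_message_to_str patch on this page uses OSIP_NOMEM for the same situation). The `if (length < tmp_body - ptr + body->length + 4)` block that follows presumably grows the buffer the same way, but it lies outside the hunk, as does the rest of osip_body_to_str, so whether ptr has already been stored in *dest at this point cannot be confirmed here; the fence assumes it has not.
```c
      /* … unchanged: len and length computation … */
      {
        char *grown = osip_realloc (ptr, length);
        if (grown == NULL) {
          osip_free (ptr); /* assumes ptr is not yet published through *dest — confirm against the rest of the function */
          return OSIP_NOMEM;
        }
        ptr = grown;
      }
      tmp_body = ptr + len;
```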
@@ -0,0 +1,26 @@
+From 1ae06daf3b2375c34af23083394a6f010be24a45 Mon Sep 17 00:00:00 2001
+From: Aymeric Moizard <amoiz...@gmail.com>
+Date: Tue, 21 Feb 2017 17:16:26 +0100
+Subject: * fix bug report: sr #109265: SIP message body length underflow in
+ libosip2-4.1.0 https://savannah.gnu.org/support/?109265 also applicable
+ to current latest version
+
+---
+ src/osipparser2/osip_message_parse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/src/osipparser2/osip_message_parse.c
++++ b/src/osipparser2/osip_message_parse.c
+@@ -812,6 +812,12 @@ msg_osip_body_parse (osip_message_t * si
+ if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
+ start_of_body++;
+
++ /* if message body is empty or contains a single CR/LF */
++ if (end_of_body <= start_of_body) {
++ osip_free (sep_boundary);
++ return OSIP_SYNTAXERROR;
++ }
++
+ body_len = end_of_body - start_of_body;
+
+ /* Skip CR before end boundary. */
diff -Nru libosip2-4.1.0/debian/patches/series libosip2-4.1.0/debian/patches/series
--- libosip2-4.1.0/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ libosip2-4.1.0/debian/patches/series 2017-04-14 16:21:03.000000000 -0400
@@ -0,0 +1,4 @@
+CVE-2016-10324.patch
+CVE-2016-10325.patch
+CVE-2016-10326.patch
+CVE-2017-7853.patch
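Review bot: The comment on the new guard describes the input shape but not why it is rejected; the reason is visible on the next line, where `body_len = end_of_body - start_of_body` would wrap to a huge value once the CR/LF skips above have moved start_of_body past end_of_body. Suggest replacing it with `/* the CR/LF skips can move start_of_body to or past end_of_body; body_len would wrap */`. Whether sep_boundary is the only allocation live at this exit, and whether the skip reads `start_of_body[0]` only while start_of_body is still before end_of_body, cannot be checked from the hunk, since msg_osip_body_parse starts and ends outside it.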