Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003
control -1 tags patch

Hi,

I'm not quite sure which is the preferred form to supply a patch, so I'll attach a `git format-patch` based on my `wip/cve` branch on salsa [0].
If further discussion should be needed before this can be uploaded or the patch in a different form is preferred, please give me a shout.

[0] https://salsa.debian.org/devrtz/sofia-sip/-/tree/wip/cve

-- 
Cheers,
Evangelos

PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19

From 3687228cab738c9819bd82f6e171180e19b50c19 Mon Sep 17 00:00:00 2001
From: Evangelos Ribeiro Tzaras
Date: Sat, 13 Aug 2022 04:24:34 +0200
Subject: [PATCH 1/2] Add patches to fix reported CVEs; add copyright of patches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

closes: bug#1016974, thanks Moritz Mühlenhoff!

For further information see:
- CVE-2022-31001[0]:
- CVE-2022-31002[1]:
- CVE-2022-31003[2]:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31001
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
[1] https://security-tracker.debian.org/tracker/CVE-2022-31002
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
[2] https://security-tracker.debian.org/tracker/CVE-2022-31003
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003
---
 debian/copyright                                 | 18
 .../1003-cve-fix-oob-read-sip_method_d.patch     | 28
 .../1004-cve-fix-oob-read-url_canonize.patch     | 45 +++
 .../1005-cve-fix-heap-overflow-by-two.patch      | 39
 debian/patches/series                            |  3 ++
 5 files changed, 133 insertions(+)
 create mode 100644 debian/patches/1003-cve-fix-oob-read-sip_method_d.patch
 create mode 100644 debian/patches/1004-cve-fix-oob-read-url_canonize.patch
 create mode 100644 debian/patches/1005-cve-fix-heap-overflow-by-two.patch

diff --git a/debian/copyright b/debian/copyright
index e9c3efcf..a6b1642e 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -245,6 +245,24 @@ License-Grant: License: GPL-3+ Reference: debian/copyright +Files: + debian/patches/1003* + debian/patches/1004* + debian/patches/1005* +Copyright: + 2022 Andrey Volk +License-Grant: + This library is free software; + you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License + as published by the Free Software Foundation; + either version 2.1 of the License, + or (at your option) any later version. +License-Grant: + Licensed under LGPL. + See file COPYING. +License: LGPL-2.1+ + License: BSD-3-clause Redistribution and use in source and binary forms, with or without modification, diff --git a/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch b/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch new file mode 100644 index ..d6e12d1d --- /dev/null +++ b/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch @@ -0,0 +1,28 @@ +From: Andrey Volk +Commit: e96b4b89fc37a074bc95fc8fc24bb4b5297048ad +Date: Mon, 18 Apr 2022 17:11:26 +0300 +Subject: Fix Out-of-bound read in sip_method_d + +Bug: https://security-tracker.debian.org/tracker/CVE-2022-31001 +Bug-Debian: https://bugs.debian.org/1016974 + +Last-Update: 2022-08-13 +--- + libsofia-sip-ua/sip/sip_parser.c | 4 + 1 file changed, 4 insertions(+) + +diff --git a/libsofia-sip-ua/sip/sip_parser.c b/libsofia-sip-ua/sip/sip_parser.c +index 3a4593d..b94be9b 100644 +--- a/libsofia-sip-ua/sip/sip_parser.c b/libsofia-sip-ua/sip/sip_parser.c +@@ -413,6 +413,10 @@ sip_method_t sip_method_d(char **ss, char const **return_name) + + #undef MATCH + ++ if (strlen(s) < n) { ++return sip_method_invalid; ++ } ++ + if (IS_NON_WS(s[n])) + /* Unknown method */ + code = sip_method_unknown; diff --git a/debian/patches/1004-cve-fix-oob-read-url_canonize.patch b/debian/patches/1004-cve-fix-oob-read-url_canonize.patch new file mode 100644 index ..46a3b030 --- /dev/null +++ b/debian/patches/1004-cve-fix-oob-read-url_canonize.patch 
@@ -0,0 +1,45 @@ +From: Andrey Volk +Commit: 32a209f00763d4e506ed68ab68ffea3ead9cc8de +Date: Mon, 18 Apr 2022 17:22:55 +0300 +Subject: Fix Out-of-bound read in url_canonize2 and url_canonize3 + +Bug: https://security-tracker.debian.org/tracker/CVE-2022-31002 +Bug-Debian: https://bugs.debian.org/1016974 + +Last-Update: 2022-08-13 +--- + libsofia-sip-ua/url/url.c | 14 -- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/libsofia-sip-ua/url/url.c b/libsofia-sip-ua/url/url.c +index 7df6ab0..b379562 100644 +--- a/libsofia-sip-ua/url/url.c b/libsofia-sip-ua/url/url.c +@@ -364,7 +364,12 @@ char *url_canonize2(char *d, char const * const s, size_t n, + continue; + } + +-h1 = s[i + 1], h2 = s[i + 2]; ++h1 = s[i + 1]; ++if (!h1) { ++*d = '\0'; ++return NULL; ++} ++h2 = s[i + 2]; + + if (!IS_HEX(h1) || !IS_HEX(h2)) { + *d = '\0'; +@@ -422,7 +427,12 @@ char *url_canonize3(char
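Review bot: in the debian/copyright hunk, the new `Files: debian/patches/1003*` stanza carries two `License-Grant:` fields; a deb822 paragraph must not contain a field name more than once, so merge them into a single `License-Grant:` field whose continuation lines hold both the "This library is free software; ..." text and the "Licensed under LGPL. See file COPYING." sentence (or keep only one of the two grants).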
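Review bot: in 1003-cve-fix-oob-read-sip_method_d.patch, `Commit:` is not a DEP-3 header field; record the upstream source as `Origin: upstream, https://github.com/freeswitch/sofia-sip/commit/<id>` and add `Applied-Upstream: 1.13.8`. The id given here (e96b4b89fc37...) also differs from the commit the bug report cites for CVE-2022-31001 (a99804b336d0...), so confirm which upstream commit the backport was taken from and reference that one. The guard itself reads correctly: when `strlen(s) == n`, `s[n]` is the terminator and `IS_NON_WS(s[n])` is false, so only the strictly shorter input is rejected with `sip_method_invalid`.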
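Review bot: in the url_canonize2 hunk of 1004-cve-fix-oob-read-url_canonize.patch, the new check only tests `h1` for NUL and so relies on `s` being NUL-terminated, while the function also receives `size_t n`; confirm that the loop already keeps `i + 2` below `n` (or bound the two reads on it as well) so a non-terminated buffer of length `n` is covered too. As in 1003, the `Commit:` line should be an `Origin:` field, and the id here (32a209f00763...) differs from the commit the report cites for CVE-2022-31002 (51841eb53679...); please reference the commit the backport actually came from.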
Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003
control -1 tags pending

Hi again,

On Thu, 2022-08-11 at 23:52 +0200, Moritz Muehlenhoff wrote:
> On Thu, Aug 11, 2022 at 11:08:49PM +0200, Evangelos Ribeiro Tzaras wrote:
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > ACK.
> > Is there a specific format needed when referencing the CVE?
>
> Not really, just mention them in debian/changelog :-)

alright, so the patches apply cleanly and d/changelog mentions the CVEs (and closes this bug).

> In addition we'll keep security-tracker.debian.org updated when the upload
> reaches unstable.
>
> Once the fix is in unstable (and if there are issues reported after a few
> days) we can sort out an update for bullseye-security.

Sounds good to me!
I think bullseye-security would be great, because I'm certain it is also vulnerable (oldstable potentially too - haven't checked)

-- 
Cheers,
Evangelos

PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19
Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003
On Thu, Aug 11, 2022 at 11:08:49PM +0200, Evangelos Ribeiro Tzaras wrote:
> Hi Moritz,
>
> On Wed, 2022-08-10 at 22:08 +0200, Moritz Mühlenhoff wrote:
> > Source: sofia-sip
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerabilities were published for sofia-sip.
>
> I will try to apply the patches and prepare a release!
>
> > CVE-2022-31001[0]:
> ...
> > CVE-2022-31002[1]:
> ...
> > CVE-2022-31003[2]:
> ...
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> ACK.
> Is there a specific format needed when referencing the CVE?

Not really, just mention them in debian/changelog :-)

In addition we'll keep security-tracker.debian.org updated when the upload
reaches unstable.

Once the fix is in unstable (and if there are issues reported after a few
days) we can sort out an update for bullseye-security.

Cheers,
        Moritz
Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003
Hi Moritz,

On Wed, 2022-08-10 at 22:08 +0200, Moritz Mühlenhoff wrote:
> Source: sofia-sip
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for sofia-sip.

I will try to apply the patches and prepare a release!

> CVE-2022-31001[0]:
...
> CVE-2022-31002[1]:
...
> CVE-2022-31003[2]:
...
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

ACK.
Is there a specific format needed when referencing the CVE?

> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31001
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
> [1] https://security-tracker.debian.org/tracker/CVE-2022-31002
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
> [2] https://security-tracker.debian.org/tracker/CVE-2022-31003
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003
>
> Please adjust the affected versions in the BTS as needed.

Will do once I've checked in some detail.

-- 
Cheers,
Evangelos

PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19
Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003
Source: sofia-sip
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sofia-sip.

CVE-2022-31001[0]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent
| library. Prior to version 1.13.8, an attacker can send a message with evil
| sdp to FreeSWITCH, which may cause a crash. This type of crash may be
| caused by `#define MATCH(s, m) (strncmp(s, m, n = sizeof(m) - 1) == 0)`,
| which will make `n` bigger and trigger out-of-bound access when
| `IS_NON_WS(s[n])`. Version 1.13.8 contains a patch for this issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-79jq-hh82-cv9g
https://github.com/freeswitch/sofia-sip/commit/a99804b336d0e16d26ab7119d56184d2d7110a36 (v1.13.8)

CVE-2022-31002[1]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent
| library. Prior to version 1.13.8, an attacker can send a message with evil
| sdp to FreeSWITCH, which may cause a crash. This type of crash may be
| caused by a URL ending with `%`. Version 1.13.8 contains a patch for this
| issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-g3x6-p824-x6hm
https://github.com/freeswitch/sofia-sip/commit/51841eb53679434a386fb2dcbca925dcc48d58ba (v1.13.8)

CVE-2022-31003[2]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent
| library. Prior to version 1.13.8, when parsing each line of a sdp message,
| `rest = record + 2` will access the memory behind `\0` and cause an
| out-of-bounds write. An attacker can send a message with evil sdp to
| FreeSWITCH, causing a crash or more serious consequence, such as remote
| code execution. Version 1.13.8 contains a patch for this issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8w5j-6g2j-pxcp
https://github.com/freeswitch/sofia-sip/commit/907f2ac0ee504c93ebfefd676b4632a3575908c9 (v1.13.8)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31001
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
[1] https://security-tracker.debian.org/tracker/CVE-2022-31002
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
[2] https://security-tracker.debian.org/tracker/CVE-2022-31003
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003

Please adjust the affected versions in the BTS as needed.
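The three advisories above share one defect class: a parser that indexes past the NUL terminator of attacker-supplied text. As an added illustration (not sofia-sip's code, nor Debian's patches), the C below rebuilds each pattern on constructed input with the corresponding guard in place: a MATCH-style method matcher whose side effect on `n` is bounded by a `strlen()` check (CVE-2022-31001), a percent-decoder that tests the first hex digit for NUL before reading the second (CVE-2022-31002), and an SDP record accessor that refuses `record + 2` on a record shorter than "x=" (CVE-2022-31003). The function names, the `enum method` values and the small method table are hypothetical; the real `sip_method_d()`, `url_canonize2()` and SDP parser differ in detail.

```c
/* Added example, not sofia-sip code: the three bounds checks behind the
 * advisories for CVE-2022-31001/31002/31003 on constructed input.
 * Function and enum names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum method {
    METHOD_INVALID = -1,   /* input shorter than the literal last compared */
    METHOD_UNKNOWN = 0,
    METHOD_INVITE,
    METHOD_ACK,
    METHOD_BYE
};

/* Same shape as the MATCH macro quoted in the advisory: strncmp() stops at
 * NUL, so the comparison is safe, but as a side effect n is left at
 * sizeof(m) - 1 no matter how long s actually is. */
#define MATCH(s, m) (strncmp((s), (m), n = sizeof(m) - 1) == 0)
#define IS_NON_WS(c) ((c) != '\0' && !isspace((unsigned char)(c)))

/* Classify the method token at the start of s (CVE-2022-31001 pattern). */
enum method method_d(const char *s)
{
    size_t n = 0;
    enum method code;

    if (MATCH(s, "INVITE"))   code = METHOD_INVITE;
    else if (MATCH(s, "ACK")) code = METHOD_ACK;
    else if (MATCH(s, "BYE")) code = METHOD_BYE;
    else                      code = METHOD_UNKNOWN;  /* n == 3 from "BYE" */

    /* The guard from the 1003 patch. For s = "B", n is 3 but the buffer
     * holds one byte plus its terminator, so s[n] below would read past
     * its end. strlen(s) == n is fine: s[n] is then the NUL itself. */
    if (strlen(s) < n)
        return METHOD_INVALID;

    if (IS_NON_WS(s[n]))   /* e.g. "INVITEX": the token continues */
        code = METHOD_UNKNOWN;

    return code;
}

static int hexval(char c)   /* only called after isxdigit() succeeded */
{
    return c <= '9' ? c - '0' : (c | 0x20) - 'a' + 10;
}

/* Decode %XX escapes from s into d, which must hold strlen(s) + 1 bytes.
 * Returns d, or NULL on a malformed escape (CVE-2022-31002 pattern). */
char *percent_decode(char *d, const char *s)
{
    size_t i, j = 0;

    for (i = 0; s[i] != '\0'; i++) {
        char h1, h2;

        if (s[i] != '%') {
            d[j++] = s[i];
            continue;
        }
        /* Fetching h1 = s[i+1], h2 = s[i+2] together is the unguarded form:
         * for a URL ending in "%", s[i+1] is the terminator and s[i+2] lies
         * one byte beyond it, so h1 is checked on its own first. */
        h1 = s[i + 1];
        if (h1 == '\0') {
            d[0] = '\0';
            return NULL;
        }
        h2 = s[i + 2];   /* at worst the terminator, which fails isxdigit() */
        if (!isxdigit((unsigned char)h1) || !isxdigit((unsigned char)h2)) {
            d[0] = '\0';
            return NULL;
        }
        d[j++] = (char)(hexval(h1) * 16 + hexval(h2));
        i += 2;
    }
    d[j] = '\0';
    return d;
}

/* Wrapper so a caller can check a decode result without managing the
 * output buffer; returns 1 when s decodes exactly to expected. */
int decodes_to(const char *s, const char *expected)
{
    char buf[256];

    if (strlen(s) >= sizeof buf)
        return 0;
    return percent_decode(buf, s) != NULL && strcmp(buf, expected) == 0;
}

/* Value part of an SDP "x=value" record, or NULL when the record is too
 * short to have one (CVE-2022-31003 pattern: on a one-byte record,
 * record + 2 points past the terminator). */
const char *sdp_record_value(const char *record)
{
    if (record[0] == '\0' || record[1] != '=')
        return NULL;
    return record + 2;
}

int main(void)
{
    printf("method_d(\"B\") -> %d (METHOD_INVALID is -1)\n", method_d("B"));
    printf("\"a%%41b\" decodes to \"aAb\": %d\n", decodes_to("a%41b", "aAb"));
    printf("\"abc%%\" -> %s\n", decodes_to("abc%", "") ? "decoded" : "rejected");
    printf("sdp_record_value(\"v\") -> %s\n", sdp_record_value("v") ? "value" : "NULL");
    return 0;
}
```

The tell-tale in all three cases is an index computed from something other than the input's own length (the length of a literal, a fixed `+ 2`), which is why a fuzzer feeding truncated tokens, a bare trailing `%`, or one-character SDP lines finds them quickly; each guard above simply re-ties the index to the terminator.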