Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003

2022-08-13 Thread Evangelos Ribeiro Tzaras
control -1 tags patch


Hi,

I'm not quite sure which is the preferred form to supply a patch,
so I'll attach a `git format-patch` based on my `wip/cve` branch on salsa [0].
If further discussion should be needed before this can be uploaded,
or if the patch is preferred in a different form, please give me a shout.

[0] https://salsa.debian.org/devrtz/sofia-sip/-/tree/wip/cve



-- 
Cheers,

Evangelos
PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19
From 3687228cab738c9819bd82f6e171180e19b50c19 Mon Sep 17 00:00:00 2001
From: Evangelos Ribeiro Tzaras 
Date: Sat, 13 Aug 2022 04:24:34 +0200
Subject: [PATCH 1/2] Add patches to fix reported CVEs; add copyright of
 patches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

closes: bug#1016974, thanks Moritz Mühlenhoff!

For further information see:

- CVE-2022-31001[0]:
- CVE-2022-31002[1]:
- CVE-2022-31003[2]:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
[1] https://security-tracker.debian.org/tracker/CVE-2022-31002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
[2] https://security-tracker.debian.org/tracker/CVE-2022-31003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003
---
 debian/copyright  | 18 
 .../1003-cve-fix-oob-read-sip_method_d.patch  | 28 
 .../1004-cve-fix-oob-read-url_canonize.patch  | 45 +++
 .../1005-cve-fix-heap-overflow-by-two.patch   | 39 
 debian/patches/series |  3 ++
 5 files changed, 133 insertions(+)
 create mode 100644 debian/patches/1003-cve-fix-oob-read-sip_method_d.patch
 create mode 100644 debian/patches/1004-cve-fix-oob-read-url_canonize.patch
 create mode 100644 debian/patches/1005-cve-fix-heap-overflow-by-two.patch

diff --git a/debian/copyright b/debian/copyright
index e9c3efcf..a6b1642e 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -245,6 +245,24 @@ License-Grant:
 License: GPL-3+
 Reference: debian/copyright
 
+Files:
+ debian/patches/1003*
+ debian/patches/1004*
+ debian/patches/1005*
+Copyright:
+  2022  Andrey Volk 
+License-Grant:
+ This library is free software;
+ you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License
+ as published by the Free Software Foundation;
+ either version 2.1 of the License,
+ or (at your option) any later version.
+License-Grant:
+ Licensed under LGPL.
+ See file COPYING.
+License: LGPL-2.1+
+
 License: BSD-3-clause
  Redistribution and use in source and binary forms,
  with or without modification,
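Review bot: the new stanza repeats the `License-Grant:` field (once before `This library is free software;` and again before `Licensed under LGPL.`); the deb822 paragraph format used by debian/copyright does not allow the same field name twice in one paragraph, so fold both grant texts into a single `License-Grant:` field (or move the shorter one into a `Comment:` field) before upload.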
diff --git a/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch b/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch
new file mode 100644
index ..d6e12d1d
--- /dev/null
+++ b/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch
@@ -0,0 +1,28 @@
+From: Andrey Volk 
+Commit: e96b4b89fc37a074bc95fc8fc24bb4b5297048ad
+Date: Mon, 18 Apr 2022 17:11:26 +0300
+Subject: Fix Out-of-bound read in sip_method_d
+
+Bug: https://security-tracker.debian.org/tracker/CVE-2022-31001
+Bug-Debian: https://bugs.debian.org/1016974
+
+Last-Update: 2022-08-13
+---
+ libsofia-sip-ua/sip/sip_parser.c | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsofia-sip-ua/sip/sip_parser.c b/libsofia-sip-ua/sip/sip_parser.c
+index 3a4593d..b94be9b 100644
+--- a/libsofia-sip-ua/sip/sip_parser.c
 b/libsofia-sip-ua/sip/sip_parser.c
+@@ -413,6 +413,10 @@ sip_method_t sip_method_d(char **ss, char const **return_name)
+ 
+ #undef MATCH
+ 
++  if (strlen(s) < n) {
++return sip_method_invalid;
++  }
++
+   if (IS_NON_WS(s[n]))
+ /* Unknown method */
+ code = sip_method_unknown;
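Review bot: the `Commit:` header names e96b4b89fc37a074bc95fc8fc24bb4b5297048ad, while the bug report below cites a99804b336d0e16d26ab7119d56184d2d7110a36 as the upstream fix for CVE-2022-31001; confirm both ids refer to the same change, and since `Commit:` is not a DEP-3 field, record the upstream commit URL in an `Origin: upstream, <url>` header instead. The code change itself is sound: `if (strlen(s) < n) return sip_method_invalid;` runs after `#undef MATCH` and before `IS_NON_WS(s[n])`, so an input shorter than the last method literal compared by MATCH is rejected rather than indexed past its terminator.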
diff --git a/debian/patches/1004-cve-fix-oob-read-url_canonize.patch b/debian/patches/1004-cve-fix-oob-read-url_canonize.patch
new file mode 100644
index ..46a3b030
--- /dev/null
+++ b/debian/patches/1004-cve-fix-oob-read-url_canonize.patch
@@ -0,0 +1,45 @@
+From: Andrey Volk 
+Commit: 32a209f00763d4e506ed68ab68ffea3ead9cc8de
+Date: Mon, 18 Apr 2022 17:22:55 +0300
+Subject: Fix Out-of-bound read in url_canonize2 and url_canonize3
+
+Bug: https://security-tracker.debian.org/tracker/CVE-2022-31002
+Bug-Debian: https://bugs.debian.org/1016974
+
+Last-Update: 2022-08-13
+---
+ libsofia-sip-ua/url/url.c | 14 --
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libsofia-sip-ua/url/url.c b/libsofia-sip-ua/url/url.c
+index 7df6ab0..b379562 100644
+--- a/libsofia-sip-ua/url/url.c
 b/libsofia-sip-ua/url/url.c
+@@ -364,7 +364,12 @@ char *url_canonize2(char *d, char const * const s, size_t n,
+   continue;
+ }
+ 
+-h1 = s[i + 1], h2 = s[i + 2];
++h1 = s[i + 1];
++if (!h1) {
++*d = '\0';
++return NULL;
++}
++h2 = s[i + 2];
+ 
+ if (!IS_HEX(h1) || !IS_HEX(h2)) {
+   *d = '\0';
+@@ -422,7 +427,12 @@ char *url_canonize3(char 
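Review bot: same header issue as the previous patch: `Commit:` 32a209f00763d4e506ed68ab68ffea3ead9cc8de differs from 51841eb53679434a386fb2dcbca925dcc48d58ba cited in the report for CVE-2022-31002 and belongs in a DEP-3 `Origin:` field. In the url_canonize2 hunk, testing `h1` before loading `h2` is sufficient: when `s[i + 1]` is not the terminator, `s[i + 2]` is at most the terminator, which the existing `!IS_HEX(h1) || !IS_HEX(h2)` check directly below rejects; the new `*d = '\0'; return NULL;` mirrors that existing failure path. The url_canonize3 hunk is cut off in this archived copy immediately after its `@@ -422,7 +427,12 @@` header, so that part of the change cannot be reviewed here.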

Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003

2022-08-12 Thread Evangelos Ribeiro Tzaras
control -1 tags pending

Hi again,

On Thu, 2022-08-11 at 23:52 +0200, Moritz Muehlenhoff wrote:
> On Thu, Aug 11, 2022 at 11:08:49PM +0200, Evangelos Ribeiro Tzaras wrote:
> > 
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > ACK.
> > Is there a specific format needed when referencing the CVE?
> 
> Not really, just mention them in debian/changelog :-)

Alright, so the patches apply cleanly and
d/changelog mentions the CVEs (and closes this bug).

> In addition we'll keep security-tracker.debian.org updated when the upload
> reaches unstable.
> 
> Once the fix is in unstable (and if there are issues reported after a few
> days) we can sort out an update for bullseye-security.

Sounds good to me! I think bullseye-security would be great, 
because I'm certain it is also vulnerable 
(oldstable potentially too - haven't checked)


-- 
Cheers,

Evangelos
PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19




Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003

2022-08-11 Thread Moritz Muehlenhoff
On Thu, Aug 11, 2022 at 11:08:49PM +0200, Evangelos Ribeiro Tzaras wrote:
> Hi Moritz,
> 
> On Wed, 2022-08-10 at 22:08 +0200, Moritz Mühlenhoff wrote:
> > Source: sofia-sip
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerabilities were published for sofia-sip.
> 
> I will try to apply the patches and prepare a release!
> 
> > CVE-2022-31001[0]:
> ...
> > CVE-2022-31002[1]:
> ...
> > CVE-2022-31003[2]:
> ...
> > 
> 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> ACK.
> Is there a specific format needed when referencing the CVE?

Not really, just mention them in debian/changelog :-)

In addition we'll keep security-tracker.debian.org updated when the upload 
reaches unstable.

Once the fix is in unstable (and if there are issues reported after a few
days) we can sort out an update for bullseye-security.

Cheers,
Moritz



Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003

2022-08-11 Thread Evangelos Ribeiro Tzaras
Hi Moritz,

On Wed, 2022-08-10 at 22:08 +0200, Moritz Mühlenhoff wrote:
> Source: sofia-sip
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for sofia-sip.

I will try to apply the patches and prepare a release!

> CVE-2022-31001[0]:
...
> CVE-2022-31002[1]:
...
> CVE-2022-31003[2]:
...
> 

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

ACK.
Is there a specific format needed when referencing the CVE?

> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31001
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
> [1] https://security-tracker.debian.org/tracker/CVE-2022-31002
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
> [2] https://security-tracker.debian.org/tracker/CVE-2022-31003
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003


> Please adjust the affected versions in the BTS as needed.

Will do once I've checked in some detail.

-- 
Cheers,

Evangelos
PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19




Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003

2022-08-10 Thread Moritz Mühlenhoff
Source: sofia-sip
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sofia-sip.

CVE-2022-31001[0]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-
| Agent library. Prior to version 1.13.8, an attacker can send a message
| with evil sdp to FreeSWITCH, which may cause crash. This type of crash
| may be caused by `#define MATCH(s, m) (strncmp(s, m, n = sizeof(m) -
| 1) == 0)`, which will make `n` bigger and trigger out-of-bound access
| when `IS_NON_WS(s[n])`. Version 1.13.8 contains a patch for this
| issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-79jq-hh82-cv9g
https://github.com/freeswitch/sofia-sip/commit/a99804b336d0e16d26ab7119d56184d2d7110a36
 (v1.13.8)

CVE-2022-31002[1]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-
| Agent library. Prior to version 1.13.8, an attacker can send a message
| with evil sdp to FreeSWITCH, which may cause a crash. This type of
| crash may be caused by a URL ending with `%`. Version 1.13.8 contains
| a patch for this issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-g3x6-p824-x6hm
https://github.com/freeswitch/sofia-sip/commit/51841eb53679434a386fb2dcbca925dcc48d58ba
 (v1.13.8)

CVE-2022-31003[2]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-
| Agent library. Prior to version 1.13.8, when parsing each line of a
| sdp message, `rest = record + 2` will access the memory behind `\0`
| and cause an out-of-bounds write. An attacker can send a message with
| evil sdp to FreeSWITCH, causing a crash or more serious consequence,
| such as remote code execution. Version 1.13.8 contains a patch for
| this issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8w5j-6g2j-pxcp
https://github.com/freeswitch/sofia-sip/commit/907f2ac0ee504c93ebfefd676b4632a3575908c9
 (v1.13.8)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
[1] https://security-tracker.debian.org/tracker/CVE-2022-31002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
[2] https://security-tracker.debian.org/tracker/CVE-2022-31003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003

Please adjust the affected versions in the BTS as needed.
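The CVE-2022-31001 description above quotes the `MATCH` macro; the following is an added example, not sofia-sip code, that models the shape of `sip_method_d()` with that macro and the length check upstream added before `IS_NON_WS(s[n])`. The method set, the `IS_NON_WS`/`IS_TOKEN` definitions and the `method_d`/`method_of` names are simplifications chosen for this illustration.

```c
/* Added example, not sofia-sip code: a minimal model of sip_method_d() showing
 * why the MATCH macro from the advisory needs a length check (CVE-2022-31001).
 * Method set, IS_NON_WS and IS_TOKEN are simplified for illustration. */
#include <string.h>

enum method { METHOD_INVALID = -1, METHOD_UNKNOWN = 0, METHOD_INFO, METHOD_INVITE, METHOD_ACK };

#define IS_NON_WS(c) ((c) != ' ' && (c) != '\t' && (c) != '\r' && (c) != '\n' && (c) != '\0')
#define IS_TOKEN(c)  (((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z') || ((c) >= '0' && (c) <= '9'))

/* As quoted on the page: compares against a literal and records that literal's
 * length in n. After a failed chain of MATCHes, n holds the length of the LAST literal tried. */
#define MATCH(s, m) (strncmp((s), (m), n = sizeof(m) - 1) == 0)

/* Parses the method token at *ss and advances *ss past it; METHOD_INVALID when
 * the input cannot be a method token at all. */
enum method method_d(const char **ss)
{
    const char *s = *ss;
    enum method code = METHOD_UNKNOWN;
    size_t n = 0;

    switch (s[0]) {
    case 'A': if (MATCH(s, "ACK"))  code = METHOD_ACK;  break;
    case 'I': if (MATCH(s, "INFO")) code = METHOD_INFO;
         else if (MATCH(s, "INVITE")) code = METHOD_INVITE;
         break;
    }
#undef MATCH

    /* The fix: for the input "IN" the chain above leaves n == 6 while strlen(s) == 2,
     * so s[n] would be read 4 bytes past the terminator without this check. */
    if (strlen(s) < n)
        return METHOD_INVALID;

    if (IS_NON_WS(s[n]))          /* e.g. "INVITEX": literal matched but the token continues */
        code = METHOD_UNKNOWN;

    if (code == METHOD_UNKNOWN) { /* unknown method: consume the whole token instead */
        for (n = 0; IS_TOKEN(s[n]); n++)
            ;
        if (n == 0 || IS_NON_WS(s[n]))
            return METHOD_INVALID;
    }

    *ss = s + n;
    return code;
}

/* Convenience wrapper for callers that only need the classification. */
enum method method_of(const char *s) { return method_d(&s); }
```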
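For CVE-2022-31002 (a URL ending in `%`), this added example, again not sofia-sip code, models the `%XX` decoding loop of `url_canonize2()` and the order of the `h1`/`h2` reads that the upstream fix enforces. `percent_decode`, `hexval` and `decodes_to` are names chosen for this illustration.

```c
/* Added example, not sofia-sip code: a minimal model of the %XX decoding loop in
 * url_canonize2(), with the check added for CVE-2022-31002 (URL ending in "%"). */
#include <stddef.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Copies s into d (d must hold strlen(s) + 1 bytes), decoding %XX escapes.
 * Returns d, or NULL after writing an empty string when an escape is malformed. */
char *percent_decode(char *d, const char *s)
{
    size_t i, j = 0;

    for (i = 0; s[i]; i++) {
        if (s[i] != '%') {
            d[j++] = s[i];
            continue;
        }
        /* Before the fix the code did `h1 = s[i + 1], h2 = s[i + 2];` unconditionally:
         * for a trailing '%', s[i + 1] is the terminator and s[i + 2] lies past it. */
        char h1 = s[i + 1];
        if (!h1) {          /* '%' is the last byte: stop here, never touch s[i + 2] */
            *d = '\0';
            return NULL;
        }
        char h2 = s[i + 2]; /* safe now: at worst this is the terminator */
        if (hexval(h1) < 0 || hexval(h2) < 0) {
            *d = '\0';
            return NULL;
        }
        d[j++] = (char)(hexval(h1) * 16 + hexval(h2));
        i += 2;
    }
    d[j] = '\0';
    return d;
}

/* Test helper: 1 if s decodes to expected, 0 if decoding is rejected. */
int decodes_to(const char *s, const char *expected)
{
    char buf[64];
    if (strlen(s) >= sizeof buf) return 0;
    return percent_decode(buf, s) != NULL && strcmp(buf, expected) == 0;
}
```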