Source: libosip2 Version: 4.1.0-2 Severity: grave Tags: upstream security patch Justification: user security hole
Hi, the following vulnerabilities were published for libosip2. CVE-2016-10324[0]: | In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a | heap buffer overflow in the osip_clrncpy() function defined in | osipparser2/osip_port.c. CVE-2016-10325[1]: | In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a | heap buffer overflow in the _osip_message_to_str() function defined in | osipparser2/osip_message_to_str.c, resulting in a remote DoS. CVE-2016-10326[2]: | In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a | heap buffer overflow in the osip_body_to_str() function defined in | osipparser2/osip_body.c, resulting in a remote DoS. CVE-2017-7853[3]: | In libosip2 in GNU oSIP 5.0.0, a malformed SIP message can lead to a | heap buffer overflow in the msg_osip_body_parse() function defined in | osipparser2/osip_message_parse.c, resulting in a remote DoS. The references to the security-tracker contain both respective upstream report and fixing commits. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2016-10324 [1] https://security-tracker.debian.org/tracker/CVE-2016-10325 [2] https://security-tracker.debian.org/tracker/CVE-2016-10326 [3] https://security-tracker.debian.org/tracker/CVE-2017-7853 Regards, Salvatore
