control -1 tags patch
Hi,

I'm not quite sure which is the preferred form to supply a patch, so I'll attach a `git format-patch` based on my `wip/cve` branch on salsa [0]. If further discussion should be needed before this can be uploaded, or the patch is preferred in a different form, please give me a shout.

[0] https://salsa.debian.org/devrtz/sofia-sip/-/tree/wip/cve

-- 
Cheers,
Evangelos
PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19
From 3687228cab738c9819bd82f6e171180e19b50c19 Mon Sep 17 00:00:00 2001 From: Evangelos Ribeiro Tzaras <dev...@fortysixandtwo.eu> Date: Sat, 13 Aug 2022 04:24:34 +0200 Subject: [PATCH 1/2] Add patches to fix reported CVEs; add copyright of patches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit closes: bug#1016974, thanks Moritz Mühlenhoff! For further information see: - CVE-2022-31001[0]: - CVE-2022-31002[1]: - CVE-2022-31003[2]: [0] https://security-tracker.debian.org/tracker/CVE-2022-31001 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001 [1] https://security-tracker.debian.org/tracker/CVE-2022-31002 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002 [2] https://security-tracker.debian.org/tracker/CVE-2022-31003 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003 --- debian/copyright | 18 ++++++++ .../1003-cve-fix-oob-read-sip_method_d.patch | 28 ++++++++++++ .../1004-cve-fix-oob-read-url_canonize.patch | 45 +++++++++++++++++++ .../1005-cve-fix-heap-overflow-by-two.patch | 39 ++++++++++++++++ debian/patches/series | 3 ++ 5 files changed, 133 insertions(+) create mode 100644 debian/patches/1003-cve-fix-oob-read-sip_method_d.patch create mode 100644 debian/patches/1004-cve-fix-oob-read-url_canonize.patch create mode 100644 debian/patches/1005-cve-fix-heap-overflow-by-two.patch diff --git a/debian/copyright b/debian/copyright index e9c3efcf..a6b1642e 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -245,6 +245,24 @@ License-Grant: License: GPL-3+ Reference: debian/copyright +Files: + debian/patches/1003* + debian/patches/1004* + debian/patches/1005* +Copyright: + 2022 Andrey Volk <andyw...@gmail.com> +License-Grant: + This library is free software; + you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License + as published by the Free Software Foundation; + either version 2.1 of the License, + or (at your option) any later version. +License-Grant: + Licensed under LGPL. + See file COPYING. +License: LGPL-2.1+ + License: BSD-3-clause Redistribution and use in source and binary forms, with or without modification, diff --git a/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch b/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch new file mode 100644 index 00000000..d6e12d1d --- /dev/null +++ b/debian/patches/1003-cve-fix-oob-read-sip_method_d.patch @@ -0,0 +1,28 @@ +From: Andrey Volk <andyw...@gmail.com> +Commit: e96b4b89fc37a074bc95fc8fc24bb4b5297048ad +Date: Mon, 18 Apr 2022 17:11:26 +0300 +Subject: Fix Out-of-bound read in sip_method_d + +Bug: https://security-tracker.debian.org/tracker/CVE-2022-31001 +Bug-Debian: https://bugs.debian.org/1016974 + +Last-Update: 2022-08-13 +--- + libsofia-sip-ua/sip/sip_parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/libsofia-sip-ua/sip/sip_parser.c b/libsofia-sip-ua/sip/sip_parser.c +index 3a4593d..b94be9b 100644 +--- a/libsofia-sip-ua/sip/sip_parser.c ++++ b/libsofia-sip-ua/sip/sip_parser.c +@@ -413,6 +413,10 @@ sip_method_t sip_method_d(char **ss, char const **return_name) + + #undef MATCH + ++ if (strlen(s) < n) { ++ return sip_method_invalid; ++ } ++ + if (IS_NON_WS(s[n])) + /* Unknown method */ + code = sip_method_unknown; diff --git a/debian/patches/1004-cve-fix-oob-read-url_canonize.patch b/debian/patches/1004-cve-fix-oob-read-url_canonize.patch new file mode 100644 index 00000000..46a3b030 --- /dev/null 
+++ b/debian/patches/1004-cve-fix-oob-read-url_canonize.patch @@ -0,0 +1,45 @@ +From: Andrey Volk <andyw...@gmail.com> +Commit: 32a209f00763d4e506ed68ab68ffea3ead9cc8de +Date: Mon, 18 Apr 2022 17:22:55 +0300 +Subject: Fix Out-of-bound read in url_canonize2 and url_canonize3 + +Bug: https://security-tracker.debian.org/tracker/CVE-2022-31002 +Bug-Debian: https://bugs.debian.org/1016974 + +Last-Update: 2022-08-13 +--- + libsofia-sip-ua/url/url.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/libsofia-sip-ua/url/url.c b/libsofia-sip-ua/url/url.c +index 7df6ab0..b379562 100644 +--- a/libsofia-sip-ua/url/url.c ++++ b/libsofia-sip-ua/url/url.c +@@ -364,7 +364,12 @@ char *url_canonize2(char *d, char const * const s, size_t n, + continue; + } + +- h1 = s[i + 1], h2 = s[i + 2]; ++ h1 = s[i + 1]; ++ if (!h1) { ++ *d = '\0'; ++ return NULL; ++ } ++ h2 = s[i + 2]; + + if (!IS_HEX(h1) || !IS_HEX(h2)) { + *d = '\0'; +@@ -422,7 +427,12 @@ char *url_canonize3(char *d, char const * const s, size_t n, + continue; + } + +- h1 = s[i + 1], h2 = s[i + 2]; ++ h1 = s[i + 1]; ++ if (!h1) { ++ *d = '\0'; ++ return NULL; ++ } ++ h2 = s[i + 2]; + + if (!IS_HEX(h1) || !IS_HEX(h2)) { + *d = '\0'; diff --git a/debian/patches/1005-cve-fix-heap-overflow-by-two.patch b/debian/patches/1005-cve-fix-heap-overflow-by-two.patch new file mode 100644 index 00000000..af47e39f --- /dev/null +++ b/debian/patches/1005-cve-fix-heap-overflow-by-two.patch 
@@ -0,0 +1,39 @@ +From: Andrey Volk <andyw...@gmail.com> +Commit: c07f05a4d1655fa3481ba0c5aed5026b38cef50c +Date: Mon, 18 Apr 2022 17:27:28 +0300 +Subject: Fix Heap-buffer-overflow in parse_descs and parse_message + +Bug: https://security-tracker.debian.org/tracker/CVE-2022-31003 +Bug-Debian: https://bugs.debian.org/1016974 + +Last-Update: 2022-08-13 +--- + libsofia-sip-ua/sdp/sdp_parse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libsofia-sip-ua/sdp/sdp_parse.c b/libsofia-sip-ua/sdp/sdp_parse.c +index 37055fc..fb0c3a9 100644 +--- a/libsofia-sip-ua/sdp/sdp_parse.c ++++ b/libsofia-sip-ua/sdp/sdp_parse.c +@@ -392,6 +392,10 @@ static void parse_message(sdp_parser_t *p) + record = next(&message, CRLF, strip)) { + field = record[0]; + ++ if (strlen(record) < 2) { ++ return; ++ } ++ + rest = record + 2; rest += strspn(rest, strip); + + if (record[1] != '=') { +@@ -1733,6 +1737,10 @@ static void parse_descs(sdp_parser_t *p, + record = next(&message, CRLF, strip)) { + char field = record[0]; + ++ if (strlen(record) < 2) { ++ return; ++ } ++ + rest = record + 2; rest += strspn(rest, strip); + + if (record[1] == '=') switch (field) { diff --git a/debian/patches/series b/debian/patches/series index de169082..034c177c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,5 @@ 1001_fix_undefined_behaviour_accessing_msg_mclass_s_members.patch 1002-Let-openSSL-negotiate-SSL-TLS-method.patch +1003-cve-fix-oob-read-sip_method_d.patch +1004-cve-fix-oob-read-url_canonize.patch +1005-cve-fix-heap-overflow-by-two.patch -- 2.36.1
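Review bot: in the debian/copyright hunk the new stanza for debian/patches/1003*, 1004* and 1005* has two `License-Grant:` fields in one paragraph (the LGPL boilerplate and "Licensed under LGPL. See file COPYING."); a duplicated field name in a single paragraph is at best ambiguous for tools that parse the file, so merge them into one `License-Grant:` field, for example the LGPL text followed by "See file COPYING.". Please also confirm that a standalone `License: LGPL-2.1+` paragraph with the full text (or a `Reference:` line, as the file already does for GPL-3+ in the visible context) exists elsewhere in debian/copyright, since the new stanza only uses the short name.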
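Review bot: in 1003-cve-fix-oob-read-sip_method_d.patch the guard `strlen(s) < n` walks the whole remaining message on every call to sip_method_d, although it only needs to know whether at least `n` bytes precede the terminator; `strnlen(s, n) < n` gives the same guard in bounded time. The placement is right: it runs before the `s[n]` read, and the `strlen(s) == n` case falls through to `IS_NON_WS(s[n])` on the NUL terminator, which is a valid read.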
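Review bot: in 1004-cve-fix-oob-read-url_canonize.patch the new `if (!h1)` check in url_canonize2 and url_canonize3 bounds the read by the NUL terminator, not by the `n` length parameter both functions take; if any caller passes a buffer that is not NUL-terminated within `n`, a check such as `i + 2 >= n` is the bound that is actually needed, so it is worth stating in the patch header which invariant (terminated input) the fix relies on. Checking only `h1` is sufficient for `h2` because a non-zero `s[i + 1]` guarantees `s[i + 2]` is at most the terminator; a one-line comment saying so would save the next reader the same reasoning. The identical block is now duplicated in both functions, which is fine for a minimal backport.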
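Review bot: in 1005-cve-fix-heap-overflow-by-two.patch the early `return` on `strlen(record) < 2` leaves parse_message and parse_descs silently, with nothing recorded on `p`, whereas a two-byte record whose second byte is not '=' reaches the `record[1] != '='` branch that follows; a one-byte record is the same class of malformed input, so it should probably take the same error-reporting path rather than truncating the parse without a diagnostic. `strlen(record)` per record is also unbounded for what is a two-byte question; `record[0] == '\0' || record[1] == '\0'` (or `strnlen(record, 2) < 2`) answers it in constant time, and reading `record[1]` is safe once `record[0]` is non-zero.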
From e9a5feb249fe29bb4dd0c38c672358d35799131e Mon Sep 17 00:00:00 2001 From: Evangelos Ribeiro Tzaras <dev...@fortysixandtwo.eu> Date: Sat, 13 Aug 2022 04:44:57 +0200 Subject: [PATCH 2/2] prepare for release: update changelog --- debian/changelog | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/debian/changelog b/debian/changelog index 3c329f44..9fbc81df 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-3) unstable; urgency=medium + + * Add patches to fix reported CVEs. + For further information see: + - CVE-2022-31001[0]: + - CVE-2022-31002[1]: + - CVE-2022-31003[2]: + [0] https://security-tracker.debian.org/tracker/CVE-2022-31001 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001 + [1] https://security-tracker.debian.org/tracker/CVE-2022-31002 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002 + [2] https://security-tracker.debian.org/tracker/CVE-2022-31003 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003 + closes: bug#1016974, thanks to Moritz Mühlenhoff + + -- Evangelos Ribeiro Tzaras <devrtz-deb...@fortysixandtwo.eu> Sat, 13 Aug 2022 04:34:27 +0200 + sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-2) unstable; urgency=medium [ Evangelos Ribeiro Tzaras ] -- 2.36.1
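Review bot: in the debian/changelog hunk each CVE bullet ("- CVE-2022-31001[0]:" and so on) ends at the colon with no description, so the entry does not say what was fixed; a short phrase per line taken from the patch subjects already present in the 1003-1005 patch headers (out-of-bound read in sip_method_d, out-of-bound read in url_canonize2/url_canonize3, heap-buffer-overflow in parse_descs and parse_message) would make the changelog self-explanatory, and the same applies to the identical list in the commit message of patch 1/2. The `closes: bug#1016974` form is accepted by dpkg's changelog parser, but `(Closes: #1016974)` is the conventional spelling.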