Your message dated Mon, 29 May 2023 10:04:33 +0000
with message-id <e1q3zjt-004bcy...@fasolo.debian.org>
and subject line Bug#1036847: fixed in sofia-sip
1.12.11+20110422.1+1e14eea~dfsg-6
has caused the Debian Bug report #1036847,
regarding sofia-sip: CVE-2023-32307: heap-over-flow and integer-overflow in
stun_parse_attr_error_code and stun_parse_attr_uint32
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1036847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036847
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sofia-sip
Version: 1.12.11+20110422.1+1e14eea~dfsg-5
Severity: grave
Tags: security upstream
Forwarded: https://github.com/freeswitch/sofia-sip/pull/214
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for sofia-sip.
CVE-2023-32307[0]:
| Sofia-SIP is an open-source SIP User-Agent library, compliant with the
| IETF RFC3261 specification. Referring to
| [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54),
| several other potential heap-over-flow and integer-overflow in
| stun_parse_attr_error_code and stun_parse_attr_uint32 were found because
| of the lack of an attribute length check when Sofia-SIP handles STUN
| packets. The previous patch of
| [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54)
| fixed the vulnerability when attr_type did not match the enum value, but
| there are also vulnerabilities in the handling of other valid cases. The
| OOB read and integer-overflow made by an attacker may lead to a crash,
| high consumption of memory or even other more serious consequences.
| These issues have been addressed in version 1.13.15. Users are advised
| to upgrade.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-32307
https://www.cve.org/CVERecord?id=CVE-2023-32307
[1] https://github.com/freeswitch/sofia-sip/pull/214
[2] https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c
[3] https://github.com/freeswitch/sofia-sip/commit/c3bbc50c88d168065de34ca01b9b1d98c1b0e810
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
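The advisory quoted above attributes the bugs to STUN attributes being read without their length being checked first. The following is an added example, not sofia-sip's code, of a STUN attribute walk that performs those checks for ERROR-CODE and a 32-bit attribute (LIFETIME); attribute types and value layouts follow RFC 5389, and the two sample packets are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example, not sofia-sip code: a STUN attribute walk that checks
 * each attribute against the packet bounds and the per-type minimum lengths
 * (RFC 5389: ERROR-CODE carries at least 4 bytes, LIFETIME exactly 4). */
#define STUN_HDR_LEN         20
#define STUN_ATTR_ERROR_CODE 0x0009
#define STUN_ATTR_LIFETIME   0x000D

typedef struct { uint16_t type, len; const uint8_t *val; } stun_attr_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the attribute count, or -1 if any length field would make a later
 * read leave the buffer. size_t arithmetic keeps len + 3 from wrapping. */
int stun_walk_attrs(const uint8_t *pkt, size_t pkt_len, stun_attr_t *out, size_t max_out)
{
    if (pkt_len < STUN_HDR_LEN) return -1;
    size_t body = rd16(pkt + 2);
    if (body > pkt_len - STUN_HDR_LEN) return -1;        /* header overstates body */
    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + body, n = 0;
    while (off < end) {
        if (end - off < 4) return -1;                      /* truncated TLV header */
        uint16_t type = rd16(pkt + off), len = rd16(pkt + off + 2);
        size_t padded = ((size_t)len + 3) & ~(size_t)3;    /* values are 4-byte aligned */
        if (padded > end - off - 4) return -1;             /* value runs past the body */
        if (type == STUN_ATTR_ERROR_CODE && len < 4) return -1;
        if (type == STUN_ATTR_LIFETIME && len != 4) return -1;
        if (n < max_out) out[n] = (stun_attr_t){ type, len, pkt + off + 4 };
        n++;
        off += 4 + padded;
    }
    return (int)n;
}
/* Value accessors; safe only on attributes stun_walk_attrs accepted. */
int stun_error_code(const stun_attr_t *a) { return (a->val[2] & 0x7) * 100 + a->val[3]; }
uint32_t stun_uint32(const stun_attr_t *a) { return rd32(a->val); }

/* Constructed packets: 20-byte header, then attributes. stun_ok carries ERROR-CODE
 * 401 "Unau" and LIFETIME 600; stun_short_err has a 2-byte ERROR-CODE whose
 * class/number bytes would be read past the value without the length check. */
const uint8_t stun_ok[40] = {
    0x01,0x11,0x00,0x14, 0x21,0x12,0xA4,0x42, 1,2,3,4,5,6,7,8,9,10,11,12,
    0x00,0x09,0x00,0x08, 0x00,0x00,0x04,0x01, 'U','n','a','u',
    0x00,0x0D,0x00,0x04, 0x00,0x00,0x02,0x58 };
const uint8_t stun_short_err[28] = {
    0x01,0x11,0x00,0x08, 0x21,0x12,0xA4,0x42, 1,2,3,4,5,6,7,8,9,10,11,12,
    0x00,0x09,0x00,0x02, 0x00,0x00,0x00,0x00 };
```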
--- Begin Message ---
Source: sofia-sip
Source-Version: 1.12.11+20110422.1+1e14eea~dfsg-6
Done: Evangelos Ribeiro Tzaras <devrtz-deb...@fortysixandtwo.eu>
We believe that the bug you reported is fixed in the latest version of
sofia-sip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Evangelos Ribeiro Tzaras <devrtz-deb...@fortysixandtwo.eu> (supplier of updated
sofia-sip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 29 May 2023 11:36:38 +0200
Source: sofia-sip
Architecture: source
Version: 1.12.11+20110422.1+1e14eea~dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Evangelos Ribeiro Tzaras <devrtz-deb...@fortysixandtwo.eu>
Closes: 1036847
Changes:
sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-6) unstable; urgency=medium
.
* Add patch to fix reported CVE-2023-32307.
For further information see:
- CVE-2023-32307[0]
[0] https://security-tracker.debian.org/tracker/CVE-2023-32307
https://www.cve.org/CVERecord?id=CVE-2023-32307 (closes: bug#1036847)
--- End Message ---