Your message dated Fri, 16 Jun 2023 19:47:24 +0000
with message-id <e1qafpo-003fli...@fasolo.debian.org>
and subject line Bug#1036847: fixed in sofia-sip 1.12.11+20110422.1-2.1+deb11u2
has caused the Debian Bug report #1036847,
regarding sofia-sip: CVE-2023-32307: heap-over-flow and integer-overflow in
stun_parse_attr_error_code and stun_parse_attr_uint32
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1036847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036847
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sofia-sip
Version: 1.12.11+20110422.1+1e14eea~dfsg-5
Severity: grave
Tags: security upstream
Forwarded: https://github.com/freeswitch/sofia-sip/pull/214
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for sofia-sip.
CVE-2023-32307[0]:
| Sofia-SIP is an open-source SIP User-Agent library, compliant with the
| IETF RFC3261 specification. Referring to
| [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54),
| several other potential heap-over-flow and integer-overflow in
| stun_parse_attr_error_code and stun_parse_attr_uint32 were found because
| of the lack of attribute length checks when Sofia-SIP handles STUN
| packets. The previous patch of
| [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54)
| fixed the vulnerability when attr_type did not match the enum value, but
| there are also vulnerabilities in the handling of other valid cases. The
| OOB read and integer-overflow made by an attacker may lead to crash, high
| consumption of memory or even other more serious consequences. These
| issues have been addressed in version 1.13.15. Users are advised to
| upgrade.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-32307
https://www.cve.org/CVERecord?id=CVE-2023-32307
[1] https://github.com/freeswitch/sofia-sip/pull/214
[2] https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c
[3] https://github.com/freeswitch/sofia-sip/commit/c3bbc50c88d168065de34ca01b9b1d98c1b0e810
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
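As an added example that is not Sofia-SIP's code, the C parser below shows the attribute-length checks whose absence the advisory describes: the 4-byte attribute header must fit in the packet, the declared value length must fit in what remains, a 32-bit attribute must carry exactly 4 bytes, and ERROR-CODE must carry at least its 4 fixed bytes before the reason length is derived from it. The attribute type numbers come from RFC 5389 and RFC 5766; the function names and the struct are assumptions for this example and only loosely mirror the names in the CVE title.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not Sofia-SIP's code: bounds-checked parsing of the two STUN
 * attribute kinds named in the advisory. STUN attributes are TLVs: 16-bit
 * type, 16-bit length (big-endian, value bytes only), value padded to 4. */
#define STUN_ATTR_ERROR_CODE 0x0009   /* RFC 5389 */
#define STUN_ATTR_LIFETIME   0x000D   /* a UINT32-valued attribute, RFC 5766 */

/* Parsed ERROR-CODE: class*100+number plus a view of the reason phrase. */
struct stun_error_code { unsigned code; const uint8_t *reason; size_t reason_len; };

/* 32-bit attribute: exactly 4 value bytes, otherwise reject (reading 4 bytes
 * from a shorter value without this check is the out-of-bounds read). */
int parse_attr_uint32(const uint8_t *val, size_t len, uint32_t *out) {
    if (len != 4) return -1;
    *out = ((uint32_t)val[0] << 24) | ((uint32_t)val[1] << 16) |
           ((uint32_t)val[2] << 8) | val[3];
    return 0;
}

/* ERROR-CODE: 4 fixed bytes then the reason. Checking len >= 4 first keeps
 * len - 4 from wrapping to a huge size_t (the integer overflow). */
int parse_attr_error_code(const uint8_t *val, size_t len, struct stun_error_code *out) {
    if (len < 4) return -1;
    out->code = (val[2] & 0x07) * 100 + val[3];
    out->reason = val + 4;
    out->reason_len = len - 4;
    return 0;
}

/* Parses one attribute at buf. Returns bytes consumed (header + padded value)
 * or 0 if the header or the declared value does not fit in avail. */
size_t parse_one_attr(const uint8_t *buf, size_t avail,
                      uint32_t *u32, struct stun_error_code *ec) {
    if (avail < 4) return 0;
    uint16_t type = (uint16_t)(buf[0] << 8 | buf[1]);
    uint16_t len  = (uint16_t)(buf[2] << 8 | buf[3]);
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (padded > avail - 4) return 0;          /* declared length exceeds packet */
    const uint8_t *val = buf + 4;
    if (type == STUN_ATTR_ERROR_CODE && parse_attr_error_code(val, len, ec) != 0) return 0;
    if (type == STUN_ATTR_LIFETIME && parse_attr_uint32(val, len, u32) != 0) return 0;
    return 4 + padded;                          /* unknown types are skipped */
}
```

A caller loops over the attribute area with this function and drops the packet as soon as it returns 0, so a malformed length never reaches the per-attribute decoders.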
--- Begin Message ---
Source: sofia-sip
Source-Version: 1.12.11+20110422.1-2.1+deb11u2
Done: Moritz Mühlenhoff <j...@debian.org>
We believe that the bug you reported is fixed in the latest version of
sofia-sip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated sofia-sip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 11 Jun 2023 17:15:07 +0200
Source: sofia-sip
Architecture: source
Version: 1.12.11+20110422.1-2.1+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Ron Lee <r...@debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Closes: 1036847
Changes:
sofia-sip (1.12.11+20110422.1-2.1+deb11u2) bullseye-security; urgency=medium
.
* CVE-2023-32307 (Closes: #1036847)
Checksums-Sha1:
276e2068bf820fb9e06d933bf26af6b09f403197 2405 sofia-sip_1.12.11+20110422.1-2.1+deb11u2.dsc
ee789c4a2d35ee9ad0e519ebd5a276ef72b2fff6 28195 sofia-sip_1.12.11+20110422.1-2.1+deb11u2.diff.gz
1231d942b57dbb1c74f9987a4e57f7510a9c3235 11935 sofia-sip_1.12.11+20110422.1-2.1+deb11u2_amd64.buildinfo
Checksums-Sha256:
4965e60747b15de5a5b9a55df7dd7ec2aa0f5543b80d5016abe6d027b138a4d1 2405 sofia-sip_1.12.11+20110422.1-2.1+deb11u2.dsc
37797e1ad6de53af5ae0f5306483160eee95bb3f2f56d23ca51eb80264b985e5 28195 sofia-sip_1.12.11+20110422.1-2.1+deb11u2.diff.gz
b11e77f6ceb0ddbac73b7f304debc2e01c8d68cfa9ae4b514c6cbccbcd84bd7f 11935 sofia-sip_1.12.11+20110422.1-2.1+deb11u2_amd64.buildinfo
Files:
9ea0875df5ae2d1ed8b2d82032d3ae2e 2405 net optional sofia-sip_1.12.11+20110422.1-2.1+deb11u2.dsc
d528f6eb1fc824c5b17a17d36d7f7eeb 28195 net optional sofia-sip_1.12.11+20110422.1-2.1+deb11u2.diff.gz
27683cee51bf01b61c8dfc027bb72b69 11935 net optional sofia-sip_1.12.11+20110422.1-2.1+deb11u2_amd64.buildinfo
--- End Message ---