Your message dated Fri, 24 May 2024 09:02:51 +0000
with message-id <e1saqp9-007iht...@fasolo.debian.org>
and subject line Bug#1069679: fixed in ofono 1.31-4
has caused the Debian Bug report #1069679,
regarding ofono: CVE-2023-2794
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1069679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069679
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for ofono.
CVE-2023-2794[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver() function
| during the SMS decoding. It is assumed that the attack scenario is
| accessible from a compromised modem, a malicious base station, or
| just SMS. There is a bound check for this memcpy length in
| decode_submit(), but it was forgotten in decode_deliver().
https://bugzilla.redhat.com/show_bug.cgi?id=2255387
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e2688880b065a39c9
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-2794
https://www.cve.org/CVERecord?id=CVE-2023-2794
Please adjust the affected versions in the BTS as needed.
--- End Message ---
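The class of bug described in the CVE text above, as an added illustration that is not part of the original messages and is not ofono's code: a decoder copies TP-User-Data into a fixed 140-octet buffer using a length derived from the attacker-supplied TP-UDL octet. The struct, function names and PDU layout here are simplified assumptions; the second check is the kind of bound the description says decode_submit() had and decode_deliver() lacked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UD_MAX 140 /* max TP-User-Data octets in one SMS TPDU (3GPP TS 23.040) */

struct deliver_ud {      /* hypothetical struct, not ofono's */
    uint8_t udl;         /* TP-UDL exactly as received */
    uint8_t ud[UD_MAX];  /* fixed-size destination buffer */
};

/* TP-UDL counts septets for the GSM 7-bit alphabet, octets otherwise. */
static size_t ud_octets(uint8_t udl, int is_7bit)
{
    return is_7bit ? ((size_t)udl * 7 + 7) / 8 : udl;
}

/* Copy the user data starting at pdu[offset] (TP-UDL octet first).
 * Returns 0 on success, -1 if the PDU is malformed. */
int copy_user_data(const uint8_t *pdu, size_t len, size_t offset,
                   int is_7bit, struct deliver_ud *out)
{
    if (offset >= len)
        return -1;
    out->udl = pdu[offset++];
    size_t expected = ud_octets(out->udl, is_7bit);

    /* Check 1: the PDU really carries that many octets (no over-read). */
    if (expected > len - offset)
        return -1;
    /* Check 2: the length fits the destination. Without this bound, a
     * sender-chosen TP-UDL lets memcpy() write past ud[]. */
    if (expected > sizeof(out->ud))
        return -1;

    memcpy(out->ud, pdu + offset, expected);
    return 0;
}

int main(void)
{
    /* Constructed input: TP-UDL claims 200 octets of 8-bit data. */
    uint8_t pdu[201] = { 200 };
    struct deliver_ud out;
    return copy_user_data(pdu, sizeof(pdu), 0, 0, &out) == -1 ? 0 : 1;
}
```

Note that check 1 alone does not help here: the oversized PDU in `main()` is internally consistent, so only the bound against the destination size rejects it.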
--- Begin Message ---
Source: ofono
Source-Version: 1.31-4
Done: Mike Gabriel <sunwea...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ofono, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1069...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated ofono package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 24 May 2024 10:12:08 +0200
Source: ofono
Architecture: source
Version: 1.31-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Telepathy maintainers <pkg-telepathy-maintain...@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 1060578 1069679
Changes:
 ofono (1.31-4) unstable; urgency=medium
 .
   * debian/control:
     + Bump Standards-Version to 4.7.0. No changes needed.
     + Add myself to Uploaders:.
   * debian/control:
     + Add to B-D: systemd-dev [linux-any]. (Closes: #1060578).
   * CVE-2023-2794, debian/patches:
     + Add CVE-2023-2794_p{1,2,3,4}.patch. Fix SMS decoder stack-based buffer
       overflow (remote code execution vulnerability within the decode_deliver()
       function). (Closes: #1069679).
--- End Message ---