Version in base suite: 20230206.0~ds2-1.1 Base version: ring_20230206.0~ds2-1.1 Target version: ring_20230206.0~ds2-1.1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/ring/ring_20230206.0~ds2-1.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/ring/ring_20230206.0~ds2-1.1+deb12u1.dsc changelog | 8 +++++ patches/CVE-2023-27585_ring.patch | 52 ++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 61 insertions(+)
diff -Nru ring-20230206.0~ds2/debian/changelog ring-20230206.0~ds2/debian/changelog
--- ring-20230206.0~ds2/debian/changelog 2023-03-01 05:05:32.000000000 +0000
+++ ring-20230206.0~ds2/debian/changelog 2025-07-02 07:29:21.000000000 +0000
@@ -1,3 +1,11 @@
+ring (20230206.0~ds2-1.1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2023-27585: Embedded copy of PJSIP library has a buffer overflow in
+ the DNS implementation.
+
+ -- Aron Xu Wed, 02 Jul 2025 15:29:21 +0800
+
 ring (20230206.0~ds2-1.1) unstable; urgency=medium

 * Upload to unstable.
diff -Nru ring-20230206.0~ds2/debian/patches/CVE-2023-27585_ring.patch ring-20230206.0~ds2/debian/patches/CVE-2023-27585_ring.patch
--- ring-20230206.0~ds2/debian/patches/CVE-2023-27585_ring.patch 1970-01-01 00:00:00.000000000 +0000
+++ ring-20230206.0~ds2/debian/patches/CVE-2023-27585_ring.patch 2025-07-02 07:29:21.000000000 +0000
@@ -0,0 +1,52 @@
+From: Sauw Ming
+Reviewed-by: Aron Xu
+Forwarded: not-needed
+
+Index: ring-20230206.0~ds2/daemon/contrib/tarballs-unpacked/pjproject-3b78ef1c48732d238ba284cdccb04dc6de79c54f.tar.gz/pjproject-3b78ef1c48732d238ba284cdccb04dc6de79c54f/pjlib-util/src/pjlib-util/dns.c
+===================================================================
+--- ring-20230206.0~ds2.orig/daemon/contrib/tarballs-unpacked/pjproject-3b78ef1c48732d238ba284cdccb04dc6de79c54f.tar.gz/pjproject-3b78ef1c48732d238ba284cdccb04dc6de79c54f/pjlib-util/src/pjlib-util/dns.c
++++ ring-20230206.0~ds2/daemon/contrib/tarballs-unpacked/pjproject-3b78ef1c48732d238ba284cdccb04dc6de79c54f.tar.gz/pjproject-3b78ef1c48732d238ba284cdccb04dc6de79c54f/pjlib-util/src/pjlib-util/dns.c
+@@ -128,6 +128,9 @@ static pj_status_t get_name_len(int rec_
+ return PJLIB_UTIL_EDNSINNAMEPTR;
+ }
+
++ if (start >= max)
++ return PJLIB_UTIL_EDNSINNAMEPTR;
++
+ *name_len = *parsed_len = 0;
+ p = start;
+ while (*p) {
+@@ -200,6 +203,9 @@ static pj_status_t get_name(int rec_coun
+ return PJLIB_UTIL_EDNSINNAMEPTR;
+ }
+
++ if (start >= max)
++ return PJLIB_UTIL_EDNSINNAMEPTR;
++
+ p = start;
+ while (*p) {
+ if ((*p & 0xc0) == 0xc0) {
+@@ -360,10 +366,14 @@ static pj_status_t parse_rr(pj_dns_parse
+
+ /* Parse some well known records */
+ if (rr->type == PJ_DNS_TYPE_A) {
++ if (p + 4 > max)
++ return PJLIB_UTIL_EDNSINSIZE;
+ pj_memcpy(&rr->rdata.a.ip_addr, p, 4);
+ p += 4;
+
+ } else if (rr->type == PJ_DNS_TYPE_AAAA) {
++ if (p + 16 > max)
++ return PJLIB_UTIL_EDNSINSIZE;
+ pj_memcpy(&rr->rdata.aaaa.ip_addr, p, 16);
+ p += 16;
+
+@@ -389,6 +399,8 @@ static pj_status_t parse_rr(pj_dns_parse
+ p += name_part_len;
+
+ } else if (rr->type == PJ_DNS_TYPE_SRV) {
++ if (p + 6 > max)
++ return PJLIB_UTIL_EDNSINSIZE;
+
+ /* Priority */
+ pj_memcpy(&rr->rdata.srv.prio, p, 2);
diff -Nru ring-20230206.0~ds2/debian/patches/series ring-20230206.0~ds2/debian/patches/series
--- ring-20230206.0~ds2/debian/patches/series 2023-02-26
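Review bot: The new length checks in parse_rr (`p + 4 > max`, `p + 16 > max`, `p + 6 > max`) form a pointer beyond the end of the packet before comparing it, and on a truncated record that pointer arithmetic is itself undefined behaviour in C, so an optimising compiler is not obliged to keep the guard. Comparing the remaining length avoids this, e.g. `if (max - p < 4) return PJLIB_UTIL_EDNSINSIZE;` and likewise for 16 and 6, assuming p never exceeds max at those points. The `start >= max` guards in get_name_len and get_name protect only the first byte read by `while (*p)`; both loop bodies lie outside the hunks, so whether each later advance of p is re-checked against max cannot be confirmed from this patch. The patch header carries `Forwarded: not-needed` but no `Description:` or `Origin:` field; adding `Origin: upstream, <upstream-commit-url>` would let the backport to the embedded pjproject copy be traced to the upstream fix.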
15:37:15.000000000 +0000
+++ ring-20230206.0~ds2/debian/patches/series 2025-07-02 07:29:21.000000000 +0000
@@ -3,3 +3,4 @@
 2000-jsoncpp-rename.patch
 2010-dont-build-gnutls.patch
 2020-dont-build-msgpack.patch
+CVE-2023-27585_ring.patch