Version in base suite: 1.12.11+20110422.1-2.1 Base version: sofia-sip_1.12.11+20110422.1-2.1 Target version: sofia-sip_1.12.11+20110422.1-2.1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/sofia-sip/sofia-sip_1.12.11+20110422.1-2.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/sofia-sip/sofia-sip_1.12.11+20110422.1-2.1+deb11u1.dsc libsofia-sip-ua/sdp/sdp_parse.c | 8 ++++++++ libsofia-sip-ua/sip/sip_parser.c | 4 ++++ libsofia-sip-ua/stun/sofia-sip/stun_common.h | 2 +- libsofia-sip-ua/stun/stun_common.c | 21 +++++++++++++++++---- libsofia-sip-ua/tport/tport.c | 2 -- libsofia-sip-ua/url/url.c | 14 ++++++++++++-- sofia-sip-1.12.11+20110422.1/debian/changelog | 22 ++++++++++++++++++++++ 7 files changed, 64 insertions(+), 9 deletions(-)
diff -u sofia-sip-1.12.11+20110422.1/debian/changelog sofia-sip-1.12.11+20110422.1/debian/changelog
--- sofia-sip-1.12.11+20110422.1/debian/changelog
+++ sofia-sip-1.12.11+20110422.1/debian/changelog
@@ -1,3 +1,25 @@
+sofia-sip (1.12.11+20110422.1-2.1+deb11u1) bullseye-security; urgency=medium
+
+ * Apply patches to fix reported CVEs.
+ For further information see:
+ - CVE-2022-31001[0]:
+ - CVE-2022-31002[1]:
+ - CVE-2022-31003[2]:
+ - CVE-2023-22741[3]:
+ - CVE-2022-47516[4]:
+ [0] https://security-tracker.debian.org/tracker/CVE-2022-31001
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
+ [1] https://security-tracker.debian.org/tracker/CVE-2022-31002
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
+ [2] https://security-tracker.debian.org/tracker/CVE-2022-31003
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003
+ [3] https://security-tracker.debian.org/tracker/CVE-2023-22741
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741
+ [4] https://security-tracker.debian.org/tracker/CVE-2022-47516
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516
+
+ -- Evangelos Ribeiro Tzaras Tue, 23 May 2023 06:01:51 +0200
+
 sofia-sip (1.12.11+20110422.1-2.1) unstable; urgency=medium
 * Non-maintainer upload.
only in patch2: unchanged:
--- sofia-sip-1.12.11+20110422.1.orig/libsofia-sip-ua/sdp/sdp_parse.c
+++ sofia-sip-1.12.11+20110422.1/libsofia-sip-ua/sdp/sdp_parse.c
@@ -392,6 +392,10 @@
 record = next(&message, CRLF, strip)) {
 field = record[0];
+ if (strlen(record) < 2) {
+ return;
+ }
+
 rest = record + 2; rest += strspn(rest, strip);
 if (record[1] != '=') {
@@ -1733,6 +1737,10 @@
 record = next(&message, CRLF, strip)) {
 char field = record[0];
+ if (strlen(record) < 2) {
+ return;
+ }
+
 rest = record + 2; rest += strspn(rest, strip);
 if (record[1] == '=') switch (field) {
only in patch2: unchanged:
--- sofia-sip-1.12.11+20110422.1.orig/libsofia-sip-ua/sip/sip_parser.c
+++ sofia-sip-1.12.11+20110422.1/libsofia-sip-ua/sip/sip_parser.c
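Review bot: The new guard `if (strlen(record) < 2)` leaves the parser with a bare `return;`, so a truncated record ends parsing silently, whereas the `record[1] != '='` branch just below it (its body lies outside the hunk) presumably records a parse error; both malformed-record cases should take the same path so a caller can tell a truncated SDP from a complete one. `strlen(record)` also rescans the whole record on every loop iteration when only the first two bytes matter; `if (!record[0] || !record[1]) {` is equivalent and constant-time. The same applies to the second hunk at line 1733. The enclosing loop and function start and end outside both hunks.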
@@ -413,6 +413,10 @@
 #undef MATCH
+ if (strlen(s) < n) {
+ return sip_method_invalid;
+ }
+
 if (IS_NON_WS(s[n])) /* Unknown method */ code = sip_method_unknown;
only in patch2: unchanged:
--- sofia-sip-1.12.11+20110422.1.orig/libsofia-sip-ua/stun/sofia-sip/stun_common.h
+++ sofia-sip-1.12.11+20110422.1/libsofia-sip-ua/stun/sofia-sip/stun_common.h
@@ -192,7 +192,7 @@
 /* Common functions */
 int stun_parse_message(stun_msg_t *msg);
-int stun_parse_attribute(stun_msg_t *msg, unsigned char *p);
+int stun_parse_attribute(stun_msg_t *msg, unsigned char *p, size_t left_len);
 int stun_parse_attr_address(stun_attr_t *attr, const unsigned char *p, unsigned len);
 int stun_parse_attr_error_code(stun_attr_t *attr, const unsigned char *p, unsigned len);
 int stun_parse_attr_unknown_attributes(stun_attr_t *attr, const unsigned char *p, unsigned len);
only in patch2: unchanged:
--- sofia-sip-1.12.11+20110422.1.orig/libsofia-sip-ua/stun/stun_common.c
+++ sofia-sip-1.12.11+20110422.1/libsofia-sip-ua/stun/stun_common.c
@@ -87,6 +87,13 @@
 /* parse header first */
 p = msg->enc_buf.data;
+
+ if (get16(p, 2) > (msg->enc_buf.size - 20))
+ {
+ SU_DEBUG_3(("%s: Error STUN Message Length is too big.\n", __func__));
+ return -1;
+ }
+
 msg->stun_hdr.msg_type = get16(p, 0);
 msg->stun_hdr.msg_len = get16(p, 2);
 memcpy(msg->stun_hdr.tran_id, p + 4, STUN_TID_BYTES);
@@ -98,9 +105,9 @@
 len = msg->stun_hdr.msg_len;
 p = msg->enc_buf.data + 20;
 msg->stun_attr = NULL;
- while (len > 0) {
- i = stun_parse_attribute(msg, p);
- if (i <= 0) {
+ while (len >= 4) { // Type (2) + Length (2) + Value (variable) min attribute size
+ i = stun_parse_attribute(msg, p, len);
+ if (i <= 0 || i > len) {
 SU_DEBUG_3(("%s: Error parsing attribute.\n", __func__));
 return -1;
 }
@@ -111,7 +118,7 @@
 return 0;
 }
-int stun_parse_attribute(stun_msg_t *msg, unsigned char *p)
+int stun_parse_attribute(stun_msg_t *msg, unsigned char *p, size_t left_len)
 {
 int len;
 uint16_t attr_type;
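Review bot: `strlen(s)` in the new check walks to the end of whatever `s` points into — if `s` is the start of a request line inside the message buffer, that is the rest of the message — on every method decode, when only the first `n` bytes matter; `if (strnlen(s, n) < n) {` (POSIX.1-2008, so worth confirming against the project's portability layer) bounds the scan to `n` bytes and is otherwise equivalent. If `n` is a signed `int`, the comparison with the `size_t` result converts it to unsigned; that is harmless for the non-negative lengths the MATCH cases above presumably assign, but a `(size_t)` cast would keep `-Wsign-compare` quiet. The enclosing function starts and ends outside the hunk.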
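Review bot: The new `left_len` parameter of `stun_parse_attribute` is undocumented in what is an installed public header, and the only caller shown relies on it meaning "bytes still available from `p`". A Doxygen comment on the declaration would pin that contract: `/** Parse one attribute at @a p; @a left_len is the number of bytes available from @a p to the end of the message. Returns the number of bytes consumed (positive) on success, a non-positive value on error. */` — the return semantics are inferred from the caller's `i <= 0 || i > len` test and should be confirmed against the definition.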
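Review bot: `msg->enc_buf.size - 20` is evaluated before anything establishes that the buffer holds the 20-byte header at all; for a buffer shorter than that the subtraction wraps if `size` is unsigned, and whether the comparison then still rejects the message depends on the signedness of `size` and of `get16`'s return type, neither of which the hunk shows. Either way `get16(p, 2)` and the later `memcpy` of the transaction id read past a short buffer, so guard the header size explicitly: `if (msg->enc_buf.size < 20 || get16(p, 2) > msg->enc_buf.size - 20)`. The enclosing function starts outside the hunk.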
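Review bot: Changing the loop condition from `len > 0` to `len >= 4` means that 1–3 bytes left over after the last attribute no longer reach `stun_parse_attribute`; the loop simply exits and, if the `return 0;` seen in the next hunk's context is the end of this function, the message is reported as parsed successfully despite the trailing bytes. A leftover too short to be an attribute header is a framing error like the others and is cheap to reject after the loop: `if (len != 0) { SU_DEBUG_3(("%s: Error trailing bytes after attributes.\n", __func__)); return -1; }`. The `len`/`p` advance that the loop depends on is outside the hunk, so this is inferred from the condition alone.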
@@ -120,6 +127,12 @@
 attr_type = get16(p, 0);
 len = get16(p, 2);
+ if ((left_len - 4) < len) // make sure we have enough space for attribute
+ {
+ SU_DEBUG_3(("%s: Error STUN attr len is too big.\n", __func__));
+ return -1;
+ }
+
 SU_DEBUG_5(("%s: received attribute: Type %02X, Length %d - %s\n", __func__, attr_type, len, stun_attr_phrase(attr_type)));
only in patch2: unchanged:
--- sofia-sip-1.12.11+20110422.1.orig/libsofia-sip-ua/tport/tport.c
+++ sofia-sip-1.12.11+20110422.1/libsofia-sip-ua/tport/tport.c
@@ -3309,8 +3309,6 @@
 tp_name_t tpn[1];
 struct sigcomp_compartment *cc;
- assert(self);
-
 if (!self || !msg || !_tpn) {
 msg_set_errno(msg, EINVAL);
 return NULL;
only in patch2: unchanged:
--- sofia-sip-1.12.11+20110422.1.orig/libsofia-sip-ua/url/url.c
+++ sofia-sip-1.12.11+20110422.1/libsofia-sip-ua/url/url.c
@@ -364,7 +364,12 @@
 continue;
 }
- h1 = s[i + 1], h2 = s[i + 2];
+ h1 = s[i + 1];
+ if (!h1) {
+ *d = '\0';
+ return NULL;
+ }
+ h2 = s[i + 2];
 if (!IS_HEX(h1) || !IS_HEX(h2)) {
 *d = '\0';
@@ -422,7 +427,12 @@
 continue;
 }
- h1 = s[i + 1], h2 = s[i + 2];
+ h1 = s[i + 1];
+ if (!h1) {
+ *d = '\0';
+ return NULL;
+ }
+ h2 = s[i + 2];
 if (!IS_HEX(h1) || !IS_HEX(h2)) {
 *d = '\0';
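Review bot: `(left_len - 4) < len` underflows when `left_len < 4`: `left_len` is a `size_t`, so the subtraction wraps to a huge value and the new bound check passes for any attribute length. The one caller shown, the `while (len >= 4)` loop in `stun_parse_message`, never passes fewer than 4 bytes, but `stun_parse_attribute` is exported through the public header and should enforce its own precondition; `if (left_len < 4 || left_len - 4 < (size_t)len)` closes the gap and makes the `int`-versus-`size_t` comparison explicit. The enclosing function continues outside the hunk.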
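Review bot: The new `if (!h1)` block duplicates the `*d = '\0';` failure path of the existing `IS_HEX` check (whose own `return` presumably follows the last context line), when its only purpose is to avoid reading `s[i + 2]` past the terminator. Provided `IS_HEX('\0')` is false, as any sane definition of that macro makes it, `h1 = s[i + 1]; h2 = h1 ? s[i + 2] : '\0';` gives the same result with a single exit path and no second copy of the cleanup. The same applies to the second hunk at line 427. Both enclosing functions start and end outside their hunks.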