[Pkg-telepathy-maintainers] Bug#1069679: ofono: CVE-2023-2794
Moritz Mühlenhoff
jmm at inutil.org
Mon Apr 22 15:44:38 BST 2024
Source: ofono
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for ofono.
CVE-2023-2794[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver() function
| during the SMS decoding. It is assumed that the attack scenario is
| accessible from a compromised modem, a malicious base station, or
| just SMS. There is a bound check for this memcpy length in
| decode_submit(), but it was forgotten in decode_deliver().
https://bugzilla.redhat.com/show_bug.cgi?id=2255387
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e2688880b065a39c9
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-2794
https://www.cve.org/CVERecord?id=CVE-2023-2794
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-telepathy-maintainers
mailing list