[Pkg-telepathy-maintainers] Bug#1069679: Debian Bugs information: logs for Bug#1069679

Mike Gabriel sunweaver at debian.org
Fri May 24 07:52:07 BST 2024


Hi Emilio, Laurent, Hector, et al.

On Fri 24 May 2024 08:48:04 CEST, Debian Bug Tracking System wrote:

> Source: ofono
> X-Debbugs-CC: team at security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for ofono.
>
> CVE-2023-2794[0]:
> | A flaw was found in ofono, an Open Source Telephony on Linux. A
> | stack overflow bug is triggered within the decode_deliver() function
> | during the SMS decoding. It is assumed that the attack scenario is
> | accessible from a compromised modem, a malicious base station, or
> | just SMS. There is a bound check for this memcpy length in
> | decode_submit(), but it was forgotten in decode_deliver().
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2255387
> https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
> https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
> https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
> https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e2688880b065a39c9
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-2794
>     https://www.cve.org/CVERecord?id=CVE-2023-2794
>
> Please adjust the affected versions in the BTS as needed.

Are any of you guys planning to fix ofono in Debian unstable anytime
soon? Ofono is a direct dependency of the Lomiri Operating Environment
and currently two RC bugs in ofono are putting Lomiri in danger of being
removed from testing.

If no one plans to fix Ofono in Debian within the next 1-2 weeks, I'd
like to do a team upload. In that case, could any of you give me
access to
https://salsa.debian.org/telepathy-team (or just the ofono repo in there)?

Thanks+Greets,
Mike
-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver at debian.org, http://sunweavers.net
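
The bug class named in the quoted CVE text (a memcpy whose length comes from the SMS PDU without a bound check against the destination buffer), as an added example that is not part of the original message and is not ofono's code. The struct, the function names, the 140-octet buffer size and the PDU layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMS_UD_MAX 140  /* assumed capacity of the user-data buffer */

/* Hypothetical, simplified message struct; not ofono's own definition. */
struct sms_msg {
    uint8_t udl;              /* user-data length as claimed by the PDU */
    uint8_t ud[SMS_UD_MAX];   /* fixed-size destination buffer */
};

/* Octets needed for `udl` units: septets when 7-bit packed, else octets. */
static size_t ud_octets(uint8_t udl, int seven_bit)
{
    return seven_bit ? ((size_t)udl * 7 + 7) / 8 : (size_t)udl;
}

/* Decode the tail of a constructed PDU laid out as [UDL][user data...].
 * Returns 0 on success, -1 if the PDU is rejected.
 */
int decode_user_data(const uint8_t *pdu, size_t len, int seven_bit,
                     struct sms_msg *out)
{
    size_t expected;

    if (len < 1)
        return -1;

    out->udl = pdu[0];
    expected = ud_octets(out->udl, seven_bit);

    /* Check 1: the claimed length must not exceed what was received. */
    if (expected > len - 1)
        return -1;

    /* Check 2: the claimed length must fit the destination buffer.
     * Without it, the memcpy below writes past out->ud. */
    if (expected > sizeof(out->ud))
        return -1;

    memcpy(out->ud, pdu + 1, expected);
    return 0;
}
```

Check 1 alone is not enough: a PDU that really carries 200 octets passes it and is stopped only by check 2.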
