[Pkg-telepathy-maintainers] Bug#1078555: ofono: CVE-2024-7537 CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547

Mike Gabriel sunweaver at debian.org
Mon Mar 10 15:38:56 GMT 2025


Hi Moritz,

On Wed 05 Mar 2025 22:55:49 CET, Moritz Mühlenhoff wrote:

> On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
>> Control: clone -1 -2
>> Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540  
>> CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544  
>> CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
>> Control: retitle -2 ofono: CVE-2024-7537
>> >
>> > CVE-2024-7538[1]:
>> > | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
>> > | Vulnerability. This vulnerability allows local attackers to execute
>> > | arbitrary code on affected installations of oFono. An attacker must
>> > | first obtain the ability to execute code on the target modem in
>> > | order to exploit this vulnerability.  The specific flaw exists
>> > | within the parsing of responses from AT Commands. The issue results
>> > | from the lack of proper validation of the length of user-supplied
>> > | data prior to copying it to a stack-based buffer. An attacker can
>> > | leverage this vulnerability to execute code in the context of root.
>> > | Was ZDI-CAN-23190.
>>
>> We think that CVE-2024-7538 has been fixed alongside the fix of  
>> CVE-2024-7539.
>>
>> See:  
>> https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
>> (uploaded to Debian with ofono 2.14-1).
>>
>> With this in mind, I'd like to see #1078555 closed after the factoring out.
>>
>> @Debian sec team:
>>   * Please provide feedback on the above.
>>   * Please close #1078555 if you agree with my above reasoning.
>>   * Please downgrade severity of the new #-2 bug if you agree
>>     or follow-up on this mail.
>
> The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but
> could you double-check with upstream just to be sure?

It is confirmed. CVE-2024-7538 is a duplicate of CVE-2024-7539 (which  
has been resolved in ofono in Debian already).

CVE-2024-7538:
https://www.zerodayinitiative.com/advisories/ZDI-24-1078/
Alternate ID: ZDI-CAN-23190
Details:  
https://lore.kernel.org/ofono/BYAPR01MB3830CC0A4CA324706691F19380D62@BYAPR01MB3830.prod.exchangelabs.com/

CVE-2024-7539:
https://www.zerodayinitiative.com/advisories/ZDI-24-1079/
Alternate ID: ZDI-CAN-23195
Details:  
https://lore.kernel.org/ofono/DM5PR0102MB3477EF696990E9AF78891586805F2@DM5PR0102MB3477.prod.exchangelabs.com/


So, #1078555 can be closed, imho.

Furthermore, can you please downgrade #1099190 to important as  
discussed earlier? We have now also received the technical details for  
CVE-2024-7537, see here:
https://lore.kernel.org/ofono/BYAPR01MB3830B08E8DB1D76A9A85B07680D62@BYAPR01MB3830.prod.exchangelabs.com/T/#u

Thanks!
Mike

-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver at debian.org, http://sunweavers.net
