[Pkg-telepathy-maintainers] Bug#1078555: ofono: CVE-2024-7537 CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 15 09:35:24 GMT 2025
H Mike,
On Mon, Mar 10, 2025 at 03:38:56PM +0000, Mike Gabriel wrote:
> Hi Moritz,
>
> On Mi 05 Mär 2025 22:55:49 CET, Moritz Mühlenhoff wrote:
>
> > On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
> > > Control: clone -1 -2
> > > Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540
> > > CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544
> > > CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
> > > Control: retitle -2 ofono: CVE-2024-7537
> > > >
> > > > CVE-2024-7538[1]:
> > > > | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
> > > > | Vulnerability. This vulnerability allows local attackers to execute
> > > > | arbitrary code on affected installations of oFono. An attacker must
> > > > | first obtain the ability to execute code on the target modem in
> > > > | order to exploit this vulnerability. The specific flaw exists
> > > > | within the parsing of responses from AT Commands. The issue results
> > > > | from the lack of proper validation of the length of user-supplied
> > > > | data prior to copying it to a stack-based buffer. An attacker can
> > > > | leverage this vulnerability to execute code in the context of root.
> > > > | Was ZDI-CAN-23190.
> > >
> > > We think that CVE-2024-7538 has been fixed alongside the fix of
> > > CVE-2024-7539.
> > >
> > > See: https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
> > > (uploaded to Debian with ofono 2.14-1).
> > >
> > > With this in mind, I'd like to see #1078555 closed after the factoring out.
> > >
> > > @Debian sec team:
> > > * Please provide feedback on the above.
> > > * Please close #1078555 if you agree with my above reasonings.
> > > * Please downgrade severity of the new #-2 bug if you agree
> > > or follow-up on this mail.
> >
> > The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but
> > could you doublecheck with upstream just to be sure?
>
> It is confirmed. CVE-2024-7538 is a duplicate of CVE-2024-7539 (which has
> been resolved in ofono in Debian already).
>
> CVE-2024-7538:
> https://www.zerodayinitiative.com/advisories/ZDI-24-1078/
> Alternate ID: ZDI-CAN-23190
> Details: https://lore.kernel.org/ofono/BYAPR01MB3830CC0A4CA324706691F19380D62@BYAPR01MB3830.prod.exchangelabs.com/
>
> CVE-2024-7539:
> https://www.zerodayinitiative.com/advisories/ZDI-24-1079/
> Alternate ID: ZDI-CAN-23195
> Details: https://lore.kernel.org/ofono/DM5PR0102MB3477EF696990E9AF78891586805F2@DM5PR0102MB3477.prod.exchangelabs.com/
>
>
> So, #1078555 can be closed, imho.
>
> Furthermore, can you please downgrade #1099190 to important as discussed
> earlier? We have now also received the technical details for CVE-2024-7537,
> see here:
> https://lore.kernel.org/ofono/BYAPR01MB3830B08E8DB1D76A9A85B07680D62@BYAPR01MB3830.prod.exchangelabs.com/T/#u
Thank you, I have updated the security tracker and BTS metadata (and
the severity of #1099190).
Regards,
Salvatore
More information about the Pkg-telepathy-maintainers
mailing list