Bug#1036625: unblock: sofia-sip/1.12.11+20110422.1+1e14eea~dfsg-5
Evangelos Ribeiro Tzaras
devrtz-debian at fortysixandtwo.eu
Tue May 23 12:53:28 BST 2023
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sofia-sip at packages.debian.org, team at security.debian.org
Control: affects -1 + src:sofia-sip
Please unblock package sofia-sip

The latest version fixes bug#1031729 sofia-sip
informing of a denial of service CVE.
The fix for this CVE has been backported from the upstream sources.

You can find the debdiff between
1.12.11+20110422.1+1e14eea~dfsg-4 (currently in testing) and
1.12.11+20110422.1+1e14eea~dfsg-5
attached to this unblock request.

I have taken the liberty of uploading the package already
in anticipation that this request be granted on account that it fixes
a denial of service vulnerability.

unblock sofia-sip/1.12.11+20110422.1+1e14eea~dfsg-5

Cheers,
Evangelos
-------------- next part --------------
diff -Nru sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/changelog sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/changelog
--- sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/changelog 2023-02-08 09:46:57.000000000 +0100
+++ sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/changelog 2023-05-23 05:53:48.000000000 +0200
@@ -1,3 +1,13 @@
+sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-5) unstable; urgency=medium
+
+ * Add patch to fix reported CVE; add copyright of patch.
+ For further information see:
+ - CVE-2022-47516[0]
+ [0] https://security-tracker.debian.org/tracker/CVE-2022-47516
+ https://www.cve.org/CVERecord?id=CVE-2022-47516 (closes: bug#1031792)
+
+ -- Evangelos Ribeiro Tzaras <devrtz-debian at fortysixandtwo.eu> Tue, 23 May 2023 05:53:48 +0200
+
sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-4) unstable; urgency=high (fixes a CVE)
* Rename patches to indicate they have been picked from upstream
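Review bot: the bug reference at the end of the new -5 entry reads "closes: bug#1031792", while the unblock request above says the upload fixes bug#1031729, so one of the two has transposed digits. If the changelog is the wrong one, the upload closes an unrelated bug and leaves the CVE bug open, so check the number against the BTS and correct whichever is off. The entry also says only "Add patch to fix reported CVE"; naming 0005-cve-dos-wrong-assert.patch and stating the effect (removal of a remotely reachable assert in tport_tsend) would let a release-team reader match the changelog to the debdiff without opening the patch.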
diff -Nru sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/copyright sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/copyright
--- sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/copyright 2023-02-08 09:46:57.000000000 +0100
+++ sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/copyright 2023-05-23 05:53:48.000000000 +0200
@@ -250,6 +250,7 @@
Copyright:
2022 Andrey Volk <andywolk at gmail.com>
2022 Qiuhao Li <Qiuhao.Li at outlook.com>
+ 2022 Dave Horton <daveh at beachdognet.com>
License-Grant:
This library is free software;
you can redistribute it and/or modify it
diff -Nru sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/0005-cve-dos-wrong-assert.patch sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/0005-cve-dos-wrong-assert.patch
--- sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/0005-cve-dos-wrong-assert.patch 1970-01-01 01:00:00.000000000 +0100
+++ sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/0005-cve-dos-wrong-assert.patch 2023-05-23 05:53:48.000000000 +0200
@@ -0,0 +1,22 @@
+From: Dave Horton <daveh at beachdognet.com>
+Date: Mon, 28 Nov 2022 14:44:30 -0500
+Subject: remove assert that can reasonably be expected to happen
+
+(cherry picked from commit cadf505d88e2971d24b6a4379ddbb1398d8ec443)
+---
+ libsofia-sip-ua/tport/tport.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/libsofia-sip-ua/tport/tport.c b/libsofia-sip-ua/tport/tport.c
+index c3bc2b6..18dfd47 100644
+--- a/libsofia-sip-ua/tport/tport.c
++++ b/libsofia-sip-ua/tport/tport.c
+@@ -3309,8 +3309,6 @@ tport_t *tport_tsend(tport_t *self,
+ tp_name_t tpn[1];
+ struct sigcomp_compartment *cc;
+
+- assert(self);
+-
+ if (!self || !msg || !_tpn) {
+ msg_set_errno(msg, EINVAL);
+ return NULL;
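Review bot: in the tport_tsend hunk, once assert(self) is removed the only guard left is "if (!self || !msg || !_tpn)", and that branch calls msg_set_errno(msg, EINVAL) even when the condition was true because msg itself is NULL. Whether msg_set_errno tolerates a NULL msg is not visible in this context, so it is worth confirming before relying on this path as the graceful failure for the denial of service. The assert only aborted in builds compiled without NDEBUG, which is worth stating in the patch description so readers know which builds were exposed. The patch header carries only the cherry-pick commit id; adding the CVE-2022-47516 reference and the Debian bug number there (DEP-3 style Origin and Bug-Debian fields) would tie the patch file to the advisory on its own.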
diff -Nru sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/series sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/series
--- sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/series 2023-02-08 09:46:57.000000000 +0100
+++ sofia-sip-1.12.11+20110422.1+1e14eea~dfsg/debian/patches/series 2023-05-23 05:53:48.000000000 +0200
@@ -4,3 +4,4 @@
0002-cve-fix-oob-read-url_canonize.patch
0003-cve-fix-heap-overflow-by-two.patch
0004-cve-check-stun-message-and-attr-len.patch
+0005-cve-dos-wrong-assert.patch