Headline
Debian Security Advisory 5431-1
Debian Linux Security Advisory 5431-1 - Xu Biang discovered that missing input sanitizing in Sofia-SIP, a SIP User-Agent library could result in denial of service.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5431-1 [email protected]://www.debian.org/security/ Moritz MuehlenhoffJune 16, 2023 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : sofia-sipCVE ID : CVE-2023-32307Debian Bug : 1036847Xu Biang discovered that missing input sanitising in Sofia-SIP, a SIPUser-Agent library could result in denial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 1.12.11+20110422.1-2.1+deb11u2.We recommend that you upgrade your sofia-sip packages.For the detailed security status of sofia-sip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sofia-sipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSMdDMACgkQEMKTtsN8TjYfkxAArFibANmIokupgYg4AFcFpZqsBQdg+eV2TeX3BRkTaj5UCimLyBZKPhmih/k27gp/F1Pn5GOVAltrNWUp83EENWDHcTlR6inmv2/IDFJZVbR8XIJhz+7FUfC2aGh8bfgDGYM0C+/2BQzK4TmPPNRjnxRsbrBB+upNEJ6PlqDlktHeT3ks0VbQbGuZgUoJMMrSQoztYfFbJJNr5hAOQUxkxz8avoVC66YXGtntj+PvXiPIZQiIOrjylF2aLdFvtbldjZXCeUn/7Iu+w8ekMM4skFmZ91JZ2AvMa1Mxmzp8MZ1KIpLnpLm34k7UZS9om0nBj5SschYywGmohPjyfAJUwtMhZmPp3h67UxdY3SrMYDnmrioX3+GJL6yPopkgbW4eVUNkgxX2AkfEMblwYgB/ysiwmxSmkqRiG4FetseZZJ8h85Wn9q/TZrf8yANBQbjmjXrjwv50fVuSApTV7lHsZWf79zOG8DZJikQ8/npdcDRFngZsH5NqD01G3JSrYEUnI+oH+/XfdY7YFsmgpOifKp+19aYvbiv1SFLs6jOBTWhwJn7Gd9kiW6IzTzu4ze2CmfzbOn9v4LdqMUodCO4/F77ahxHBblfKqNpy2bFWg/gyTtkY/MgG3PGB6pQmvTzADqtjNFErvP4wUpfqXHoa4x/sIcRND75hOH03UJ3gLf4=EZ/C-----END PGP SIGNATURE-----Related news
Gentoo Linux Security Advisory 202407-10 - Multiple vulnerabilities have been discovered in Sofia-SIP, the worst of which can lead to remote code execution. Versions prior to 1.13.16 are affected.
Ubuntu Security Notice 6448-1 - Xu Biang discovered that Sofia-SIP did not properly manage memory when handling STUN packets. An attacker could use this issue to cause Sofia-SIP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. Referring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap-over-flow and integer-overflow in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because the lack of attributes length check when Sofia-SIP handles STUN packets. The previous patch of [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54) fixed the vulnerability when attr_type did not match the enum value, but there are also vulnerabilities in the handling of other valid cases. The OOB read and integer-overflow made by attacker may lead to crash, high consumption of memory or even other more serious consequences. These issue have been addressed in version 1.13.15. Users are advised to upgrade.