Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to ARAKI Yasuhiro <ar@debian.org>.
Package: sip-tester
Severity: important
Tags: Security
Hi
The following CVE(0) has been issued against sip-tester.
Please check if it applies to the Debian version.
CVE-2008-1959:
Stack-based buffer overflow in the get_remote_video_port_media function
in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of
service and possibly execute arbitrary code via a crafted SIP message.
NOTE: some of these details are obtained from third party information.
Cheers
Steffen
(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1959
Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>: Bug#479039; Package sip-tester.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>.
severity 479039 grave
thanks
Hi Steffen,
* Steffen Joeris <steffen.joeris@skolelinux.de> [2008-05-02 14:46]:
[...]
> The following CVE(0) has been issued against sip-tester.
>
> Please check if it applies to the Debian version.
It applies to the Debian version:
482 uint16_t get_remote_video_port_media(char *msg)
483 {
484     char pattern[] = "m=video ";
485     char *begin, *end;
486     char number[5];
487     begin = strstr(msg, pattern);
488     if (!begin) {
489         /* m=video not found */
490         return 0;
491     }
492     begin += sizeof("m=video ") - 1;
493     end = strstr(begin, "\r\n");
494     if (!end)
495         ERROR("get_remote_video_port_media: no CRLF found");
496     memset(number, 0, 5);
497     strncpy(number, begin, end - begin);
498     return atoi(number);
499 }
Looking at the code, it is possible to cause a buffer overflow of number
by specifying a number for m=video that is larger than sizeof(number) bytes,
because then end - begin will be > sizeof(number) and thus the strncpy call
in line 497 will overflow the number buffer. Or in other words, strncpy is
useless if used like this.
Adjusting severity.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Severity set to `grave' from `important'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Fri, 02 May 2008 13:42:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>: Bug#479039; Package sip-tester.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>.
Hi Steffen,
* Steffen Joeris <steffen.joeris@skolelinux.de> [2008-05-02 14:46]:
> Package: sip-tester
> Severity: important
> Tags: Security
>
> Hi
>
> The following CVE(0) has been issued against sip-tester.
>
> Please check if it applies to the Debian version.
>
> CVE-2008-1959:
> Stack-based buffer overflow in the get_remote_video_port_media function
> in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of
> service and possibly execute arbitrary code via a crafted SIP message.
> NOTE: some of these details are obtained from third party information.
BTW: the same issue affects get_remote_ip_media() and
get_remote_ipv6_media(), both unfixed in latest upstream
release (3.1) and the version in Debian:
uint32_t get_remote_ip_media(char *msg)
{
    char pattern[] = "c=IN IP4 ";
    char *begin, *end;
    char ip[32];
    begin = strstr(msg, pattern);
    if (!begin) {
        /* Can't find what we're looking at -> return no address */
        return INADDR_NONE;
    }
    begin += sizeof("c=IN IP4 ") - 1;
    end = strstr(begin, "\r\n");
    if (!end)
        return INADDR_NONE;
    memset(ip, 0, 32);
    strncpy(ip, begin, end - begin);
    return inet_addr(ip);
}

uint8_t get_remote_ipv6_media(char *msg, struct in6_addr addr)
{
    char pattern[] = "c=IN IP6 ";
    char *begin, *end;
    char ip[128];

    memset(&addr, 0, sizeof(addr));
    memset(ip, 0, 128);

    begin = strstr(msg, pattern);
    if (!begin) {
        /* Can't find what we're looking at -> return no address */
        return 0;
    }
    begin += sizeof("c=IN IP6 ") - 1;
    end = strstr(begin, "\r\n");
    if (!end)
        return 0;
    strncpy(ip, begin, end - begin);
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
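The bounded copy that all three quoted functions lack, as an added C example that is neither SIPp's code nor the Debian patch: the field length is checked against the destination buffer before anything is copied, and an oversized value is rejected instead of truncated. It is shown for the m=video port; the same helper, called with the 32- and 128-byte buffers, bounds the c=IN IP4 / IP6 copies in the same way. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the SDP value after `pattern` (up to the next space or CRLF) into
 * `out`, refusing anything longer than out_len - 1 bytes.  Returns the value
 * length, or -1 if pattern/CRLF is missing or the value is too long.  This
 * bound is what strncpy(number, begin, end - begin) lacks upstream: there
 * the copy length comes from the message, not from the buffer size. */
static int sdp_value(const char *msg, const char *pattern,
                     char *out, size_t out_len)
{
    const char *begin = strstr(msg, pattern);
    if (!begin)
        return -1;
    begin += strlen(pattern);
    const char *end = strstr(begin, "\r\n");
    if (!end)
        return -1;
    size_t len = (size_t)(end - begin);
    const char *sp = memchr(begin, ' ', len); /* "m=video 4000 RTP/AVP 0" */
    if (sp)
        len = (size_t)(sp - begin);
    if (len >= out_len)
        return -1;              /* would overflow: reject, never truncate */
    memcpy(out, begin, len);
    out[len] = '\0';
    return (int)len;
}

/* Bounded counterpart of get_remote_video_port_media(): 0 on any failure.
 * Six bytes, not five: a five-digit port needs room for its NUL. */
uint16_t safe_remote_video_port(const char *msg)
{
    char number[6];
    if (sdp_value(msg, "m=video ", number, sizeof number) < 0)
        return 0;
    long port = strtol(number, NULL, 10);
    return (port >= 0 && port <= 65535) ? (uint16_t)port : 0;
}

int main(void)
{   /* constructed SDP fragments: a sane one and an oversized port field */
    const char *ok = "v=0\r\nm=video 4000 RTP/AVP 0\r\n";
    const char *bad = "v=0\r\nm=video 1234567890123456 RTP/AVP 0\r\n";
    printf("%u %u\n", safe_remote_video_port(ok), safe_remote_video_port(bad));
    return 0;
}
```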
Hi Steffen and Nico
Thank you for the rapid mail.
I have just checked the related processing code in the sipp svn trunk.
Actually (roughly counted), I found 6 wrong processing lines.
I promise I will check and contact the sipp author team.
ARAKI (ar@debian.org)
--
ARAKI Yasuhiro
ar@debian.org
yasu@debian.or.jp
deb http://cdn.debian.net/debian/ sid main
deb-src http://cdn.debian.net/debian/ sid main
Changed Bug title to `sip-tester: CVE-2008-1959 multiple stack-based buffer overflows' from `CVE-2008-1959: Potential security problems'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 03 May 2008 13:12:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>: Bug#479039; Package sip-tester.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>.
tags 479039 + patch
thanks
Hi,
attached is a patch to fix the above issues.
It's also archived on:
http://people.debian.org/~nion/nmu-diff/sip-tester-2.0.1-1.1_2.0.1-1.2.patch
Kind regards
Nico
P.S. You should maybe update your record in the MIA
database; you are MIA according to the database.
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sun, 04 May 2008 12:09:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>: Bug#479039; Package sip-tester.
Acknowledgement sent to "Steven M. Christey" <coley@linus.mitre.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>.
On Fri, 2 May 2008, Nico Golde wrote:
> BTW: the same issue affects get_remote_ip_media() and
> get_remote_ipv6_media(), both unfixed in latest upstream
> release (3.1) and the version in Debian
This sounds like a different issue than CVE-2008-1959, which was already
addressed upstream apparently.
So, use CVE-2008-2085 for these new issues.
- Steve
Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>: Bug#479039; Package sip-tester.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>.
retitle 479039 CVE-2008-2085, CVE-2008-1959 multiple stack-based buffer overflows
thanks
Hi,
MITRE assigned an additional CVE id to the 2 issues I pointed
out. Please also mention this one in the changelog.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Changed Bug title to `CVE-2008-2085, CVE-2008-1959 multiple stack-based buffer overflows' from `sip-tester: CVE-2008-1959 multiple stack-based buffer overflows'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 05 May 2008 17:00:14 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>: Bug#479039; Package sip-tester.
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>.
Hi,
I updated the patch to add the second CVE id. Going to
upload my NMU now.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Subject: Bug#479039: fixed in sip-tester 2.0.1-1.2
Date: Tue, 06 May 2008 18:02:06 +0000
Source: sip-tester
Source-Version: 2.0.1-1.2
We believe that the bug you reported is fixed in the latest version of
sip-tester, which is due to be installed in the Debian FTP archive:
sip-tester_2.0.1-1.2.diff.gz
to pool/main/s/sip-tester/sip-tester_2.0.1-1.2.diff.gz
sip-tester_2.0.1-1.2.dsc
to pool/main/s/sip-tester/sip-tester_2.0.1-1.2.dsc
sip-tester_2.0.1-1.2_amd64.deb
to pool/main/s/sip-tester/sip-tester_2.0.1-1.2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 479039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated sip-tester package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 04 May 2008 13:58:41 +0200
Source: sip-tester
Binary: sip-tester
Architecture: source amd64
Version: 2.0.1-1.2
Distribution: unstable
Urgency: high
Maintainer: ARAKI Yasuhiro <ar@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
sip-tester - a performance testing tool for the SIP protocol
Closes: 479039
Changes:
sip-tester (2.0.1-1.2) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2008-1959: Fix stack-based buffer overflow in the
get_remote_video_port_media function
* CVE-2008-2085: Fix stack-based buffer overflow in the
get_remote_ip_media and get_remote_ipv6_media
functions which lead to arbitrary code execution (Closes: #479039).
Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>: Bug#479039; Package sip-tester.
Acknowledgement sent to "Yasuhiro Araki" <ar@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>.