Debian Bug report logs - #479039
CVE-2008-2085, CVE-2008-1959 multiple stack-based buffer overflows


Package: sip-tester; Maintainer for sip-tester is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for sip-tester is src:sip-tester (PTS, buildd, popcon).

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 2 May 2008 12:36:05 UTC

Severity: grave

Tags: patch, security

Fixed in version sip-tester/2.0.1-1.2

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to ARAKI Yasuhiro <ar@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-1959: Potential security problems
Date: Fri, 02 May 2008 21:19:56 +1000
Package: sip-tester
Severity: important
Tags: Security

Hi

The following CVE(0) has been issued against sip-tester.

Please check, if it applies to the debian version.

CVE-2008-1959:
Stack-based buffer overflow in the get_remote_video_port_media function
in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of
service and possibly execute arbitrary code via a crafted SIP message.
NOTE: some of these details are obtained from third party information.

Cheers
Steffen

(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1959




Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>. (full text, mbox, link).


Message #10 received at 479039@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 479039@bugs.debian.org
Cc: control@bugs.debian.org, coley@mitre.org
Subject: Re: Bug#479039: CVE-2008-1959: Potential security problems
Date: Fri, 2 May 2008 15:35:25 +0200
[Message part 1 (text/plain, inline)]
severity 479039 grave
thanks

Hi Steffen,
* Steffen Joeris <steffen.joeris@skolelinux.de> [2008-05-02 14:46]:
[...] 
> The following CVE(0) has been issued against sip-tester.
> 
> Please check, if it applies to the debian version.

It applies to the debian version:
    482 uint16_t get_remote_video_port_media(char *msg)
    483 {
    484     char pattern[] = "m=video ";
    485     char *begin, *end;
    486     char number[5];
    487     begin = strstr(msg, pattern);
    488     if (!begin) {
    489       /* m=video not found */
    490       return 0;
    491     }
    492     begin += sizeof("m=video ") - 1;
    493     end = strstr(begin, "\r\n");
    494     if (!end)
    495       ERROR("get_remote_video_port_media: no CRLF found");
    496     memset(number, 0, 5);
    497     strncpy(number, begin, end - begin);
    498     return atoi(number);
    499 }

Looking at the code it is possible to cause a buffer overflow of number
by specifying a number to m=video that is larger than sizeof(number) bytes
because then end - begin will be > sizeof(number) and thus the strncpy call
in line 497 will overflow the number buffer. Or in other words, strncpy is
useless if used like this.

Adjusting severity.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Severity set to `grave' from `important' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 02 May 2008 13:42:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>. (full text, mbox, link).


Message #17 received at 479039@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 479039@bugs.debian.org
Subject: Re: Bug#479039: CVE-2008-1959: Potential security problems
Date: Fri, 2 May 2008 15:45:51 +0200
[Message part 1 (text/plain, inline)]
Hi Steffen,
* Steffen Joeris <steffen.joeris@skolelinux.de> [2008-05-02 14:46]:
> Package: sip-tester
> Severity: important
> Tags: Security
> 
> Hi
> 
> The following CVE(0) has been issued against sip-tester.
> 
> Please check, if it applies to the debian version.
> 
> CVE-2008-1959:
> Stack-based buffer overflow in the get_remote_video_port_media function
> in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of
> service and possibly execute arbitrary code via a crafted SIP message.
> NOTE: some of these details are obtained from third party information.

BTW: the same issue affects get_remote_ip_media() and 
get_remote_ipv6_media(), both unfixed in latest upstream 
release (3.1) and the version in Debian:

    122 uint32_t get_remote_ip_media(char *msg)
    123 {
    124     char pattern[] = "c=IN IP4 ";
    125     char *begin, *end;
    126     char ip[32];
    127     begin = strstr(msg, pattern);
    128     if (!begin) {
    129       /* Can't find what we're looking at -> return no address */
    130       return INADDR_NONE;
    131     }
    132     begin += sizeof("c=IN IP4 ") - 1;
    133     end = strstr(begin, "\r\n");
    134     if (!end)
    135       return INADDR_NONE;
    136     memset(ip, 0, 32);
    137     strncpy(ip, begin, end - begin);
    138     return inet_addr(ip);
    139 }

    145 uint8_t get_remote_ipv6_media(char *msg, struct in6_addr addr)
    146 {
    147     char pattern[] = "c=IN IP6 ";
    148     char *begin, *end;
    149     char ip[128];
    150
    151     memset(&addr, 0, sizeof(addr));
    152     memset(ip, 0, 128);
    153
    154     begin = strstr(msg, pattern);
    155     if (!begin) {
    156       /* Can't find what we're looking at -> return no address */
    157       return 0;
    158     }
    159     begin += sizeof("c=IN IP6 ") - 1;
    160     end = strstr(begin, "\r\n");
    161     if (!end)
    162       return 0;
    163     strncpy(ip, begin, end - begin);


Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
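Added example, not code from SIPp, the Debian patch or any message in this log: bounded replacements for the SDP parsers discussed in messages #10 and #17, where the length passed to strncpy is end - begin rather than the size of the stack buffer. The helper name sdp_field_copy, the _safe suffixes and the SDP_SAMPLE input are assumptions constructed for the example.

```c
/* Added example, not SIPp's code or the Debian patch: bounded versions of
 * the SDP parsers from messages #10 and #17. The helper sdp_field_copy and
 * the _safe suffixes are assumed names; SDP_SAMPLE is constructed input. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static const char SDP_SAMPLE[] =
    "v=0\r\nc=IN IP4 192.0.2.10\r\nm=video 5004 RTP/AVP 31\r\n";

/* Copy the first token after `pattern` into out[outlen]. Returns 1 on
 * success, 0 if the field is absent, the line has no CRLF, or the token
 * does not fit. The original functions passed end - begin (taken from the
 * message) as the strncpy length; the bound here is the buffer size. */
static int sdp_field_copy(const char *msg, const char *pattern,
                          char *out, size_t outlen)
{
    const char *begin = strstr(msg, pattern);
    if (!begin)
        return 0;
    begin += strlen(pattern);
    if (!strstr(begin, "\r\n"))          /* line must be CRLF terminated */
        return 0;
    size_t len = strcspn(begin, " \r");  /* token ends at space or CR */
    if (len == 0 || len >= outlen)       /* keep room for the NUL */
        return 0;
    memcpy(out, begin, len);
    out[len] = '\0';
    return 1;
}

/* Port after "m=video ": 0 when absent, malformed or out of range. */
uint16_t get_remote_video_port_media_safe(const char *msg)
{
    char number[6];                      /* "65535" plus NUL */
    char *rest;
    if (!sdp_field_copy(msg, "m=video ", number, sizeof(number)))
        return 0;
    long port = strtol(number, &rest, 10);
    if (*rest != '\0' || port < 0 || port > 65535)
        return 0;
    return (uint16_t)port;
}

/* IPv4 address after "c=IN IP4 ": INADDR_NONE when absent or malformed. */
uint32_t get_remote_ip_media_safe(const char *msg)
{
    char ip[INET_ADDRSTRLEN];            /* "255.255.255.255" plus NUL */
    struct in_addr a;
    if (!sdp_field_copy(msg, "c=IN IP4 ", ip, sizeof(ip)))
        return INADDR_NONE;
    if (inet_pton(AF_INET, ip, &a) != 1) /* strict, unlike inet_addr */
        return INADDR_NONE;
    return a.s_addr;                     /* network byte order */
}
```

An over-long value in either field is rejected before any copy, so the only input that reaches the stack buffer is one that fits it.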

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to ARAKI Yasuhiro <ar@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #22 received at 479039@bugs.debian.org (full text, mbox, reply):

From: ARAKI Yasuhiro <ar@debian.org>
To: Nico Golde <nion@debian.org>, 479039@bugs.debian.org
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>
Subject: Re: Bug#479039: CVE-2008-1959: Potential security problems
Date: Sat, 03 May 2008 08:48:20 +0900
Hi Steffen and Nico

Thank you for the rapid mail.
Just now I have checked related process codes in sipp svn trunk.
Actually, (roughly counted), I found 6 wrong process lines.

I promise I will check and contact sipp author team.

ARAKI (ar@debian.org)

> Hi Steffen,
> * Steffen Joeris <steffen.joeris@skolelinux.de> [2008-05-02 14:46]:
>> Package: sip-tester
>> Severity: important
>> Tags: Security
>>
>> Hi
>>
>> The following CVE(0) has been issued against sip-tester.
>>
>> Please check, if it applies to the debian version.
>>
>> CVE-2008-1959:
>> Stack-based buffer overflow in the get_remote_video_port_media function
>> in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of
>> service and possibly execute arbitrary code via a crafted SIP message.
>> NOTE: some of these details are obtained from third party information.
> 
> BTW: the same issue affects get_remote_ip_media() and 
> get_remote_ipv6_media(), both unfixed in latest upstream 
> release (3.1) and the version in Debian:
> 
>     122 uint32_t get_remote_ip_media(char *msg)
>     123 {
>     124     char pattern[] = "c=IN IP4 ";
>     125     char *begin, *end;
>     126     char ip[32];
>     127     begin = strstr(msg, pattern);
>     128     if (!begin) {
>     129       /* Can't find what we're looking at -> return no address */
>     130       return INADDR_NONE;
>     131     }
>     132     begin += sizeof("c=IN IP4 ") - 1;
>     133     end = strstr(begin, "\r\n");
>     134     if (!end)
>     135       return INADDR_NONE;
>     136     memset(ip, 0, 32);
>     137     strncpy(ip, begin, end - begin);
>     138     return inet_addr(ip);
>     139 }
> 
>     145 uint8_t get_remote_ipv6_media(char *msg, struct in6_addr addr)
>     146 {
>     147     char pattern[] = "c=IN IP6 ";
>     148     char *begin, *end;
>     149     char ip[128];
>     150
>     151     memset(&addr, 0, sizeof(addr));
>     152     memset(ip, 0, 128);
>     153
>     154     begin = strstr(msg, pattern);
>     155     if (!begin) {
>     156       /* Can't find what we're looking at -> return no address */
>     157       return 0;
>     158     }
>     159     begin += sizeof("c=IN IP6 ") - 1;
>     160     end = strstr(begin, "\r\n");
>     161     if (!end)
>     162       return 0;
>     163     strncpy(ip, begin, end - begin);
> 
> 
> Kind regards
> Nico


-- 
ARAKI Yasuhiro

ar@debian.org
yasu@debian.or.jp

  deb http://cdn.debian.net/debian/ sid main
  deb-src http://cdn.debian.net/debian/ sid main




Changed Bug title to `sip-tester: CVE-2008-1959 multiple stack-based buffer overflows' from `CVE-2008-1959: Potential security problems'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 03 May 2008 13:12:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>. (full text, mbox, link).


Message #29 received at 479039@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 479039@bugs.debian.org
Subject: Re: Bug#479039: CVE-2008-1959: Potential security problems
Date: Sun, 4 May 2008 14:07:42 +0200
[Message part 1 (text/plain, inline)]
tags 479039 + patch
thanks

Hi,
attached is a patch to fix the above issues.
It's also archived on:
http://people.debian.org/~nion/nmu-diff/sip-tester-2.0.1-1.1_2.0.1-1.2.patch

Kind regards
Nico
P.S. You should maybe update your record in the MIA 
database, you are MIA referring to the database.

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[sip-tester-2.0.1-1.1_2.0.1-1.2.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 04 May 2008 12:09:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to "Steven M. Christey" <coley@linus.mitre.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>. (full text, mbox, link).


Message #36 received at 479039@bugs.debian.org (full text, mbox, reply):

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Nico Golde <nion@debian.org>
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, 479039@bugs.debian.org
Subject: Re: Bug#479039: CVE-2008-1959: Potential security problems
Date: Mon, 5 May 2008 12:46:42 -0400 (EDT)
On Fri, 2 May 2008, Nico Golde wrote:

> BTW: the same issue affects get_remote_ip_media() and
> get_remote_ipv6_media(), both unfixed in latest upstream
> release (3.1) and the version in Debian

This sounds like a different issue than CVE-2008-1959, which was already
addressed upstream apparently.

So, use CVE-2008-2085 for these new issues.

- Steve




Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>. (full text, mbox, link).


Message #41 received at 479039@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 479039@bugs.debian.org
Cc: control@bugs.debian.org
Subject: another CVE id
Date: Mon, 5 May 2008 18:59:01 +0200
[Message part 1 (text/plain, inline)]
retitle 479039 CVE-2008-2085, CVE-2008-1959 multiple stack-based buffer overflows
thanks

Hi,
mitre assigned an additional CVE id to the 2 issues I pointed 
out. Please also mention this one in the changelog.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `CVE-2008-2085, CVE-2008-1959 multiple stack-based buffer overflows' from `sip-tester: CVE-2008-1959 multiple stack-based buffer overflows'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 05 May 2008 17:00:14 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>. (full text, mbox, link).


Message #48 received at 479039@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nico@ngolde.de>
To: 479039@bugs.debian.org
Subject: updated patch
Date: Tue, 6 May 2008 19:37:58 +0200
[Message part 1 (text/plain, inline)]
Hi,
I updated the patch to add the second CVE id. Going to 
upload my NMU now.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[sip-tester-2.0.1-1.1_2.0.1-1.2.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #53 received at 479039-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 479039-close@bugs.debian.org
Subject: Bug#479039: fixed in sip-tester 2.0.1-1.2
Date: Tue, 06 May 2008 18:02:06 +0000
Source: sip-tester
Source-Version: 2.0.1-1.2

We believe that the bug you reported is fixed in the latest version of
sip-tester, which is due to be installed in the Debian FTP archive:

sip-tester_2.0.1-1.2.diff.gz
  to pool/main/s/sip-tester/sip-tester_2.0.1-1.2.diff.gz
sip-tester_2.0.1-1.2.dsc
  to pool/main/s/sip-tester/sip-tester_2.0.1-1.2.dsc
sip-tester_2.0.1-1.2_amd64.deb
  to pool/main/s/sip-tester/sip-tester_2.0.1-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 479039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated sip-tester package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 04 May 2008 13:58:41 +0200
Source: sip-tester
Binary: sip-tester
Architecture: source amd64
Version: 2.0.1-1.2
Distribution: unstable
Urgency: high
Maintainer: ARAKI Yasuhiro <ar@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 sip-tester - a performance testing tool for the SIP protocol
Closes: 479039
Changes: 
 sip-tester (2.0.1-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2008-1959: Fix stack-based buffer overflow in the
     get_remote_video_port_media function
   * CVE-2008-2085: Fix stack-based buffer overflow in the
     get_remote_ip_media and get_remote_ipv6_media
     functions which lead to arbitrary code execution (Closes: #479039).






Information forwarded to debian-bugs-dist@lists.debian.org, ARAKI Yasuhiro <ar@debian.org>:
Bug#479039; Package sip-tester. (full text, mbox, link).


Acknowledgement sent to "Yasuhiro Araki" <ar@debian.org>:
Extra info received and forwarded to list. Copy sent to ARAKI Yasuhiro <ar@debian.org>. (full text, mbox, link).


Message #58 received at 479039@bugs.debian.org (full text, mbox, reply):

From: "Yasuhiro Araki" <ar@debian.org>
To: "Nico Golde" <nico@ngolde.de>, 479039@bugs.debian.org
Subject: Re: Bug#479039: updated patch
Date: Tue, 6 May 2008 15:13:54 -0400
Thanks Nico.

On Tue, May 6, 2008 at 1:37 PM, Nico Golde <nico@ngolde.de> wrote:
> Hi,
>  I updated the patch to add the second CVE id. Going to
>  upload my NMU now.
>
>  Cheers
>  Nico
>
>  --
>  Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
>  For security reasons, all text in this mail is double-rot13 encrypted.
>



-- 
ARAKI Yasuhiro




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:43:08 GMT) (full text, mbox, link).

