• Bug#1078555: ofono: CVE-2024-7537 CVE-2024-7538 CVE-2024-7539 CVE-2024-

    From Moritz Mühlenhoff@21:1/5 to Mike Gabriel on Wed Mar 5 23:00:01 2025
    On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
    > Control: clone -1 -2
    > Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
    > Control: retitle -2 ofono: CVE-2024-7537
    >
    > CVE-2024-7538[1]:
    > | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
    > | Vulnerability. This vulnerability allows local attackers to execute
    > | arbitrary code on affected installations of oFono. An attacker must
    > | first obtain the ability to execute code on the target modem in
    > | order to exploit this vulnerability. The specific flaw exists
    > | within the parsing of responses from AT Commands. The issue results
    > | from the lack of proper validation of the length of user-supplied
    > | data prior to copying it to a stack-based buffer. An attacker can
    > | leverage this vulnerability to execute code in the context of root.
    > | Was ZDI-CAN-23190.
    >
    > We think that CVE-2024-7538 has been fixed alongside the fix of CVE-2024-7539.
    >
    > See: https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
    > (uploaded to Debian with ofono 2.14-1).
    >
    > With this in mind, I'd like to see #1078555 closed after the factoring out.
    >
    > @Debian sec team:
    > * Please provide feedback on the above.
    > * Please close #1078555 if you agree with my above reasoning.
    > * Please downgrade severity of the new #-2 bug if you agree
    >   or follow up on this mail.

    The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but
    could you double-check with upstream just to be sure?

    Cheers,
    Moritz

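The ZDI text quoted above describes the bug class as a missing length check before an AT response is copied into a stack buffer. The following is an added illustration of the defensive pattern on a constructed +CUSD result line; it is not ofono's code, and the parser, the 64-byte buffer size and the sample responses are all assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define CUSD_BUF 64  /* assumed caller buffer size; not a value from ofono */

/* Copy the quoted payload of a '+CUSD: <m>,"<str>",<dcs>' result line into
 * out[outlen]. The payload length is measured and compared with the
 * destination size before memcpy, so an over-long modem response is
 * rejected instead of running past the end of a fixed-size buffer.
 * Returns true on success, false for a malformed or over-long line. */
bool cusd_extract(const char *line, char *out, size_t outlen)
{
    static const char prefix[] = "+CUSD:";
    if (line == NULL || out == NULL || outlen == 0)
        return false;
    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return false;
    const char *open = strchr(line, '"');       /* opening quote */
    if (open == NULL)
        return false;
    const char *close = strchr(open + 1, '"');  /* closing quote */
    if (close == NULL)
        return false;
    size_t len = (size_t)(close - open - 1);
    if (len >= outlen)                          /* no room for the NUL */
        return false;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return true;
}

/* Parse a constructed over-long response (200-byte payload) into a
 * CUSD_BUF-byte stack buffer; returns true if the parser rejected it. */
bool cusd_rejects_oversized(void)
{
    char payload[201], line[256], buf[CUSD_BUF];
    memset(payload, 'A', 200);
    payload[200] = '\0';
    snprintf(line, sizeof line, "+CUSD: 0,\"%s\",15", payload);
    return !cusd_extract(line, buf, sizeof buf);
}

int main(void)
{
    char buf[CUSD_BUF];
    const char *ok = "+CUSD: 0,\"Your balance is 12.34 EUR\",15"; /* constructed */
    printf("%s\n", cusd_extract(ok, buf, sizeof buf) ? buf : "rejected");
    printf("oversized rejected: %s\n", cusd_rejects_oversized() ? "yes" : "no");
    return 0;
}
```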
  • From Mike Gabriel@21:1/5 to All on Mon Mar 10 16:50:01 2025

    Hi Moritz,

    On Wed 05 Mar 2025 22:55:49 CET, Moritz Mühlenhoff wrote:

    > On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
    >> Control: clone -1 -2
    >> Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540
    >> CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544
    >> CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
    >> Control: retitle -2 ofono: CVE-2024-7537
    >>
    >> CVE-2024-7538[1]:
    >> | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
    >> | Vulnerability. This vulnerability allows local attackers to execute
    >> | arbitrary code on affected installations of oFono. An attacker must
    >> | first obtain the ability to execute code on the target modem in
    >> | order to exploit this vulnerability. The specific flaw exists
    >> | within the parsing of responses from AT Commands. The issue results
    >> | from the lack of proper validation of the length of user-supplied
    >> | data prior to copying it to a stack-based buffer. An attacker can
    >> | leverage this vulnerability to execute code in the context of root.
    >> | Was ZDI-CAN-23190.
    >>
    >> We think that CVE-2024-7538 has been fixed alongside the fix of
    >> CVE-2024-7539.
    >>
    >> See:
    >> https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
    >> (uploaded to Debian with ofono 2.14-1).
    >>
    >> With this in mind, I'd like to see #1078555 closed after the factoring out.
    >>
    >> @Debian sec team:
    >> * Please provide feedback on the above.
    >> * Please close #1078555 if you agree with my above reasoning.
    >> * Please downgrade severity of the new #-2 bug if you agree
    >>   or follow up on this mail.
    >
    > The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but
    > could you double-check with upstream just to be sure?

    It is confirmed. CVE-2024-7538 is a duplicate of CVE-2024-7539 (which
    has been resolved in ofono in Debian already).

    CVE-2024-7538:
    https://www.zerodayinitiative.com/advisories/ZDI-24-1078/
    Alternate ID: ZDI-CAN-23190
    Details: https://lore.kernel.org/ofono/BYAPR01MB3830CC0A4CA324706691F19380D62@BYAPR01MB3830.prod.exchangelabs.com/

    CVE-2024-7539:
    https://www.zerodayinitiative.com/advisories/ZDI-24-1079/
    Alternate ID: ZDI-CAN-23195
    Details: https://lore.kernel.org/ofono/DM5PR0102MB3477EF696990E9AF78891586805F2@DM5PR0102MB3477.prod.exchangelabs.com/


    So, #1078555 can be closed, imho.

    Furthermore, can you please downgrade #1099190 to important as
    discussed earlier? We have now also received the technical details for CVE-2024-7537, see here: https://lore.kernel.org/ofono/BYAPR01MB3830B08E8DB1D76A9A85B07680D62@BYAPR01MB3830.prod.exchangelabs.com/T/#u

    Thanks!
    Mike

    --

    mike gabriel aka sunweaver (Debian Developer)
    mobile: +49 (1520) 1976 148
    landline: +49 (4351) 486 14 27

    GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
    mail: sunweaver@debian.org, http://sunweavers.net

