Bug 20758 - libosip2 new security issues CVE-2016-1032[4-6] and CVE-2017-7853
Summary: libosip2 new security issues CVE-2016-1032[4-6] and CVE-2017-7853
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-29 23:36 CEST by David Walser
Modified: 2017-05-15 09:19 CEST

See Also:
Source RPM: libosip2-4.0.0-5.mga6.src.rpm
CVE: CVE-2016-10324, CVE-2016-10325, CVE-2016-10326, CVE-2017-7853
Status comment:



Description David Walser 2017-04-29 23:36:23 CEST
openSUSE has issued an advisory on April 28:
https://lists.opensuse.org/opensuse-updates/2017-04/msg00109.html

Mageia 5 is also affected.
Comment 1 Nicolas Lécureuil 2017-04-30 09:19:53 CEST
updated in cauldron
Comment 2 Marja van Waes 2017-04-30 10:44:33 CEST
(In reply to Nicolas Lécureuil from comment #1)
> updated in cauldron

Thanks :-)

Assigning to all packagers collectively for the Mga5, because it has no registered maintainer.
Comment 3 Nicolas Lécureuil 2017-04-30 14:21:54 CEST
updated in mga5:

srpms:   libosip2-5.0.0-2.mga5 siproxd-0.8.1-14.3.mga5 exosip-4.0.0-4.2.mga5
Comment 4 David Walser 2017-04-30 23:41:34 CEST
Full package list:

libosip2_12-5.0.0-2.mga5
libosip2-devel-5.0.0-2.mga5
siproxd-0.8.1-14.3.mga5
exosip-4.0.0-4.2.mga5
libexosip2_10-4.0.0-4.2.mga5
libexosip2-devel-4.0.0-4.2.mga5

from SRPMS:
libosip2-5.0.0-2.mga5.src.rpm
siproxd-0.8.1-14.3.mga5.src.rpm
exosip-4.0.0-4.2.mga5.src.rpm
Comment 5 Herman Viaene 2017-05-06 12:02:43 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Not sure how to test. Info in MCC mentions support for linphone, but "urpmq --whatrequires" does not give any info.
Took my chances, installed linphone and used my IP's VOIP settings in it and was able to make a call.
However the strace of linphone did not show anything I could recognize as part of these update packages.
Comment 6 Lewis Smith 2017-05-14 20:45:56 CEST
Trying to find out what requires what (64-bit):

 $ urpmq --whatrequires-recursive exosip     [nothing]

 $ urpmq --whatrequires-recursive siproxd    [nothing]

 $ urpmq --whatrequires-recursive lib64exosip2_10     [stays _10]
 exosip

 $ urpmq --whatrequires-recursive lib64osip2_10       [-> _12]
 exosip, lib64exosip2_10, siproxd

exosip - Extended osip library                [+ /usr/bin/sip_reg]
Exosip is a library that hides the complexity of using the SIP protocol for multimedia session establishment.

siproxd - A SIP masquerading proxy with RTP support        [/usr/sbin/siproxd]
Siproxd is a proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections possible via a masquerading firewall.

So now we know.
I am just going to try for a clean update.
Comment 7 Lewis Smith 2017-05-14 21:13:27 CEST
BTW I can find no previous bugs or updates for these things.

BEFORE the update, installed:
- exosip-4.0.0-4.mga5.x86_64
- lib64exosip2_10-4.0.0-4.mga5.x86_64
- lib64osip2_10-4.0.0-4.mga5.x86_64
- siproxd-0.8.1-14.mga5.x86_64

UPDATE to:
- exosip-4.0.0-4.2.mga5.x86_64
- lib64exosip2_10-4.0.0-4.2.mga5.x86_64  *** was NOT auto-required by exosip ***
- lib64osip2_12-5.0.0-2.mga5.x86_64
- siproxd-0.8.1-14.3.mga5.x86_64

Problem: both exosip & siproxd correctly required automatically lib64osip2_12-5.0.0-2; but selecting exosip did *not* automatically require lib64exosip2_10-4.0.0-4.2, although this was in the Updates Testing list. I selected it manually, but it should be auto-selected 'required' by exosip.
Hence querying the update.

Despite which, after the update:
 $ urpmq --whatrequires lib64exosip2_10
 exosip
shows the correct dependency.
Comment 8 David Walser 2017-05-14 21:45:56 CEST
We don't hard code library dependencies, they're automatically generated.  When the packages are available in updates, they'll all be updated.  When doing QA, you always might have to manually select the appropriate packages.
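To illustrate comment 8's point with the package names from comments 4 and 7, here is an added shell example (written for this page, not code from the bug or from Mageia's tooling) that replays soname-level dependency resolution on constructed data. The sonames libosip2.so.10, libosip2.so.12 and libexosip2.so.10 are assumed from the lib64<name><major> package naming convention, and the two-column "package dependency" tables are constructed, not captured rpm output.

```shell
#!/bin/sh
# Constructed data (not captured from the bug): soname requirements of the
# updated packages, in a "package dependency" form modelled loosely on
# rpm -q --requires. Sonames are assumed from the lib64<name><major> naming.
REQUIRES='exosip-4.0.0-4.2.mga5 libosip2.so.12()(64bit)
exosip-4.0.0-4.2.mga5 libexosip2.so.10()(64bit)
siproxd-0.8.1-14.3.mga5 libosip2.so.12()(64bit)'

# Library packages installed BEFORE the update (versions from comment 7).
PROVIDES_INSTALLED='lib64osip2_10-4.0.0-4.mga5 libosip2.so.10()(64bit)
lib64exosip2_10-4.0.0-4.mga5 libexosip2.so.10()(64bit)'

# Library packages offered in the update set (versions from comment 4).
PROVIDES_UPDATES='lib64osip2_12-5.0.0-2.mga5 libosip2.so.12()(64bit)
lib64exosip2_10-4.0.0-4.2.mga5 libexosip2.so.10()(64bit)'

# Print which package in a provides table ($1) exports the soname $2.
provider() {
  printf '%s\n' "$1" | awk -v d="$2" '$2 == d { print $1 }'
}

# For every soname an updated package requires, report whether an already
# installed library satisfies it (so a newer build is not pulled automatically)
# or whether it must come from the update set.
resolve() {
  printf '%s\n' "$REQUIRES" | while read -r pkg dep; do
    inst=$(provider "$PROVIDES_INSTALLED" "$dep")
    if [ -n "$inst" ]; then
      echo "$pkg $dep satisfied-by-installed $inst"
    else
      upd=$(provider "$PROVIDES_UPDATES" "$dep")
      echo "$pkg $dep pulls-from-updates ${upd:-UNRESOLVED}"
    fi
  done
}

resolve
```

Under these assumptions the soname major of libosip2 changed (10 to 12), so exosip and siproxd pull lib64osip2_12, while libexosip2.so.10 is still provided by the installed lib64exosip2_10-4.0.0-4, which is why the rebuilt lib64exosip2_10-4.0.0-4.2 had to be selected by hand during QA.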
Comment 9 Lewis Smith 2017-05-15 09:19:05 CEST
Thanks David for your observation. In which case I shall risk the 64 OK.
If somebody can suggest an application which might use some of this, please do. (I decline getting bogged down in Linphone).
It looks as if lib[64]osip2_12 is the main thing.
