Bug 20758 - libosip2 new security issues CVE-2016-1032[4-6] and CVE-2017-7853
Summary: libosip2 new security issues CVE-2016-1032[4-6] and CVE-2017-7853
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Reported: 2017-04-29 23:36 CEST by David Walser
Modified: 2017-06-14 15:51 CEST (History)
5 users (show)

See Also:
Source RPM: libosip2-4.0.0-5.mga6.src.rpm
CVE: CVE-2016-10324, CVE-2016-10325, CVE-2016-10326, CVE-2017-7853
Status comment:


Description David Walser 2017-04-29 23:36:23 CEST
openSUSE has issued an advisory on April 28:

Mageia 5 is also affected.
David Walser 2017-04-29 23:36:31 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-04-30 09:19:53 CEST
updated in cauldron

CC: (none) => mageia
Whiteboard: MGA5TOO => (none)
CVE: (none) => CVE-2016-10324, CVE-2016-10325, CVE-2016-10326, CVE-2017-7853
Version: Cauldron => 5

Comment 2 Marja Van Waes 2017-04-30 10:44:33 CEST
(In reply to Nicolas Lécureuil from comment #1)
> updated in cauldron

Thanks :-)

Assigning to all packagers collectively for the Mga5, because it has no registered maintainer.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 3 Nicolas Lécureuil 2017-04-30 14:21:54 CEST
updated in mga5:

srpms:   libosip2-5.0.0-2.mga5 siproxd-0.8.1-14.3.mga5 exosip-4.0.0-4.2.mga5
Nicolas Lécureuil 2017-04-30 14:22:05 CEST

Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2017-04-30 23:41:34 CEST
Full package list:


from SRPMS:
Comment 5 Herman Viaene 2017-05-06 12:02:43 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Not sure how to test. Info in MCC mentions support for linphone, but "urpmq --whatrequires" does not give any info.
Took my chances, installed linphone and used my IP's VOIP settings in it and was able to make a call.
However the strace of linphone did not show anything I could recognize as part of these update packages.

CC: (none) => herman.viaene

Comment 6 Lewis Smith 2017-05-14 20:45:56 CEST
Trying to find out what reqires what (64-bt):

 $ urpmq --whatrequires-recursive exosip     [nothing]

 $ urpmq --whatrequires-recursive siproxd    [nothing]

 $ urpmq --whatrequires-recursive lib64exosip2_10     [stays _10]

 $ urpmq --whatrequires-recursive lib64osip2_10       [-> _12]
 exosip, lib64exosip2_10, siproxd

exosip - Extended osip library                [+ /usr/bin/sip_reg]
Exosip is a library that hides the complexity of using the SIP protocol for mutlimedia session establishement.

siproxd - A SIP masquerading proxy with RTP support        [/usr/sbin/siproxd]
Siprox is an proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections possible via a masquerading firewall.

So now we know.
I am just going to try for a clean update.

CC: (none) => lewyssmith

Comment 7 Lewis Smith 2017-05-14 21:13:27 CEST
BTW I can find no previous bugs or updates for these things.

BEFORE the update, installed:
- exosip-4.0.0-4.mga5.x86_64
- lib64exosip2_10-4.0.0-4.mga5.x86_64
- lib64osip2_10-4.0.0-4.mga5.x86_64
- siproxd-0.8.1-14.mga5.x86_64

- exosip-4.0.0-4.2.mga5.x86_64
- lib64exosip2_10-4.0.0-4.2.mga5.x86_64  *** was NOT auto-required by exosip ***
- lib64osip2_12-5.0.0-2.mga5.x86_64
- siproxd-0.8.1-14.3.mga5.x86_64

Problem: both exosip & siproxd correctly required automatically lib64osip2_12-5.0.0-2; but selecting exosip did *not* automatically require lib64exosip2_10-4.0.0-4.2, although this was in the Updates Testing list. I selected it manually, but it should be auto-selected 'required' by exosip.
Hence querying the update.

Despite which, after the update:
 $ urpmq --whatrequires lib64exosip2_10
shows the correct dependancy.

Whiteboard: (none) => feedback

Comment 8 David Walser 2017-05-14 21:45:56 CEST
We don't hard code library dependencies, they're automatically generated.  When the packages are available in updates, they'll all be updated.  When doing QA, you always might have to manually select the appropriate packages.

Whiteboard: feedback => (none)

Comment 9 Lewis Smith 2017-05-15 09:19:05 CEST
Thanks David for your observation. In which case I shall risk the 64 OK.
If somebody can suggest an application which might use some of this, please do. (I decline getting bogged down in Linphone).
It looks as if lib[64]osip2_12 is the main thing.

Whiteboard: (none) => MGA5-64-OK

Comment 10 Lewis Smith 2017-06-09 20:43:16 CEST
Can this have its advisory, please. Comment 4 has the SRPMs.
I can invent one if desired.
Comment 11 David Walser 2017-06-09 21:45:05 CEST

Updated libosip2 packages fix security vulnerabilities:

In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap
buffer overflow in the osip_clrncpy() function defined in
osipparser2/osip_port.c (CVE-2016-10324).

In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap
buffer overflow in the _osip_message_to_str() function defined in
osipparser2/osip_message_to_str.c, resulting in a remote DoS (CVE-2016-10325).

In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap
buffer overflow in the osip_body_to_str() function defined in
osipparser2/osip_body.c, resulting in a remote DoS (CVE-2016-10326).

In libosip2 in GNU 5.0.0, a malformed SIP message can lead to a heap buffer
overflow in the msg_osip_body_parse() function defined in
osipparser2/osip_message_parse.c, resulting in a remote DoS (CVE-2017-7853).

Lewis Smith 2017-06-10 07:31:23 CEST

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 12 Lewis Smith 2017-06-13 15:11:47 CEST
This has hung around too long. I am validating it on the basis of a clean 64-bit update.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 13 Mageia Robot 2017-06-14 15:51:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.