Ubuntu has issued an advisory on December 9: https://ubuntu.com/security/notices/USN-7141-1
CVE: (none) => CVE-2023-2794, CVE-2023-4233, CVE-2023-4234Source RPM: (none) => ofono-2.13-1.mga10.src.rpm, ofono-2.1-1.mga9.src.rpmWhiteboard: (none) => MGA9TOO
Ubuntu has issued an advisory on December 11: https://ubuntu.com/security/notices/USN-7151-1
CVE: CVE-2023-2794, CVE-2023-4233, CVE-2023-4234 => CVE-2023-2794, CVE-2023-4232, CVE-2023-4233, CVE-2023-4234, CVE-2023-4235Summary: ofono new security issues CVE-2023-2794 and CVE-2023-423[34] => ofono new security issues CVE-2023-2794 and CVE-2023-423[2-5]
This one looks a lot of work. I hope the following are right: https://bugzilla.redhat.com/show_bug.cgi?id=2255396 Bug 2255396 (CVE-2023-4233, ZDI-CAN-20996) - CVE-2023-4233 ofono: SMS Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability within the sms_decode_address_field() function looks like a patch. https://bugzilla.redhat.com/show_bug.cgi?id=2255387 Bug 2255387 (CVE-2023-2794, ZDI-CAN-20971) - CVE-2023-2794 ofono: SMS Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability within the decode_deliver() function also a patch. https://bugzilla.redhat.com/show_bug.cgi?id=2255399 Bug 2255399 (CVE-2023-4234, ZDI-CAN-21015) - CVE-2023-4234 ofono: SMS Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability within the decode_submit_report() function another patch. https://bugzilla.redhat.com/show_bug.cgi?id=2255402 Bug 2255402 (CVE-2023-4235, ZDI-CAN-21016) - CVE-2023-4235 ofono: SMS Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability within the decode_deliver_report() function and another. https://bugzilla.redhat.com/show_bug.cgi?id=2255394 Bug 2255394 (CVE-2023-4232, ZDI-CAN-21014) - CVE-2023-4232 ofono: SMS Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability within the decode_status_report() function I think the last one!
Assignee: bugsquad => pkg-bugs
Fixed in Cauldron with ofono-2.14-1.mga10.
Source RPM: ofono-2.13-1.mga10.src.rpm, ofono-2.1-1.mga9.src.rpm => ofono-2.1-1.mga9.src.rpmWhiteboard: MGA9TOO => (none)Version: Cauldron => 9
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver() function. (CVE-2023-2794) Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_status_report() function. (CVE-2023-4232) Sms decoder stack-based buffer overflow remote code execution vulnerability within the sms_decode_address_field(). (CVE-2023-4233) Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_submit_report() function. (CVE-2023-4234) Sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver_report() function. (CVE-2023-4235) References: https://ubuntu.com/security/notices/USN-7141-1 https://ubuntu.com/security/notices/USN-7151-1 ======================== Updated packages in core/updates_testing: ======================== lib(64)ofono-devel-2.1-1.1.mga9 ofono-2.1-1.1.mga9 from SRPM: ofono-2.1-1.1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNED
Keywords: (none) => advisory
mga9, x86_64 I do not intend to test this. The only mobile telephone here is an ancient Nokia Classic 3100 (burner), not networked. For information only: The README for ofono gives no indication how to use it but it runs as a daemon. $ sudo systemctl start ofono $ sudo systemctl status ofono ● ofono.service - Telephony service Loaded: loaded (/usr/lib/systemd/system/ofono.service; disabled; preset: disabled) Active: active (running) since Wed 2025-02-12 18:03:24 GMT; 8s ago Main PID: 520049 (ofonod) Tasks: 1 (limit: 37702) Memory: 960.0K CPU: 40ms CGroup: /system.slice/ofono.service └─520049 /usr/sbin/ofonod -n Feb 12 18:03:24 rutilicus systemd[1]: Starting ofono.service... Feb 12 18:03:24 rutilicus ofonod[520049]: oFono version 2.1 Feb 12 18:03:24 rutilicus systemd[1]: Started ofono.service. Feb 12 18:03:24 rutilicus ofonod[520049]: parse_devices_reply: found 1st battery device: /org/freedesktop/UPower/devices/battery_hidpp_battery_0
CC: (none) => tarazed25
Qoute: "oFono.org is a place to bring developers together around designing an infrastructure for building mobile telephony (GSM/UMTS) applications." That puts it out of my league. However I don't want Len to get away with all the honors, so: # systemctl start ofono # systemctl -l status ofono ● ofono.service - Telephony service Loaded: loaded (/usr/lib/systemd/system/ofono.service; disabled; preset: disabled) Active: active (running) since Thu 2025-02-13 14:35:37 CET; 20s ago Main PID: 142964 (ofonod) Tasks: 1 (limit: 8806) Memory: 916.0K CPU: 229ms CGroup: /system.slice/ofono.service └─142964 /usr/sbin/ofonod -n Feb 13 14:35:37 mach3.hviaene.thuis systemd[1]: Starting ofono.service... Feb 13 14:35:37 mach3.hviaene.thuis ofonod[142964]: oFono version 2.1 Feb 13 14:35:37 mach3.hviaene.thuis systemd[1]: Started ofono.service. Feb 13 14:35:37 mach3.hviaene.thuis ofonod[142964]: RegisterProfile() replied an error: org.bluez.Error.NotPermitted, UUID already registered Feb 13 14:35:37 mach3.hviaene.thuis ofonod[142964]: parse_devices_reply: found 1st battery device: /org/freedesktop/UPower/devices/battery_BAT1 [root@mach3 ~]# Found https://github.com/moises-silva/mod_handsfree/blob/master/src/mod/endpoints/mod_handsfree/README.ofono-setup So my Nokia has always Bluetooth on, connected and then run # ofonod -n -d ofonod[144320]: oFono version 2.1 ofonod[144320]: src/plugin.c:__ofono_plugin_init() ofonod[144320]: src/gprs-provision.c:ofono_gprs_provision_driver_register() driver: 0x5605e94b8fa0 name: GPRS context provisioning ofonod[144320]: plugins/push-notification.c:push_notification_init() and get a loooong list of possible devices , including nokia, but also an equally long list of ofonod[144320]: plugins/udevng.c:add_serial_device() Device is missing required OFONO_DRIVER property ofonod[144320]: plugins/udevng.c:add_serial_device() Device is missing required OFONO_DRIVER property ofonod[144320]: plugins/udevng.c:add_serial_device() Device is missing required OFONO_DRIVER property and at the end src/modem.c:ofono_modem_create() name: hfp/org/bluez/hci0/dev_A0_28_ED_98_7D_96, type: hfp ofonod[144320]: src/modem.c:set_modem_property() modem 0x5605ec4bb050 property Remote ofonod[144320]: src/modem.c:set_modem_property() modem 0x5605ec4bb050 property DevicePath ofonod[144320]: src/modem.c:ofono_modem_register() 0x5605ec4bb050 ofonod[144320]: plugins/hfp_hf_bluez5.c:hfp_probe() modem: 0x5605ec4bb050 ofonod[144320]: src/modem.c:emit_modem_added() 0x5605ec4bb050 ofonod[144320]: src/modem.c:get_modem_property() modem 0x5605ec4bb050 property SystemPath ofonod[144320]: src/modem.c:call_modemwatches() 0x5605ec4bb050 added:1 ofonod[144320]: plugins/upower.c:modemwatch() modem: /hfp/org/bluez/hci0/dev_A0_28_ED_98_7D_96, added: 1 ofonod[144320]: plugins/dun_gw_bluez5.c:modem_watch() modem: 0x5605ec4bb050, added: 1 ofonod[144320]: plugins/hfp_ag_bluez5.c:modem_watch() modem: 0x5605ec4bb050, added: 1 ofonod[144320]: plugins/smart-messaging.c:modem_watch() modem: 0x5605ec4bb050, added: 1 ofonod[144320]: plugins/push-notification.c:modem_watch() modem: 0x5605ec4bb050, added: 1 But in the end I don't have the referred python scripts and gave up. But at least ofono seems to do something....
Whiteboard: (none) => MGA9-64-OKCC: (none) => herman.viaene
A valiant effort, guys. Validating.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0063.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED