On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
> Control: clone -1 -2
> Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540
> CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545
> CVE-2024-7546 CVE-2024-7547
> Control: retitle -2 ofono: CVE-2024-7537
>
>
> > CVE-2024-7538[1]:
> > | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
> > | Vulnerability. This vulnerability allows local attackers to execute
> > | arbitrary code on affected installations of oFono. An attacker must
> > | first obtain the ability to execute code on the target modem in
> > | order to exploit this vulnerability. The specific flaw exists
> > | within the parsing of responses from AT Commands. The issue results
> > | from the lack of proper validation of the length of user-supplied
> > | data prior to copying it to a stack-based buffer. An attacker can
> > | leverage this vulnerability to execute code in the context of root.
> > | Was ZDI-CAN-23190.
>
> We think that CVE-2024-7538 has been fixed alongside the fix of CVE-2024-7539.
>
> See:
> https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
> (uploaded to Debian with ofono 2.14-1).
>
> With this in mind, I'd like to see #1078555 closed after the factoring out.
>
> @Debian sec team:
> * Please provide feedback on the above.
> * Please close #1078555 if you agree with my above reasonings.
> * Please downgrade severity of the new #-2 bug if you agree
> or follow-up on this mail.

The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but could you
double-check with upstream just to be sure?

Cheers,
Moritz