Hi Moritz,

On Wed 05 Mar 2025 22:55:49 CET, Moritz Mühlenhoff wrote:
> On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
> > Control: clone -1 -2
> > Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
> > Control: retitle -2 ofono: CVE-2024-7537
> >
> > > CVE-2024-7538[1]:
> > > | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
> > > | Vulnerability. This vulnerability allows local attackers to execute
> > > | arbitrary code on affected installations of oFono. An attacker must
> > > | first obtain the ability to execute code on the target modem in
> > > | order to exploit this vulnerability. The specific flaw exists
> > > | within the parsing of responses from AT Commands. The issue results
> > > | from the lack of proper validation of the length of user-supplied
> > > | data prior to copying it to a stack-based buffer. An attacker can
> > > | leverage this vulnerability to execute code in the context of root.
> > > | Was ZDI-CAN-23190.
> >
> > We think that CVE-2024-7538 has been fixed alongside the fix of CVE-2024-7539.
> >
> > See: https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
> > (uploaded to Debian with ofono 2.14-1).
> >
> > With this in mind, I'd like to see #1078555 closed after the factoring out.
> >
> > @Debian sec team:
> >
> > * Please provide feedback on the above.
> > * Please close #1078555 if you agree with my above reasonings.
> > * Please downgrade severity of the new #-2 bug if you agree or follow-up on this mail.
>
> The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but could you doublecheck with upstream just to be sure?
It is confirmed. CVE-2024-7538 is a duplicate of CVE-2024-7539 (which has been resolved in ofono in Debian already).
CVE-2024-7538: https://www.zerodayinitiative.com/advisories/ZDI-24-1078/
Alternate ID: ZDI-CAN-23190
Details: https://lore.kernel.org/ofono/byapr01mb3830cc0a4ca324706691f19380...@byapr01mb3830.prod.exchangelabs.com/

CVE-2024-7539: https://www.zerodayinitiative.com/advisories/ZDI-24-1079/
Alternate ID: ZDI-CAN-23195
Details: https://lore.kernel.org/ofono/dm5pr0102mb3477ef696990e9af7889158680...@dm5pr0102mb3477.prod.exchangelabs.com/
So, #1078555 can be closed, imho.

Furthermore, can you please downgrade #1099190 to important as discussed earlier? We have now also received the technical details for CVE-2024-7537, see here:

https://lore.kernel.org/ofono/byapr01mb3830b08e8db1d76a9a85b07680...@byapr01mb3830.prod.exchangelabs.com/T/#u

Thanks!
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net