Hi Mike,

On Mon, Mar 10, 2025 at 03:38:56PM +0000, Mike Gabriel wrote:
> Hi Moritz,
>
> On Wed 05 Mar 2025 22:55:49 CET, Moritz Mühlenhoff wrote:
>
> > On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
> > > Control: clone -1 -2
> > > Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540
> > > CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544
> > > CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
> > > Control: retitle -2 ofono: CVE-2024-7537
> > >
> > > > CVE-2024-7538[1]:
> > > > | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
> > > > | Vulnerability. This vulnerability allows local attackers to execute
> > > > | arbitrary code on affected installations of oFono. An attacker must
> > > > | first obtain the ability to execute code on the target modem in
> > > > | order to exploit this vulnerability. The specific flaw exists
> > > > | within the parsing of responses from AT Commands. The issue results
> > > > | from the lack of proper validation of the length of user-supplied
> > > > | data prior to copying it to a stack-based buffer. An attacker can
> > > > | leverage this vulnerability to execute code in the context of root.
> > > > | Was ZDI-CAN-23190.
> > >
> > > We think that CVE-2024-7538 has been fixed alongside the fix of
> > > CVE-2024-7539.
> > >
> > > See:
> > > https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
> > > (uploaded to Debian with ofono 2.14-1).
> > >
> > > With this in mind, I'd like to see #1078555 closed after the factoring
> > > out.
> > >
> > > @Debian sec team:
> > > * Please provide feedback on the above.
> > > * Please close #1078555 if you agree with my above reasonings.
> > > * Please downgrade severity of the new #-2 bug if you agree
> > > or follow-up on this mail.
> >
> > The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but
> > could you doublecheck with upstream just to be sure?
>
> It is confirmed.
> CVE-2024-7538 is a duplicate of CVE-2024-7539 (which has
> been resolved in ofono in Debian already).
>
> CVE-2024-7538:
> https://www.zerodayinitiative.com/advisories/ZDI-24-1078/
> Alternate ID: ZDI-CAN-23190
> Details:
> https://lore.kernel.org/ofono/byapr01mb3830cc0a4ca324706691f19380...@byapr01mb3830.prod.exchangelabs.com/
>
> CVE-2024-7539:
> https://www.zerodayinitiative.com/advisories/ZDI-24-1079/
> Alternate ID: ZDI-CAN-23195
> Details:
> https://lore.kernel.org/ofono/dm5pr0102mb3477ef696990e9af7889158680...@dm5pr0102mb3477.prod.exchangelabs.com/
>
> So, #1078555 can be closed, imho.
>
> Furthermore, can you please downgrade #1099190 to important as discussed
> earlier? We have now also received the technical details for CVE-2024-7537,
> see here:
> https://lore.kernel.org/ofono/byapr01mb3830b08e8db1d76a9a85b07680...@byapr01mb3830.prod.exchangelabs.com/T/#u

Thank you, I have updated the security tracker and BTS metadata (and the
severity of #1099190).

Regards,
Salvatore
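The ZDI text quoted in the thread describes the bug class behind CVE-2024-7538/7539: a length taken from a modem's +CUSD response is copied into a fixed-size stack buffer without being checked. The following is an added illustration of that class and of the bounds check a reviewer would look for; it is not ofono's code, not the Debian or upstream fix referenced above, and the names (cusd_find_str, cusd_copy_unchecked, cusd_copy_checked), the USSD_MAX size and the sample response lines are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical destination size. The real ofono buffer size and the actual
 * fixed code are not shown on this page; 160 is only a plausible USSD
 * string length chosen for this illustration. */
#define USSD_MAX 160

/* Locate the quoted <str> in a "+CUSD: <m>,"<str>",<dcs>" line
 * (3GPP TS 27.007 syntax). Returns a pointer to the first character
 * inside the quotes and stores its length in *len, or NULL if the line
 * carries no complete quoted string. */
static const char *cusd_find_str(const char *line, size_t *len)
{
    const char *open = strchr(line, '"');
    if (open == NULL)
        return NULL;
    const char *close = strchr(open + 1, '"');
    if (close == NULL)
        return NULL;
    *len = (size_t)(close - open - 1);
    return open + 1;
}

/* The bug class the advisory describes: the length comes from the modem
 * response and is copied into a fixed-size caller buffer with no check.
 * Kept only to contrast with the checked version below; never call it
 * on untrusted input. */
void cusd_copy_unchecked(const char *line, char out[USSD_MAX])
{
    size_t len;
    const char *s = cusd_find_str(line, &len);
    if (s == NULL) {
        out[0] = '\0';
        return;
    }
    memcpy(out, s, len);   /* len may exceed USSD_MAX - 1 */
    out[len] = '\0';
}

/* Hardened version: the copy is bounded by the destination size and an
 * oversize response is rejected rather than silently truncated.
 * Returns the copied length, -1 for a malformed line, -2 for oversize. */
int cusd_copy_checked(const char *line, char *out, size_t outsz)
{
    size_t len;
    const char *s = cusd_find_str(line, &len);
    if (s == NULL)
        return -1;
    if (len >= outsz)      /* need room for the terminating NUL */
        return -2;
    memcpy(out, s, len);
    out[len] = '\0';
    return (int)len;
}

/* Run the checked copy into a USSD_MAX stack buffer and report the code. */
int cusd_checked_result(const char *line)
{
    char out[USSD_MAX];
    return cusd_copy_checked(line, out, sizeof out);
}

/* Constructed sample: a response whose quoted string is 300 bytes, longer
 * than USSD_MAX, as a modem under an attacker's control could emit. */
int cusd_overlong_result(void)
{
    char line[400];
    size_t n = (size_t)snprintf(line, sizeof line, "+CUSD: 0,\"");
    memset(line + n, 'A', 300);
    n += 300;
    memcpy(line + n, "\",15", 5);   /* 4 characters plus the NUL */
    return cusd_checked_result(line);
}

int main(void)
{
    const char *ok = "+CUSD: 0,\"Your balance is 5.00\",15";
    printf("well-formed: %d\n", cusd_checked_result(ok));         /* 20 */
    printf("no string:   %d\n", cusd_checked_result("+CUSD: 2"));  /* -1 */
    printf("overlong:    %d\n", cusd_overlong_result());            /* -2 */
    return 0;
}
```

The point of the checked variant is that the destination size is an explicit parameter and the decision about an oversize response is made before any byte is copied; silently truncating with strncpy-style helpers would avoid the overflow but could still hand a mangled USSD string to the caller.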