Bugzilla – Bug 1034570
VUL-0: CVE-2017-7853: libosip2: In libosip2 in GNU oSIP 5.0.0, a malformed SIP message can lead to a heap bufferoverflow in the msg...
Last modified: 2017-05-10 18:25:35 UTC
CVE-2017-7853 In libosip2 in GNU oSIP 5.0.0, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7853 http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7853.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7853 http://www.cvedetails.com/cve/CVE-2017-7853/ http://www.securityfocus.com/bid/97644 https://savannah.gnu.org/support/index.php?109265
https://git.savannah.gnu.org/cgit/osip.git/commit/?id=1ae06daf3b2375c34af23083394a6f010be24a45
code is already in SLE11 GA, so considering all affected up to tumbleweed
link in comment#1 leads to 502/bad gateway
it works for me as of this time.
yes, it's back by now rq list: 489638 update libosip2 to 5.0.0 plus fix for bnc#1034570 489635 update for leap42.2 with fixes for bnc#103457[0124] 489634 update for leap42.1 with fixes for bnc#103457[0124] 131561 update for sle12 with fixes for bnc#103457[0124] 131562 update for sle11 with fixes for bnc#103457[0124]
This is an autogenerated message for OBS integration: This bug (1034570) was mentioned in https://build.opensuse.org/request/show/489634 42.1 / libosip2 https://build.opensuse.org/request/show/489635 42.2 / libosip2
openSUSE-SU-2017:1127-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1034570,1034571,1034572,1034574 CVE References: CVE-2016-10324,CVE-2016-10325,CVE-2016-10326,CVE-2017-7853 Sources used: openSUSE Leap 42.2 (src): libosip2-4.1.0-5.3.1 openSUSE Leap 42.1 (src): libosip2-4.1.0-5.1
SUSE-SU-2017:1187-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1034570,1034571,1034572,1034574 CVE References: CVE-2016-10324,CVE-2016-10325,CVE-2016-10326,CVE-2017-7853 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP2 (src): libosip2-3.5.0-20.1 SUSE Linux Enterprise Workstation Extension 12-SP1 (src): libosip2-3.5.0-20.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libosip2-3.5.0-20.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libosip2-3.5.0-20.1 SUSE Linux Enterprise Desktop 12-SP2 (src): libosip2-3.5.0-20.1 SUSE Linux Enterprise Desktop 12-SP1 (src): libosip2-3.5.0-20.1
SUSE-SU-2017:1188-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1034570,1034571,1034572,1034574 CVE References: CVE-2016-10324,CVE-2016-10325,CVE-2016-10326,CVE-2017-7853 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libosip2-3.1.0-3.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): libosip2-3.1.0-3.1