1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1078555: ofono: CVE-2024-7537 CVE-2024-7538 CVE-2024-7539 CVE-2024-

    From Salvatore Bonaccorso@21:1/5 to Mike Gabriel on Sat Mar 15 10:40:02 2025
    H Mike,

    On Mon, Mar 10, 2025 at 03:38:56PM +0000, Mike Gabriel wrote:
    Hi Moritz,

    On Mi 05 Mär 2025 22:55:49 CET, Moritz Mühlenhoff wrote:

    On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
    Control: clone -1 -2
    Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544
    CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
    Control: retitle -2 ofono: CVE-2024-7537

    CVE-2024-7538[1]:
    | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
    | Vulnerability. This vulnerability allows local attackers to execute
    | arbitrary code on affected installations of oFono. An attacker must
    | first obtain the ability to execute code on the target modem in
    | order to exploit this vulnerability. The specific flaw exists
    | within the parsing of responses from AT Commands. The issue results
    | from the lack of proper validation of the length of user-supplied
    | data prior to copying it to a stack-based buffer. An attacker can
    | leverage this vulnerability to execute code in the context of root.
    | Was ZDI-CAN-23190.

    We think that CVE-2024-7538 has been fixed alongside the fix of CVE-2024-7539.

    See: https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
    (uploaded to Debian with ofono 2.14-1).

    With this in mind, I'd like to see #1078555 closed after the factoring out.

    @Debian sec team:
    * Please provide feedback on the above.
    * Please close #1078555 if you agree with my above reasonings.
    * Please downgrade severity of the new #-2 bug if you agree
    or follow-up on this mail.

    The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but could you doublecheck with upstream just to be sure?

    It is confirmed. CVE-2024-7538 is a duplicate of CVE-2024-7539 (which has been resolved in ofono in Debian already).

    CVE-2024-7538:
    https://www.zerodayinitiative.com/advisories/ZDI-24-1078/
    Alternate ID: ZDI-CAN-23190
    Details: https://lore.kernel.org/ofono/BYAPR01MB3830CC0A4CA324706691F19380D62@BYAPR01MB3830.prod.exchangelabs.com/

    CVE-2024-7539:
    https://www.zerodayinitiative.com/advisories/ZDI-24-1079/
    Alternate ID: ZDI-CAN-23195
    Details: https://lore.kernel.org/ofono/DM5PR0102MB3477EF696990E9AF78891586805F2@DM5PR0102MB3477.prod.exchangelabs.com/


    So, #1078555 can be closed, imho.

    Furthermore, can you please downgrade #1099190 to important as discussed earlier? We have now also received the technical details for CVE-2024-7537, see here: https://lore.kernel.org/ofono/BYAPR01MB3830B08E8DB1D76A9A85B07680D62@BYAPR01MB3830.prod.exchangelabs.com/T/#u

    Thank you, I have updated the security tracker and BTS metadata (and
    the severity of #1099190).

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)