sofia-sip: Multiple CVEs on 1.12.11

[CamberLoid]

CVE IDs

CVE-2023-32307,CVE-2023-22741,CVE-2022-31003,CVE-2022-31002,CVE-2022-31001

Other security advisory IDs

Debian:

• DSA-5431-1 sofia-sip - security update
• DLA-3441-1 sofia-sip - security update
• DSA-5410-1 sofia-sip - security update
• DLA-3334-1 sofia-sip - security update
• DLA-3292-1 sofia-sip - security update
• DLA-3091-1 sofia-sip - security update

Description

Multiple vulnerabilities of sofia-sip were found and fixed recently. They are:

CVE-2023-32307	heap-over-flow and integer-overflow in certain functions. GHSA-rm4c-ccvf-ff9c
CVE-2023-22741	heap-over-flow in stun_parse_attribute. GHSA-8599-x7rq-fr54
CVE-2022-47516	denial of service with a crafted UDP message. GHSA-h94r-c3pv-4564
CVE-2022-31003	Heap-buffer-overflow on sdp_parse. GHSA-79jq-hh82-cv9g
CVE-2022-31002	Out-of-bound read. GHSA-g3x6-p824-x6hm
CVE-2022-31001	Out-of-bound read. GHSA-79jq-hh82-cv9g

Despite upstream flagged them high to critical severity, as we only use it for gnome-calls and related, which has a limited usage in our distribution, these vulnerabilities are considered moderate severity and is subjected to be included in next security survey

Patches

Update to latest (v1.13.15)

PoC(s)

Included in above advisories.