GNU bug report logs -
#73696
[PATCH 0/3] Update osip, exosip, sipwitch. [security fixes]
Reported by: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Tue, 8 Oct 2024 06:29:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#73696; Package guix-patches. (Tue, 08 Oct 2024 06:29:02 GMT)
Acknowledgement sent to Nicolas Graves <ngraves <at> ngraves.fr>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 08 Oct 2024 06:29:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Nicolas Graves (3):
gnu: osip: Update to 5.3.1.
gnu: exosip: Update to 5.3.0. [security fixes]
gnu: sipwitch: Fix build.
gnu/local.mk | 2 +-
gnu/packages/patches/osip-CVE-2017-7853.patch | 40 ----------
.../sipwitch-fix-build-with-exosip5.patch | 77 +++++++++++++++++++
gnu/packages/telephony.scm | 16 ++--
4 files changed, 86 insertions(+), 49 deletions(-)
delete mode 100644 gnu/packages/patches/osip-CVE-2017-7853.patch
create mode 100644 gnu/packages/patches/sipwitch-fix-build-with-exosip5.patch
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#73696; Package guix-patches. (Tue, 08 Oct 2024 06:36:02 GMT)
Message #8 received at 73696 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/telephony.scm (osip): Update to 5.3.1.
[origin]<patches>: Remove patch.
* gnu/packages/patches/osip-CVE-2017-7853.patch : Remove it.
* gnu/local.mk: Remove patch.
---
gnu/local.mk | 1 -
gnu/packages/patches/osip-CVE-2017-7853.patch | 40 -------------------
gnu/packages/telephony.scm | 5 +--
3 files changed, 2 insertions(+), 44 deletions(-)
delete mode 100644 gnu/packages/patches/osip-CVE-2017-7853.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index c48f4bfeca..25d6249319 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1878,7 +1878,6 @@ dist_patch_DATA = \
%D%/packages/patches/orangeduck-mpc-fix-pkg-config.patch \
%D%/packages/patches/orbit2-fix-array-allocation-32bit.patch \
%D%/packages/patches/orpheus-cast-errors-and-includes.patch \
- %D%/packages/patches/osip-CVE-2017-7853.patch \
%D%/packages/patches/ots-no-include-missing-file.patch \
%D%/packages/patches/owncloud-disable-updatecheck.patch \
%D%/packages/patches/p7zip-CVE-2016-9296.patch \
diff --git a/gnu/packages/patches/osip-CVE-2017-7853.patch b/gnu/packages/patches/osip-CVE-2017-7853.patch
deleted file mode 100644
index 33d95cdb0e..0000000000
--- a/gnu/packages/patches/osip-CVE-2017-7853.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Fix CVE-2017-7853:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7853
-https://savannah.gnu.org/support/index.php?109265
-
-Patch copied from upstream source repository:
-
-https://git.savannah.gnu.org/cgit/osip.git/commit/?id=1ae06daf3b2375c34af23083394a6f010be24a45
-
-From 1ae06daf3b2375c34af23083394a6f010be24a45 Mon Sep 17 00:00:00 2001
-From: Aymeric Moizard <amoizard <at> gmail.com>
-Date: Tue, 21 Feb 2017 17:16:26 +0100
-Subject: [PATCH] * fix bug report: sr #109265: SIP message body length
- underflow in libosip2-4.1.0 https://savannah.gnu.org/support/?109265
- also applicable to current latest version
-
----
- src/osipparser2/osip_message_parse.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/osipparser2/osip_message_parse.c b/src/osipparser2/osip_message_parse.c
-index 1628c60..aa35446 100644
---- a/src/osipparser2/osip_message_parse.c
-+++ b/src/osipparser2/osip_message_parse.c
-@@ -784,6 +784,12 @@ msg_osip_body_parse (osip_message_t * sip, const char *start_of_buf, const char
- if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
- start_of_body++;
-
-+ /* if message body is empty or contains a single CR/LF */
-+ if (end_of_body <= start_of_body) {
-+ osip_free (sep_boundary);
-+ return OSIP_SYNTAXERROR;
-+ }
-+
- body_len = end_of_body - start_of_body;
-
- /* Skip CR before end boundary. */
---
-2.13.1
-
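Review bot: Dropping this file removes the body-length check (the "if (end_of_body <= start_of_body)" branch returning OSIP_SYNTAXERROR) from the Guix build, and the commit log only says "Remove patch" without stating that the 5.3.1 tarball already carries upstream commit 1ae06daf3b2375c34af23083394a6f010be24a45. Please confirm that msg_osip_body_parse in src/osipparser2/osip_message_parse.c of 5.3.1 contains the check, and say so in the commit message so the CVE-2017-7853 fix is visibly accounted for.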
diff --git a/gnu/packages/telephony.scm b/gnu/packages/telephony.scm
index a08e6cf031..c06178cafb 100644
--- a/gnu/packages/telephony.scm
+++ b/gnu/packages/telephony.scm
@@ -359,14 +359,13 @@ (define-public zrtpcpp
(define-public osip
(package
(name "osip")
- (version "5.2.1")
+ (version "5.3.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/osip/libosip2-" version ".tar.gz"))
- (patches (search-patches "osip-CVE-2017-7853.patch"))
(sha256
(base32
- "1wibs2zs035ay7qvl5ai8drv6f0xw7iscb0frmpgax3pisy88dzf"))))
+ "0yfwd8g2nxf3i9d8gqh6a16ma350dlhih4awbb0nl9h82s2gx0py"))))
(build-system gnu-build-system)
(synopsis "Library implementing SIP (RFC-3261)")
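Review bot: The new base32 value on the sha256 line is the only integrity check on the libosip2-5.3.1 tarball fetched from mirror://gnu, and nothing in the submission says how it was obtained. Please state that the tarball was checked against the release signature, if one is published, before the hash was computed. With the patches field removed in the same hunk, the CVE-2017-7853 fix now depends entirely on the contents of that tarball.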
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#73696; Package guix-patches. (Tue, 08 Oct 2024 06:36:02 GMT)
Message #11 received at 73696 <at> debbugs.gnu.org (full text, mbox):
This fixes CVE-2014-10375.
* gnu/packages/telephony.scm (exosip): Update to 5.3.0.
---
gnu/packages/telephony.scm | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/telephony.scm b/gnu/packages/telephony.scm
index c06178cafb..714982c5b0 100644
--- a/gnu/packages/telephony.scm
+++ b/gnu/packages/telephony.scm
@@ -377,17 +377,16 @@ (define-public osip
(upstream-name . "libosip2")))
(home-page "https://www.gnu.org/software/osip/")))
-
(define-public exosip
(package
(name "exosip")
- (version "4.1.0")
+ (version "5.3.0")
(source (origin
(method url-fetch)
- (uri (string-append "mirror://savannah/exosip/libeXosip2-"
+ (uri (string-append "mirror://savannah/exosip/libexosip2-"
version ".tar.gz"))
(sha256 (base32
- "17cna8kpc8nk1si419vgr6r42k2lda0rdk50vlxrw8rzg0xp2xrw"))))
+ "1hn9xgy8ny04hjqd1rra7c4nz5nf9abdd5ghr7nmrsiicjc26y2v"))))
(build-system gnu-build-system)
(inputs (list osip))
(synopsis "Sip abstraction library")
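Review bot: The first removed line in this hunk is the blank line between the end of the osip definition and "(define-public exosip", an unrelated whitespace change that should be dropped so the two definitions stay separated. The tarball name also changes case from libeXosip2- to libexosip2- without a mention in the commit log; add a line for it. Since 4.1.0 to 5.3.0 is a major-version jump and the next patch in the series exists to fix the sipwitch build against the 5.x series, sipwitch presumably does not build at this commit; consider folding that fix into this one so every commit builds.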
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#73696; Package guix-patches. (Tue, 08 Oct 2024 06:36:03 GMT)
Message #14 received at 73696 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/telephony.scm (sipwitch): Fix build.
[origin]<patches>: Add sipwitch-fix-build-with-exosip5.patch here...
* gnu/packages/patches: ...here and...
* gnu/local.mk: ...here.
---
gnu/local.mk | 1 +
.../sipwitch-fix-build-with-exosip5.patch | 77 +++++++++++++++++++
gnu/packages/telephony.scm | 4 +-
3 files changed, 81 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/sipwitch-fix-build-with-exosip5.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 25d6249319..fa9d7f7e0b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -2158,6 +2158,7 @@ dist_patch_DATA = \
%D%/packages/patches/shakespeare-spl-fix-grammar.patch \
%D%/packages/patches/shared-mime-info-xdgmime-path.patch \
%D%/packages/patches/sharutils-CVE-2018-1000097.patch \
+ %D%/packages/patches/sipwitch-fix-build-with-exosip5.patch \
%D%/packages/patches/slim-config.patch \
%D%/packages/patches/slim-login.patch \
%D%/packages/patches/slim-display.patch \
diff --git a/gnu/packages/patches/sipwitch-fix-build-with-exosip5.patch b/gnu/packages/patches/sipwitch-fix-build-with-exosip5.patch
new file mode 100644
index 0000000000..d18aa75f32
--- /dev/null
+++ b/gnu/packages/patches/sipwitch-fix-build-with-exosip5.patch
@@ -0,0 +1,77 @@
+From 59c0063443ce0de7f93c34b6c29dd3f12e678848 Mon Sep 17 00:00:00 2001
+From: Fredrick Brennan <copypaste <at> kittens.ph>
+Date: Fri, 3 Nov 2023 20:57:59 -0400
+Subject: [PATCH] Fix build with 5.x series of libexosip2
+
+---
+ common/voip.cpp | 5 +++--
+ utils/Makefile.am | 3 ++-
+ utils/sipquery.cpp | 6 +++++-
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/common/voip.cpp b/common/voip.cpp
+index d3ee15b..d0f6ebd 100644
+--- a/common/voip.cpp
++++ b/common/voip.cpp
+@@ -138,9 +138,10 @@ bool voip::make_prack_message(context_t ctx, tid_t tid, msg_t *msg)
+ if(!msg)
+ return false;
+
++ msg_t onexxmsg = NULL;
+ *msg = NULL;
+ eXosip_lock(ctx);
+- eXosip_call_build_prack(ctx, tid, msg);
++ eXosip_call_build_prack(ctx, tid, onexxmsg, msg);
+ if(!*msg) {
+ eXosip_unlock(ctx);
+ return false;
+@@ -438,7 +439,7 @@ void voip::create(context_t *ctx, const char *agent, int f)
+
+ #ifdef AF_INET6
+ if(family == AF_INET6)
+- eXosip_enable_ipv6(1);
++ voip::option(*ctx, EXOSIP_OPT_ENABLE_IPV6, (void *)2);
+ #endif
+ }
+
+diff --git a/utils/Makefile.am b/utils/Makefile.am
+index dd2040f..ffe6d09 100644
+--- a/utils/Makefile.am
++++ b/utils/Makefile.am
+@@ -22,7 +22,8 @@ sipcontrol_SOURCES = sipcontrol.cpp
+ sipcontrol_LDADD = @LDFLAGS@ @SIPWITCH_LIBS@
+
+ sipquery_SOURCES = sipquery.cpp
+-sipquery_LDADD = @LDFLAGS@ @SIPWITCH_EXOSIP2@ @SIPWITCH_LIBS@
++sipquery_LDFLAGS = -L$(top_builddir)/common -lsipwitch
++sipquery_LDADD = @LDFLAGS@ @SIPWITCH_LIBS@ @SIPWITCH_EXOSIP2@
+
+ sippasswd_SOURCES = sippasswd.cpp
+ sippasswd_LDADD = @LDFLAGS@ @SIPWITCH_LIBS@
+diff --git a/utils/sipquery.cpp b/utils/sipquery.cpp
+index 5b83590..f99512d 100644
+--- a/utils/sipquery.cpp
++++ b/utils/sipquery.cpp
+@@ -50,6 +50,10 @@ static struct eXosip_t *context = NULL;
+
+ using namespace ucommon;
+
++#include "sipwitch/voip.h"
++
++using namespace sipwitch;
++
+ #if defined(_MSWINDOWS_) && defined(__GNUC__)
+ // binds addrinfo for mingw32 linkage since otherwise mingw32 cannot
+ // cannot link proper getaddrinfo/freeaddrinfo calls that eXosip uses.
+@@ -226,7 +230,7 @@ usage:
+
+ #ifdef AF_INET6
+ if(family == AF_INET6) {
+- eXosip_enable_ipv6(1);
++ sipwitch::voip::option(EXOSIP_CONTEXT, EXOSIP_OPT_ENABLE_IPV6, (void *)2);
+ if(binding == NULL)
+ binding = "::0";
+ }
+--
+2.42.0
+
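Review bot: Both replacements for eXosip_enable_ipv6(1), in common/voip.cpp and utils/sipquery.cpp, pass "(void *)2", an integer literal cast to a pointer, as the option value; if voip::option forwards that argument to a setter that dereferences it, this reads from address 2 instead of enabling IPv6. Please check what voip::option expects and pass the address of an int if it takes a pointer, and explain why the value changes from 1 to 2. In make_prack_message, onexxmsg is always NULL when handed to eXosip_call_build_prack, and the call's return value is still ignored in favour of testing *msg; confirm that a NULL argument is acceptable there. The patch file also carries no note on where it was taken from, unlike the osip patch removed earlier in this series, which named its upstream commit; add the source URL at the top.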
diff --git a/gnu/packages/telephony.scm b/gnu/packages/telephony.scm
index 714982c5b0..99a8486b7f 100644
--- a/gnu/packages/telephony.scm
+++ b/gnu/packages/telephony.scm
@@ -409,7 +409,9 @@ (define-public sipwitch
(uri (string-append "mirror://gnu/sipwitch/sipwitch-"
version ".tar.gz"))
(sha256 (base32
- "10lli9c703d7qbarzc0lgmz963ppncvnrklwrnri0s1zcmmahyia"))))
+ "10lli9c703d7qbarzc0lgmz963ppncvnrklwrnri0s1zcmmahyia"))
+ (patches
+ (search-patches "sipwitch-fix-build-with-exosip5.patch"))))
(build-system gnu-build-system)
;; The configure.ac uses pkg-config but in a kludgy way which breaks when
;; cross-compiling. Among other issues there the program name "pkg-config"
--
2.46.0
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Tue, 15 Oct 2024 16:21:02 GMT)
Notification sent to Nicolas Graves <ngraves <at> ngraves.fr>: bug acknowledged by developer. (Tue, 15 Oct 2024 16:21:02 GMT)
Message #19 received at 73696-done <at> debbugs.gnu.org (full text, mbox):
Nicolas Graves <ngraves <at> ngraves.fr> skribis:
> gnu: osip: Update to 5.3.1.
> gnu: exosip: Update to 5.3.0. [security fixes]
> gnu: sipwitch: Fix build.
Applied, thanks!
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 13 Nov 2024 12:24:14 GMT)
This bug report was last modified 277 days ago.