ofono - Debian Package Tracker

general

source: ofono (main)
version: 2.16-5
maintainer: Debian Telepathy maintainers (archive) (DMD)
uploaders: Mike Gabriel [DMD] – Héctor Orón Martínez [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.21-1
oldstable: 1.31-3
stable: 1.31-3
testing: 2.16-5
unstable: 2.16-5

versioned links

1.21-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.31-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.16-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ofono
ofono-dev
ofono-scripts

action needed

A new upstream version is available: 2.17 high

A new upstream version 2.17 is available, you should consider packaging it.

Created: 2025-05-08 Last update: 2025-06-03 02:03

debian/patches: 1 patch with invalid metadata, 7 patches to forward upstream high

Among the 10 debian patches available in version 2.16-5 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-05-05 08:00

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 9a45efeb4cf84756ea661281b4be8b6aaad6612e
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Mon May 12 08:11:10 2025 +0200

    debian/patches: Add 0005-unit-Fix-string-field-size-in-test-stkutil-test-vectors.patch. Fix -Werror=unterminated-string-initialization.

Created: 2025-05-12 Last update: 2025-05-31 15:02

lintian reports 6 warnings normal

Lintian reports 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-05-05 Last update: 2025-05-05 10:31

16 low-priority security issues in bookworm low

There are 16 open security issues in bookworm.

16 issues left for the package maintainer to handle:

CVE-2023-2794: (needs triaging) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver().
CVE-2023-4232: (postponed; to be fixed through a stable update) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_status_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_status_report().
CVE-2023-4233: (postponed; to be fixed through a stable update) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS.
CVE-2023-4234: (postponed; to be fixed through a stable update) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_submit_report().
CVE-2023-4235: (postponed; to be fixed through a stable update) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver_report().
CVE-2024-7537: (postponed; to be fixed through a stable update) oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SMS message lists. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23157.
CVE-2024-7538: (postponed; to be fixed through a stable update) oFono CUSD AT Command Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT Commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23190.
CVE-2024-7539: (postponed; to be fixed through a stable update) oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23195.
CVE-2024-7540: (postponed; to be fixed through a stable update) oFono AT CMGL Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMGL commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23307.
CVE-2024-7541: (postponed; to be fixed through a stable update) oFono AT CMT Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMT commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23308.
CVE-2024-7542: (postponed; to be fixed through a stable update) oFono AT CMGR Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMGR commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23309.
CVE-2024-7543: (postponed; to be fixed through a stable update) oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23456.
CVE-2024-7544: (postponed; to be fixed through a stable update) oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23457.
CVE-2024-7545: (postponed; to be fixed through a stable update) oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23458.
CVE-2024-7546: (postponed; to be fixed through a stable update) oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23459.
CVE-2024-7547: (postponed; to be fixed through a stable update) oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of SMS PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23460.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-11 Last update: 2025-05-15 07:29

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2024-09-17 Last update: 2024-09-17 16:03

news

[rss feed]

[2025-05-15] ofono 2.16-5 MIGRATED to testing (Debian testing watch)
[2025-05-04] Accepted ofono 2.16-5 (source) into unstable (Mike Gabriel)
[2025-05-04] Accepted ofono 2.16-4 (source) into unstable (Mike Gabriel)
[2025-05-03] Accepted ofono 2.16-3 (source) into unstable (Mike Gabriel)
[2025-04-30] Accepted ofono 2.16-2 (source) into unstable (Mike Gabriel)
[2025-04-15] ofono 2.16-1 MIGRATED to testing (Debian testing watch)
[2025-04-09] Accepted ofono 2.16-1 (source) into unstable (Mike Gabriel)
[2025-03-16] ofono 2.14-1 MIGRATED to testing (Debian testing watch)
[2025-01-05] Accepted ofono 2.14-1 (source) into unstable (Mike Gabriel)
[2024-11-18] Accepted ofono 2.12-1 (source) into unstable (Mike Gabriel)
[2024-11-05] Accepted ofono 2.11-1 (source) into unstable (Mike Gabriel)
[2024-09-17] Accepted ofono 2.10-1 (source) into unstable (Mike Gabriel)
[2024-09-07] ofono REMOVED from testing (Debian testing watch)
[2024-05-29] ofono 1.31-4 MIGRATED to testing (Debian testing watch)
[2024-05-24] Accepted ofono 1.31-4 (source) into unstable (Mike Gabriel)
[2020-04-03] ofono 1.31-3 MIGRATED to testing (Debian testing watch)
[2020-03-28] Accepted ofono 1.31-3 (source) into unstable (Laurent Bigonville)
[2020-03-28] Accepted ofono 1.31-2.1 (source) into unstable (Paul Gevers)
[2020-01-02] Accepted ofono 1.31-2 (source amd64 all) into unstable, unstable (Laurent Bigonville)
[2019-02-08] Accepted ofono 1.28-1 (source amd64 all) into unstable (Héctor Orón Martínez) (signed by: Hector Oron Martinez)
[2017-11-17] ofono 1.21-1 MIGRATED to testing (Debian testing watch)
[2017-11-10] Accepted ofono 1.21-1 (source amd64 all) into unstable (Laurent Bigonville)
[2016-06-10] ofono 1.18-1 MIGRATED to testing (Debian testing watch)
[2016-06-04] Accepted ofono 1.18-1 (source amd64 all) into unstable (Laurent Bigonville)
[2015-05-19] ofono 1.15-3 MIGRATED to testing (Britney)
[2015-05-13] Accepted ofono 1.15-3 (source all amd64) into unstable (Laurent Bigonville)
[2014-10-30] ofono 1.15-2 MIGRATED to testing (Britney)
[2014-10-20] Accepted ofono 1.15-2 (source all i386) into unstable (Hector Oron) (signed by: Hector Oron Martinez)
[2014-09-29] ofono 1.15-1 MIGRATED to testing (Britney)
[2014-09-24] Accepted ofono 1.15-1 (source all amd64) into unstable (Hector Oron) (signed by: Hector Oron Martinez)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 6)
buildd: logs, checks, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.16-5ubuntu1
129 bugs (1 patch)
patches for 2.16-5ubuntu1