ofono - Debian Package Tracker

general

source: ofono (main)
version: 2.14-1
maintainer: Debian Telepathy maintainers (archive) (DMD)
uploaders: Mike Gabriel [DMD] – Héctor Orón Martínez [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.21-1
oldstable: 1.31-3
stable: 1.31-3
unstable: 2.14-1

versioned links

1.21-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.31-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.14-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ofono (2 bugs: 0, 2, 0, 0)
ofono-dev
ofono-scripts

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2024-7537: oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SMS message lists. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23157.
CVE-2024-7538: oFono CUSD AT Command Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT Commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23190.

Created: 2024-04-11 Last update: 2025-01-06 06:32

15 security issues in trixie high

There are 15 open security issues in trixie.

15 important issues:

CVE-2023-4232: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_status_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_status_report().
CVE-2023-4233: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS.
CVE-2023-4234: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_submit_report().
CVE-2023-4235: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver_report().
CVE-2024-7537: oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SMS message lists. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23157.
CVE-2024-7538: oFono CUSD AT Command Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT Commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23190.
CVE-2024-7539: oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23195.
CVE-2024-7540: oFono AT CMGL Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMGL commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23307.
CVE-2024-7541: oFono AT CMT Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMT commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23308.
CVE-2024-7542: oFono AT CMGR Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMGR commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23309.
CVE-2024-7543: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23456.
CVE-2024-7544: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23457.
CVE-2024-7545: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23458.
CVE-2024-7546: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23459.
CVE-2024-7547: oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of SMS PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23460.

Created: 2024-04-11 Last update: 2024-08-15 08:30

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2025-01-11 Last update: 2025-01-20 18:22

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-01-06 Last update: 2025-01-06 09:31

debian/patches: 5 patches to forward upstream low

Among the 5 debian patches available in version 2.14-1 of the package, we noticed the following issues:

5 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-01-06 08:04

16 low-priority security issues in bookworm low

There are 16 open security issues in bookworm.

16 issues left for the package maintainer to handle:

CVE-2023-2794: (needs triaging) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver().
CVE-2023-4232: (postponed; to be fixed through a stable update) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_status_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_status_report().
CVE-2023-4233: (postponed; to be fixed through a stable update) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS.
CVE-2023-4234: (postponed; to be fixed through a stable update) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_submit_report().
CVE-2023-4235: (postponed; to be fixed through a stable update) A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver_report().
CVE-2024-7537: (postponed; to be fixed through a stable update) oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SMS message lists. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23157.
CVE-2024-7538: (postponed; to be fixed through a stable update) oFono CUSD AT Command Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT Commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23190.
CVE-2024-7539: (postponed; to be fixed through a stable update) oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23195.
CVE-2024-7540: (postponed; to be fixed through a stable update) oFono AT CMGL Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMGL commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23307.
CVE-2024-7541: (postponed; to be fixed through a stable update) oFono AT CMT Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMT commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23308.
CVE-2024-7542: (postponed; to be fixed through a stable update) oFono AT CMGR Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMGR commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23309.
CVE-2024-7543: (postponed; to be fixed through a stable update) oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23456.
CVE-2024-7544: (postponed; to be fixed through a stable update) oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23457.
CVE-2024-7545: (postponed; to be fixed through a stable update) oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23458.
CVE-2024-7546: (postponed; to be fixed through a stable update) oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23459.
CVE-2024-7547: (postponed; to be fixed through a stable update) oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of SMS PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23460.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-11 Last update: 2025-01-06 06:32

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2024-09-17 Last update: 2024-09-17 16:03

testing migrations

excuses:
- Migration status for ofono (- to 2.14-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating ofono would introduce bugs in testing: #1078555
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/o/ofono.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Reproducible on armhf - info ♻
- ∙ ∙ Reproducible on i386 - info ♻
- ∙ ∙ 14 days old (needed 5 days)
- Not considered

news

[rss feed]

[2025-01-05] Accepted ofono 2.14-1 (source) into unstable (Mike Gabriel)
[2024-11-18] Accepted ofono 2.12-1 (source) into unstable (Mike Gabriel)
[2024-11-05] Accepted ofono 2.11-1 (source) into unstable (Mike Gabriel)
[2024-09-17] Accepted ofono 2.10-1 (source) into unstable (Mike Gabriel)
[2024-09-07] ofono REMOVED from testing (Debian testing watch)
[2024-05-29] ofono 1.31-4 MIGRATED to testing (Debian testing watch)
[2024-05-24] Accepted ofono 1.31-4 (source) into unstable (Mike Gabriel)
[2020-04-03] ofono 1.31-3 MIGRATED to testing (Debian testing watch)
[2020-03-28] Accepted ofono 1.31-3 (source) into unstable (Laurent Bigonville)
[2020-03-28] Accepted ofono 1.31-2.1 (source) into unstable (Paul Gevers)
[2020-01-02] Accepted ofono 1.31-2 (source amd64 all) into unstable, unstable (Laurent Bigonville)
[2019-02-08] Accepted ofono 1.28-1 (source amd64 all) into unstable (Héctor Orón Martínez) (signed by: Hector Oron Martinez)
[2017-11-17] ofono 1.21-1 MIGRATED to testing (Debian testing watch)
[2017-11-10] Accepted ofono 1.21-1 (source amd64 all) into unstable (Laurent Bigonville)
[2016-06-10] ofono 1.18-1 MIGRATED to testing (Debian testing watch)
[2016-06-04] Accepted ofono 1.18-1 (source amd64 all) into unstable (Laurent Bigonville)
[2015-05-19] ofono 1.15-3 MIGRATED to testing (Britney)
[2015-05-13] Accepted ofono 1.15-3 (source all amd64) into unstable (Laurent Bigonville)
[2014-10-30] ofono 1.15-2 MIGRATED to testing (Britney)
[2014-10-20] Accepted ofono 1.15-2 (source all i386) into unstable (Hector Oron) (signed by: Hector Oron Martinez)
[2014-09-29] ofono 1.15-1 MIGRATED to testing (Britney)
[2014-09-24] Accepted ofono 1.15-1 (source all amd64) into unstable (Hector Oron) (signed by: Hector Oron Martinez)
[2013-06-16] ofono 1.9-2 MIGRATED to testing (Debian testing watch)
[2013-06-05] Accepted ofono 1.9-2 (source all amd64) (Hector Oron) (signed by: Hector Oron Martinez)
[2012-08-09] Accepted ofono 1.9-1 (source all amd64) (Konstantinos Margaritis)
[2012-06-12] ofono 1.6-2 MIGRATED to testing (Debian testing watch)
[2012-06-01] Accepted ofono 1.6-2 (source all) (Hector Oron) (signed by: Hector Oron Martinez)
[2012-06-01] Accepted ofono 1.6-1 (source all) (Hector Oron) (signed by: Hector Oron Martinez)
[2011-09-04] ofono 0.53-2 MIGRATED to testing (Debian testing watch)
[2011-08-24] Accepted ofono 0.53-2 (source all amd64) (Jonny Lamb)

bugs [bug history graph]

all: 2 3
RC: 1
I&N: 1 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 7)
buildd: logs, checks
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.31-3ubuntu3
129 bugs (1 patch)
patches for 1.31-3ubuntu3