From ${URL} : Multiple security issues were reported in libosip2. CVE-2016-10324 - In libosip2 in GNU oSIP, a malformed SIP message can lead to a heap buffer overflow in the osip_clrncpy() function defined in osipparser2/osip_port.c. https://savannah.gnu.org/support/index.php?109133 CVE-2016-10325 - In libosip2 in GNU oSIP, a malformed SIP message can lead to a heap buffer overflow in the _osip_message_to_str() function defined in osipparser2/osip_message_to_str.c, resulting in a remote DoS. https://savannah.gnu.org/support/index.php?109131 CVE-2016-10326 - In libosip2 in GNU oSIP, a malformed SIP message can lead to a heap buffer overflow in the osip_body_to_str() function defined in osipparser2/osip_body.c, resulting in a remote DoS. https://savannah.gnu.org/support/index.php?109132 CVE-2017-7853 - In libosip2 in GNU oSIP, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS. https://savannah.gnu.org/support/index.php?109265 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@bircoph, greetings! Due to multiple outstanding vulnerabilities within net-libs/libosip that have not been corrected within Gentoo or upstream (after several years) we would like to last-rite it. Unfortunately, net-voip/linphone depends on it. Please let security know if we can last-rite net-voip/linphone in order to proceed. Mike Boyle Gentoo Security Padawan
Upstream has released v5.0.0 in 2016. The latest version in portage is 4.0.0 which was released in 2012 (see https://ftp.gnu.org/gnu/osip/ ).
At least net-voip/linphone-3.6.1 can be built against and works fine with net-libs/libosip-5.0.0 (currently not in the tree). To get net-libs/libosip-5.0.0 to build successfully it is enough to rename libosip-4.0.0 ebuild appropriately.
I modified the ebuilds for libexosip2 and libosip2 v5.0.0 here: https://github.com/anyc/anyc-overlay/tree/master/net-libs I renamed libosip to libosip2 and libeXosip to libexosip2 in order to reflect upstream naming and removed the slotting as old versions seem unsupported.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=529da2a566027d4ca738ebafec7230da75eb23c2 commit 529da2a566027d4ca738ebafec7230da75eb23c2 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-03-13 09:43:45 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-03-13 09:44:02 +0000 net-libs/libosip: Remove last-rited pkg Bug: https://bugs.gentoo.org/616490 Signed-off-by: Michał Górny <mgorny@gentoo.org> net-libs/libosip/Manifest | 2 -- .../files/libosip-3.3.0-out-source-build.patch | 16 ---------- net-libs/libosip/libosip-3.6.0.ebuild | 33 -------------------- net-libs/libosip/libosip-4.0.0.ebuild | 35 ---------------------- net-libs/libosip/metadata.xml | 5 ---- profiles/package.mask | 1 - 6 files changed, 92 deletions(-)
This has been removed from tree. Arches and Maintainer(s), Thank you for your work.