Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616490 (CVE-2016-10324, CVE-2016-10325, CVE-2016-10326, CVE-2017-7853) - net-libs/libosip: multiple vulnerabilities
Summary: net-libs/libosip: multiple vulnerabilities
Alias: CVE-2016-10324, CVE-2016-10325, CVE-2016-10326, CVE-2017-7853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [upstream/cve],Pending removal: 20...
Keywords: PMASKED
Depends on: 504114
  Show dependency tree
Reported: 2017-04-24 12:02 UTC by Agostino Sarubbo
Modified: 2019-03-27 02:34 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-24 12:02:46 UTC
From ${URL} :

Multiple security issues were reported in libosip2.

CVE-2016-10324 - In libosip2 in GNU oSIP, a malformed SIP message can lead to a heap buffer overflow in the osip_clrncpy() function defined in osipparser2/osip_port.c.

CVE-2016-10325 - In libosip2 in GNU oSIP, a malformed SIP message can lead to a heap buffer overflow in the _osip_message_to_str() function defined in 
osipparser2/osip_message_to_str.c, resulting in a remote DoS.

CVE-2016-10326 - In libosip2 in GNU oSIP, a malformed SIP message can lead to a heap buffer overflow in the osip_body_to_str() function defined in osipparser2/osip_body.c, resulting 
in a remote DoS.

CVE-2017-7853 - In libosip2 in GNU oSIP, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, 
resulting in a remote DoS.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Michael Boyle 2018-04-18 02:36:08 UTC
@bircoph, greetings! Due to multiple outstanding vulnerabilities within net-libs/libosip that have not been corrected within Gentoo or upstream (after several years) we would like to last-rite it. Unfortunately, net-voip/linphone depends on it. Please let security know if we can last-rite net-voip/linphone in order to proceed.

Mike Boyle
Gentoo Security Padawan
Comment 2 Mario Kicherer 2018-06-08 13:14:10 UTC
Upstream has released v5.0.0 in 2016. The latest version in portage is 4.0.0 which was released in 2012 (see ).
Comment 3 Maciej S. Szmigiero 2018-06-08 17:48:28 UTC
At least net-voip/linphone-3.6.1 can be built against and works fine with
net-libs/libosip-5.0.0 (currently not in the tree).

To get net-libs/libosip-5.0.0 to build successfully it is enough to rename
libosip-4.0.0 ebuild appropriately.
Comment 4 Mario Kicherer 2018-06-08 19:14:06 UTC
I modified the ebuilds for libexosip2 and libosip2 v5.0.0 here:

I renamed libosip to libosip2 and libeXosip to libexosip2 in order to reflect upstream naming and removed the slotting as old versions seem unsupported.
Comment 5 Larry the Git Cow gentoo-dev 2019-03-13 09:46:21 UTC
The bug has been referenced in the following commit(s):

commit 529da2a566027d4ca738ebafec7230da75eb23c2
Author:     Michał Górny <>
AuthorDate: 2019-03-13 09:43:45 +0000
Commit:     Michał Górny <>
CommitDate: 2019-03-13 09:44:02 +0000

    net-libs/libosip: Remove last-rited pkg
    Signed-off-by: Michał Górny <>

 net-libs/libosip/Manifest                          |  2 --
 .../files/libosip-3.3.0-out-source-build.patch     | 16 ----------
 net-libs/libosip/libosip-3.6.0.ebuild              | 33 --------------------
 net-libs/libosip/libosip-4.0.0.ebuild              | 35 ----------------------
 net-libs/libosip/metadata.xml                      |  5 ----
 profiles/package.mask                              |  1 -
 6 files changed, 92 deletions(-)
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 02:34:04 UTC
This has been removed from tree. 
Arches and Maintainer(s), Thank you for your work.