CVE-2018-8828

NameCVE-2018-8828
DescriptionA Buffer Overflow issue was discovered in Kamailio before 4.4.7, 5.0.x before 5.0.6, and 5.1.x before 5.1.2. A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap-based buffer overflow in the tmx_check_pretran function in modules/tmx/tmx_pretran.c.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4148-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kamailio (PTS)jessie4.2.0-2+deb8u3fixed
jessie (security)4.2.0-2+deb8u5fixed
stretch (security), stretch4.4.4-2+deb9u3fixed
buster5.1.6-1fixed
sid5.2.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kamailiosource(unstable)5.1.2-1high
kamailiosourcejessie4.2.0-2+deb8u3highDSA-4148-1
kamailiosourcestretch4.4.4-2+deb9u1highDSA-4148-1

Notes

https://github.com/EnableSecurity/advisories/tree/master/ES2018-05-kamailio-heap-overflow
https://github.com/kamailio/kamailio/commit/e1d8008a09d9390ebaf698abe8909e10dfec4097

Search for package or bug name: Reporting problems