Bug 188748 - net-voip/wengophone-bin 2.x DoS vulnerability (CVE-2007-4366)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: ~4 [noglsa]
Reported: 2007-08-13 21:06 UTC by Matt Fleming (RETIRED)
Modified: 2007-09-08 22:03 UTC
Description Matt Fleming (RETIRED) gentoo-dev 2007-08-13 21:06:55 UTC
A message validation check flaw in the WengoPhone SIP phone implementation may allow a remote attacker to crash the phone, causing denial of service.

The vulnerability occurs as a result of how the SIP client component handles an incorrectly formatted SIP packet. MESSAGE is a SIP method for Instant Messaging. After WengoPhone receives a malformed packet without a "Content-Type" field, which we call the "Missing Content-Type Vulnerability", it will crash.
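
An added example, not WengoPhone's code or its actual fix: a C check that treats a missing Content-Type on a SIP MESSAGE as a malformed request to answer with 400, instead of a pointer to dereference. The function names, the constructed sample message and the policy of accepting only text/plain bodies are assumptions.

```c
#include <string.h>
#include <strings.h>

/* Constructed sample: MESSAGE with a body but no Content-Type header. */
static const char SAMPLE_NO_CTYPE[] =
    "MESSAGE sip:bob@example.invalid SIP/2.0\r\n"
    "Call-ID: constructed-1\r\nCSeq: 1 MESSAGE\r\n"
    "Content-Length: 5\r\n\r\nhello";

/* Value of header `name` (case-insensitive), or NULL if the header
 * section does not contain it. Hypothetical helper. */
static const char *sip_header(const char *msg, const char *name)
{
    size_t n = strlen(name);
    const char *line = strstr(msg, "\r\n");      /* end of request line */
    while (line != NULL) {
        line += 2;
        if (*line == '\0' || strncmp(line, "\r\n", 2) == 0)
            return NULL;                         /* blank line: headers done */
        if (strncasecmp(line, name, n) == 0) {
            const char *p = line + n;
            while (*p == ' ' || *p == '\t') p++;
            if (*p == ':') {
                do { p++; } while (*p == ' ' || *p == '\t');
                return p;
            }
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* SIP status for an incoming MESSAGE: 200 accept, 400 malformed,
 * 415 unsupported body type (only text/plain is assumed renderable). */
int check_sip_message(const char *msg)
{
    if (msg == NULL || strncmp(msg, "MESSAGE ", 8) != 0)
        return 400;
    const char *end = strstr(msg, "\r\n\r\n");
    if (end == NULL)
        return 400;                              /* headers never terminated */
    const char *ctype = sip_header(msg, "Content-Type");
    if (ctype == NULL)
        ctype = sip_header(msg, "c");            /* compact header form */
    if (ctype == NULL)                           /* absent: never dereference */
        return end[4] != '\0' ? 400 : 200;
    return strncasecmp(ctype, "text/plain", 10) == 0 ? 200 : 415;
}

int main(void) { return check_sip_message(SAMPLE_NO_CTYPE) == 400 ? 0 : 1; }
```
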
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-13 21:08:39 UTC
CC'ing herd and setting whiteboard status.
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2007-08-27 14:33:34 UTC
This is CVE-2007-4366
wengophone-2.1.2 has been released which fixes the issue.
http://blog.openwengo.org/index.php?/archives/96-WengoPhone-releases-2.1.2-and-2.2-alpha-1.html
Comment 3 Olivier Crete (RETIRED) gentoo-dev 2007-09-05 21:36:26 UTC
I've put the new version of wengophone in the tree, and removed all old versions.
I also removed the downloads of pre-built libraries from Debian for amd64. WTF was that? We have emul lib packages for such cases, in any case I think they are included in the package now, so external libs are not needed. I will try to test on amd64 tonight or tomorrow to make sure I haven't broken anything.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 21:57:32 UTC
No stabilisation needed here, so removing amd64, there were no complaints up to now.  Olivier, I add you to cc instead alone.  As it is a minor issue (4), I set whiteboard to [noglsa] and ask security team to close this bug.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-08 22:03:20 UTC
(In reply to comment #4)
> No stabilisation needed here, so removing amd64, there were no complaints up to
> now.  Olivier, I add you to cc instead alone.  As it is a minor issue (4), I
> set whiteboard to [noglsa] and ask security team to close this bug.
> 

Right, closing without GLSA. Thanks again for your help, opfer.