From RedHat:

José Miguel Esparza discovered that insufficient input validation is performed on SIP protocol header field 'Content-Length' by opal library used by ekiga. This flaw can be used to write '\0' byte to attacker-controlled address and crash ekiga. Ekiga 2.0.10 using opal library 2.2.10 was released to address this issue.

I am not aware whether the versions in our tree are affected; the patch linked to at the RedHat bug references code that is not in opal-2.2.8. ( https://bugzilla.redhat.com/296371 )
Whiteboard and cc'ing maintainers. voip, please advise and patch as necessary.
voip, please advise.
*** Bug 194434 has been marked as a duplicate of this bug. ***
*** Bug 195068 has been marked as a duplicate of this bug. ***
(In reply to comment #5)
> *** Bug 195068 has been marked as a duplicate of this bug. ***

that is not "a duplicate of this bug", but actually a small patch and ebuild bump for ekiga-2.0.11

(Jakube, as http://bugs.gentoo.org/buglist.cgi?quicksearch=%23ekiga doesn't list it, nobody can probably find it.)
2.0.11 for both are in the tree
Created attachment 132965: pwlib-1.10.1-vsprintf.patch

RedHat issued a pwlib advisory for CVE-2007-4897. The CVE info states that Ekiga after 2.0.5 is not affected, which is false according to their bug. https://bugzilla.redhat.com/292831

I'll attach the patch that was also applied to pwlib upstream, we should include this. Sorry I didn't notice earlier.
updated pwlib is in the tree now.

Arches, please test and mark stable:
* dev-libs/pwlib-1.10.10-r1
* net-libs/opal-2.2.6
* net-im/ekiga-2.0.11

Targets are: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Please also test that the new pwlib also works with its other rrdeps.
(In reply to comment #9)
> Arches, please test and mark stable:
> * net-libs/opal-2.2.6

I think you mean opal 2.2.11?
x86 stable
(In reply to comment #10)
> (In reply to comment #9)
> > Arches, please test and mark stable:
> > * net-libs/opal-2.2.6
>
> I think you mean opal 2.2.11?

Yes, my bad.
Stable for HPPA.
* dev-libs/pwlib-1.10.10-r1
* net-libs/opal-2.2.6
* net-im/ekiga-2.0.11

amd64 stable
(In reply to comment #14)
> * dev-libs/pwlib-1.10.10-r1
> * net-libs/opal-2.2.6
> * net-im/ekiga-2.0.11
>
> amd64 stable

net-libs/opal-2.2.11 please. That was a typo up there.
ppc64 stable
alpha/ia64/sparc stable
amd64 done here.
ppc stable, ready for glsa-voting
I vote NO.
voting no too, and closing.