Bug 193095 - net-libs/opal <2.2.11 dev-libs/pwlib: Two DoS vulnerabilities in Ekiga (CVE-2007-{4897,4924})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://mail.gnome.org/archives/ekiga-...
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 194434 195068
Depends on:
Blocks:
 
Reported: 2007-09-19 17:13 UTC by Robert Buchholz (RETIRED)
Modified: 2007-10-17 22:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
pwlib-1.10.1-vsprintf.patch (405 bytes, patch)
2007-10-08 22:08 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 17:13:26 UTC
From RedHat:
  José Miguel Esparza discovered that insufficient input validation is
  performed on SIP protocol header field 'Content-Length' by opal library
  used by ekiga. This flaw can be used to write '\0' byte to
  attacker-controlled address and crash ekiga.  Ekiga 2.0.10 using opal
  library 2.2.10 was released to address this issue.

I am not aware whether the versions in our tree are affected; the patch linked
to at the RedHat bug references code that is not in opal-2.2.8.
( https://bugzilla.redhat.com/296371 )
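
The Content-Length flaw quoted in the description comes down to using a peer-supplied number as a buffer index. The C sketch below is an added illustration, not part of this bug report and not opal's code; `terminate_body`, `parse_content_length` and the buffer layout are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Illustration of the bug class only; this is not opal's code.
 * Unsafe pattern: the peer-supplied number is used directly as an index,
 * so a negative or oversized value moves the write outside the buffer:
 *
 *     body[atoi(content_length)] = '\0';
 */

/* Parse a Content-Length value strictly: decimal digits only, optional
 * surrounding whitespace, no sign, no overflow. Returns 0 on success. */
static int parse_content_length(const char *v, unsigned long long *out)
{
    char *end;

    while (*v == ' ' || *v == '\t') v++;
    if (!isdigit((unsigned char)*v)) return -1;   /* rejects "", "-1", "+5" */
    errno = 0;
    *out = strtoull(v, &end, 10);
    if (errno == ERANGE) return -1;               /* value does not fit */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    return *end == '\0' ? 0 : -1;                 /* trailing junk is an error */
}

/* NUL-terminate a received body at the declared length.
 * cap      = size of the body buffer in bytes (assumed layout)
 * received = bytes actually read from the peer into body
 * Returns the body length, or -1 if the header must be rejected. */
long terminate_body(char *body, size_t cap, size_t received,
                    const char *content_length)
{
    unsigned long long len;

    if (received >= cap) return -1;               /* no room for the NUL */
    if (parse_content_length(content_length, &len) != 0) return -1;
    if (len > received) return -1;                /* claims more than arrived */
    body[(size_t)len] = '\0';                     /* index is now < cap */
    return (long)len;
}
```
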
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 17:14:52 UTC
Whiteboard and cc'ing maintainers.

voip, please advise and patch as necessary.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-09-24 22:10:32 UTC
voip, please advise.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-10-01 19:37:50 UTC
*** Bug 194434 has been marked as a duplicate of this bug. ***
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-10-02 08:02:25 UTC
voip, please advise.
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2007-10-08 08:08:08 UTC
*** Bug 195068 has been marked as a duplicate of this bug. ***
Comment 6 Martin Capitanio 2007-10-08 08:47:15 UTC
(In reply to comment #5)
> *** Bug 195068 has been marked as a duplicate of this bug. ***
> 
that is not "a duplicate of this bug", but actually a small patch
and ebuild bump for ekiga-2.0.11

(Jakube, as http://bugs.gentoo.org/buglist.cgi?quicksearch=%23ekiga
doesn't list it, nobody can probably find it.)
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-08 15:36:45 UTC
2.0.11 for both are in the tree
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-10-08 22:08:53 UTC
Created attachment 132965
pwlib-1.10.1-vsprintf.patch

RedHat issued a pwlib advisory for CVE-2007-4897. The CVE info states that Ekiga after 2.0.5 is not affected, which is false according to their bug. https://bugzilla.redhat.com/292831

I'll attach the patch that was also applied to pwlib upstream, we should include this. Sorry I didn't notice earlier.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-10-09 21:17:57 UTC
updated pwlib is in the tree now.

Arches, please test and mark stable:
* dev-libs/pwlib-1.10.10-r1
* net-libs/opal-2.2.6
* net-im/ekiga-2.0.11

Targets are: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Please also test that the new pwlib also works with its other rrdeps.
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-10 05:57:53 UTC
(In reply to comment #9)
> Arches, please test and mark stable:
> * net-libs/opal-2.2.6

 I think you mean opal 2.2.11?
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-10 08:11:44 UTC
x86 stable
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-10-10 08:39:17 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > Arches, please test and mark stable:
> > * net-libs/opal-2.2.6
> 
>  I think you mean opal 2.2.11?

Yes, my bad.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-10 16:55:57 UTC
Stable for HPPA.
Comment 14 Mike Doty (RETIRED) gentoo-dev 2007-10-11 07:07:28 UTC
* dev-libs/pwlib-1.10.10-r1
* net-libs/opal-2.2.6
* net-im/ekiga-2.0.11

amd64 stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-10-11 09:37:47 UTC
(In reply to comment #14)
> * dev-libs/pwlib-1.10.10-r1
> * net-libs/opal-2.2.6
> * net-im/ekiga-2.0.11
> 
> amd64 stable

net-libs/opal-2.2.11 please. That was a typo up there.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2007-10-11 09:44:19 UTC
ppc64 stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2007-10-11 18:40:48 UTC
alpha/ia64/sparc stable
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2007-10-11 20:23:11 UTC
amd64 done here.
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-12 16:03:29 UTC
ppc stable, ready for glsa-voting
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-17 18:36:14 UTC
I vote NO.
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-17 22:16:46 UTC
voting no too, and closing.