Bug 45846 - pwlib < 1.6.0: multiple vulnerabilities allow remote DoS attacks and possibly execution of arbitrary code
Summary: pwlib < 1.6.0: multiple vulnerabilities allow remote DoS attacks and possibly...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://www.postincrement.com/openh323...
Reported: 2004-03-26 15:58 UTC by schaedpq
Modified: 2004-04-09 06:22 UTC
klieber: Assigned_To+

Description schaedpq 2004-03-26 15:58:27 UTC
Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.

Reproducible: Didn't try

The discovered security vulnerabilities (in several implementations of the
multimedia telephony protocols H.323 and H.225, including pwlib) could be
exploited remotely and will probably lead to a denial of service but may
possibly allow execution of arbitrary code.

The original announcement of the NISCC which discovered the vulnerabilities:
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
The developers' statement can be found here:
http://www.postincrement.com/openh323/nissc_vulnerabilty.html
The CVE assigned CAN-2004-0097 to this issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0097

The solution would be to update pwlib to 1.6.0 or higher (1.6.5 is the current
stable release, 1.6.3 the most current in portage, but the most current stable
one in portage is 1.5.0)
Temporary workaround is to filter network traffic: port 1720/tcp and 1720/udp

There are already some advisories, e.g. from Debian and Red Hat:
http://www.linuxsecurity.com/advisories/redhat_advisory-4022.html
http://www.debian.org/security/2004/dsa-448.en.html

This should be fixed ASAP as this vulnerability has been public since the 13th of January,
a fix has been available since the 18th of January and several distributors sent advisories
in February, so we are really late. :-(
Comment 1 Alastair Tse (RETIRED) gentoo-dev 2004-03-28 09:24:10 UTC
stkn, can we go stable with pwlib-1.6.3?
Comment 2 schaedpq 2004-03-28 09:56:42 UTC
I have a problem with pwlib-1.6.3-r1 (Arch: x86) in combination with openh323-1.13.2-r1 and openh323-1.12.2-r2. In both cases I get an error message when using simph323 to call someone:

Could not open sound device VIA 8233 - Check permissions or full duplex capability.
Could not open sound device VIA 8233 - Check permissions or full duplex capability.
Could not open sound device VIA 8233 - Check permissions or full duplex capability.
ALSA lib pcm_hw.c:1055:(snd_pcm_hw_open) open /dev/snd/pcmC0D0c failed: Device or resource busy
Could not open sound device VIA 8233 - Check permissions or full duplex capability.
ALSA lib pcm_hw.c:1055:(snd_pcm_hw_open) open /dev/snd/pcmC0D0c failed: Device or resource busy
Could not open sound device VIA 8233 - Check permissions or full duplex capability.
ALSA lib pcm_hw.c:1055:(snd_pcm_hw_open) open /dev/snd/pcmC0D0c failed: Device or resource busy
Could not open sound device VIA 8233 - Check permissions or full duplex capability.
ALSA lib pcm_hw.c:1055:(snd_pcm_hw_open) open /dev/snd/pcmC0D0c failed: Device or resource busy
Could not open sound device VIA 8233 - Check permissions or full duplex capability.
In call with ISDN gateway [192.168.202.10]

Then the connection is established but neither I nor the called person hears anything.
Of course I checked permissions (they are OK) and whether some other process is using /dev/snd/pcmC0D0c; this is not the case.
If I uninstall pwlib-1.6.3-r1 and reinstall pwlib-1.5.2-r2 (with openh323-1.12.2-r2) I have no problems and it worked like before the update.
So I believe the cause of this problem must be somewhere in pwlib because everything works when downgrading to pwlib-1.5.2-r2 and keeping the same version of openh323 (openh323-1.12.2-r2).
Comment 3 Stefan Knoblich (RETIRED) gentoo-dev 2004-03-28 17:26:55 UTC
looks like simph323 is trying to use full-duplex and your sound card doesn't support it, does gnomemeeting work for you?
Comment 4 schaedpq 2004-03-28 22:40:24 UTC
I am not sure about that. I'm quite confident that the vt8235 has full duplex capabilities. In the past there was also no problem when the two phoning people were speaking and hearing at the same time. If the hardware/ALSA driver did not support full duplex, this should not have been the case as far as I understand it.
And I'm not changing the openh323 version (or simph323 in the openh323 package), I only update/downgrade pwlib (with recompiling the same openh323 version) and have the problem with pwlib-1.6.3 and not with pwlib-1.5.2.
I tried to find out what was changed but was quite unsuccessful because I really don't know the pwlib. There were some changes in pwlib/plugins/sound_alsa/sound_alsa.cxx in the 3 months, but I don't know if they are significant.

I am not using gnomemeeting therefore it is not installed on my machine. But I will install and test it this evening after work and keep you informed about that.
Comment 5 foser (RETIRED) gentoo-dev 2004-03-29 04:20:29 UTC
back on topic here please stkn, we need to go stable on this.

@ Dominik : this problem does not directly relate to this bug and should've been filed as a new bug.
Comment 6 Alastair Tse (RETIRED) gentoo-dev 2004-03-29 06:19:58 UTC
i talked to stkn last night about this, we've decided to apply a patch against 1.5.2 (and then make it stable) for the security vulnerability rather than making pwlib 1.6.3 stable, as the one included with gnomemeeting-1.0 doesn't seem to be endorsed as stable by the openh323 people.
Comment 7 Stefan Knoblich (RETIRED) gentoo-dev 2004-03-29 15:58:31 UTC
pwlib-1.5.2-r3 is in the tree, please do a little testing so i can mark it stable tomorrow (tuesday)
Comment 8 Kurt Lieber (RETIRED) gentoo-dev 2004-03-29 23:41:36 UTC
adding other herds.
Comment 9 Kurt Lieber (RETIRED) gentoo-dev 2004-03-29 23:43:25 UTC
AMD64 -- pwlib-1.5.2-r3 has amd64 specific stuff in it (if [ ${ARCH} = "amd64" ] ; then) but no amd64 keywords.  plzfix when testing/marking stable.
Comment 10 Lars Weiler (RETIRED) gentoo-dev 2004-03-30 06:28:50 UTC
pwlib-1.5.2-r3 is stable on ppc.  Removing from Cc.
Comment 11 Jon Portnoy (RETIRED) gentoo-dev 2004-03-30 07:02:40 UTC
Stable, removing amd64 from CC
Comment 12 Sven Blumenstein (RETIRED) gentoo-dev 2004-03-30 07:15:39 UTC
Stable on sparc.
Comment 13 Kurt Lieber (RETIRED) gentoo-dev 2004-04-08 07:43:07 UTC
Aida -- can you draft this GLSA?
Comment 14 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-04-09 06:22:10 UTC
GLSA 200404-11 sent.