From ${URL} : A flaw in ptlib prior to 2.12.1 was fixed [1]; this prevents the "billion laughs" denial of service attack. This attack is due to improper length checks/recursion detection during XML entity expansion. If an attacker were able to provide as input a crafted XML document containing a large number of nested entity references, they could cause the application linked to ptlib (for example, Ekiga) to consume extreme amounts of CPU and memory. [1] http://opalvoip.svn.sourceforge.net/viewvc/opalvoip?view=revision&revision=28856
This is already fixed in ptlib-2.10.10
(In reply to comment #1) > This is already fixed in ptlib-2.10.10 Is this ready to be marked stable?
Arches, please stabilize net-libs/ptlib-2.10.10 net-libs/opal-3.10.10 Target keywords: alpha amd64 ia64 ppc ppc64 sparc x86
(In reply to comment #3) > Arches, please stabilize > net-libs/ptlib-2.10.10 > net-libs/opal-3.10.10 > > Target keywords: alpha amd64 ia64 ppc ppc64 sparc x86 This will cause a downgrade for ekiga's users: the ebuild says: <net-libs/opal-3.10.8[audio,sip,video,debug=,h323?] <net-libs/ptlib-2.10.8[ldap?,stun,v4l?,video,wav,debug=] What we should do?
Probably stabilize net-voip/ekiga-4.0.0-r1 since current stable ekiga does not work with these versions of net-libs/{opal,ptlib}
amd64 stable
x86 stable
ppc stable
ia64 stable
alpha stable
ppc64 stable
sparc team: *ping*
sparc is blocked by bug 464182
sparc stable
Cleanup, please! GLSA vote: no
NO too, keeping open for cleanup.
CVE-2013-1864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1864): The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a "billion laughs attack."
Maintaner(s): Please drop affected versions, security will remove in 30 days if no response.
Cleanup done, closing 29 Jan 2015; Kristian Fiskerstrand <k_f@gentoo.org> -ptlib-2.10.9.ebuild, -ptlib-2.6.7-r1.ebuild: Security cleanup c.f bug #461842
