CVE-2013-2221 Remote Heap Overflow
The ZRtp::storeMsgTemp() function is used to temporarily hold a packet in memory so that it may later be hashed/verified. A buffer overflow exists in this function due to a lack of bounds checking of the size of the source buffer.
CVE-2013-2222 Multiple Stack Overflows
ZRTPCPP contains multiple stack overflows that arise when preparing a response to a client's ZRTP Hello packet.
CVE-2013-2223 Information Leaking / Out of Bounds Reads
The ZRTPCPP library performs very little validation regarding the expected size of a packet versus the actual amount of data received. This can lead to both information leaking and out of bounds data reads (usually resulting in a crash).
=net-libs/libzrtpcpp-2.3.2 is unmasked in amd64, vulnerable to the above exploits, and does not build correctly. Did a version bump of the current ebuild && ebuild libzrtpcpp-2.3.4 digest, and was able to compile without issue.
Arches, please test and stabilize =net-libs/libzrtpcpp-2.3.4. Target arches: amd64 ppc x86. Thanks!
As usual, stabilizing works much better when arches are CC'd.
GLSA drafted and ready for review.
@maintainers: please clean up affected versions.
Vulnerable versions have been removed from the tree.
This issue was resolved and addressed in
GLSA 201309-13 at http://security.gentoo.org/glsa/glsa-201309-13.xml
by GLSA coordinator Sean Amoss (ackle).
GNU ZRTPCPP before 3.2.0 allows remote attackers to obtain sensitive
information (uninitialized heap memory) or cause a denial of service
(out-of-bounds read) via a crafted packet, as demonstrated by a truncated
Ping packet that is not properly handled by the getEpHash function.
Multiple stack-based buffer overflows in GNU ZRTPCPP before 3.2.0 allow
remote attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted ZRTP Hello packet to the (1)
ZRtp::findBestSASType, (2) ZRtp::findBestAuthLen, (3) ZRtp::findBestCipher,
(4) ZRtp::findBestHash, or (5) ZRtp::findBestPubKey functions.
Heap-based buffer overflow in the ZRtp::storeMsgTemp function in GNU ZRTPCPP
before 3.2.0 allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code via a large packet.
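
Added example (not ZRTPCPP code and not part of this report): the checks a receiver can make before copying a ZRTP message into a temporary buffer, covering both the missing bounds check described for ZRtp::storeMsgTemp() and the expected-versus-received size validation described for CVE-2013-2223. The function and constant names are hypothetical, and the header layout (0x505a preamble, then a 16-bit length in 32-bit words) is assumed from RFC 6189.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names. Layout assumed from RFC 6189: 0x505a preamble, then a
 * 16-bit big-endian length counted in 32-bit words. */
#define ZRTP_PREAMBLE  0x505aU
#define ZRTP_HDR_BYTES 4U
enum zrtp_check {
    ZRTP_OK = 0,
    ZRTP_ERR_SHORT = -1,     /* fewer bytes received than the header needs */
    ZRTP_ERR_PREAMBLE = -2,  /* not a ZRTP message */
    ZRTP_ERR_TRUNCATED = -3, /* declared length exceeds received bytes */
    ZRTP_ERR_TOO_SMALL = -4, /* declared length below what the parser reads */
    ZRTP_ERR_TOO_LARGE = -5  /* would not fit in the destination buffer */
};

/* Copy msg into dst only if the declared length, the received byte count,
 * the parser's minimum (min_len) and the buffer capacity all agree. */
int zrtp_store_checked(uint8_t *dst, size_t dst_cap,
                       const uint8_t *msg, size_t received,
                       size_t min_len, size_t *stored)
{
    *stored = 0;
    if (received < ZRTP_HDR_BYTES)
        return ZRTP_ERR_SHORT;
    if ((((unsigned)msg[0] << 8) | msg[1]) != ZRTP_PREAMBLE)
        return ZRTP_ERR_PREAMBLE;
    size_t declared = ((((size_t)msg[2]) << 8) | msg[3]) * 4U;
    if (declared > received)        /* reading further would leave the packet */
        return ZRTP_ERR_TRUNCATED;
    if (declared < ZRTP_HDR_BYTES || declared < min_len)
        return ZRTP_ERR_TOO_SMALL;
    if (declared > dst_cap)         /* copying would overflow dst */
        return ZRTP_ERR_TOO_LARGE;

    memset(dst, 0, dst_cap);        /* no stale bytes from an earlier message */
    memcpy(dst, msg, declared);
    *stored = declared;
    return ZRTP_OK;
}

int main(void)
{
    /* Constructed sample: header declares 6 words (24 bytes), 12 arrive. */
    uint8_t msg[12] = {0x50, 0x5a, 0x00, 0x06}, tmp[64];
    size_t n;
    return zrtp_store_checked(tmp, sizeof tmp, msg, sizeof msg, 24, &n)
           == ZRTP_ERR_TRUNCATED ? 0 : 1;
}
```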