Bug 481228 (CVE-2013-2221) - <net-libs/libzrtpcpp-2.3.4: multiple vulnerabilities (CVE-2013-{2221,2222,2223})
Summary: <net-libs/libzrtpcpp-2.3.4: multiple vulnerabilities (CVE-2013-{2221,2222,2223})
Status: RESOLVED FIXED
Alias: CVE-2013-2221
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://blog.azimuthsecurity.com/2013/...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-16 00:05 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2013-10-06 23:21 UTC

See Also:
Package list:
Runtime testing required: ---


Description Chí-Thanh Christopher Nguyễn gentoo-dev 2013-08-16 00:05:20 UTC
CVE-2013-2221 Remote Heap Overflow

The ZRtp::storeMsgTemp() function is used to temporarily hold a packet in memory so that it may later be hashed/verified. A buffer overflow exists in this function due to a lack of bounds checking of the size of the source buffer.

CVE-2013-2222 Multiple Stack Overflows

ZRTPCPP contains multiple stack overflows that arise when preparing a response to a client's ZRTP Hello packet.

CVE-2013-2223 Information Leaking / Out of Bounds Reads

The ZRTPCPP library performs very little validation regarding the expected size of a packet versus the actual amount of data received. This can lead to both information leaking and out of bounds data reads (usually resulting in a crash).
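As an added illustration (not libzrtpcpp's code and not from the advisory quoted above): a hypothetical C model of two of the bug classes described, the unchecked copy of a received message into a fixed-size temporary buffer (the CVE-2013-2221 pattern) beside a bounds-checked version, and a check of a header's declared length against the bytes actually received (the CVE-2013-2223 pattern). The struct, buffer size, header layout, and function names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of a ZRTP endpoint's temporary copy of the
 * last received handshake message, kept so it can be hashed later.
 * Assumed layout; not libzrtpcpp's own structures. */
#define TEMP_MSG_MAX 1024

struct zrtp_ctx {
    uint8_t temp_msg[TEMP_MSG_MAX];
    size_t  temp_msg_len;
};

/* Unchecked form (the pattern the advisory describes): trusts the caller's
 * length and copies it into a fixed-size buffer.  A packet longer than
 * TEMP_MSG_MAX overwrites whatever follows temp_msg in memory. */
void store_msg_temp_unchecked(struct zrtp_ctx *ctx,
                              const uint8_t *msg, size_t len)
{
    memcpy(ctx->temp_msg, msg, len);
    ctx->temp_msg_len = len;
}

/* Hardened form: reject anything that does not fit before touching memory.
 * Returns 0 on success, -1 if the packet is dropped. */
int store_msg_temp_checked(struct zrtp_ctx *ctx,
                           const uint8_t *msg, size_t len)
{
    if (msg == NULL || len > sizeof(ctx->temp_msg))
        return -1;
    memcpy(ctx->temp_msg, msg, len);
    ctx->temp_msg_len = len;
    return 0;
}

/* Models the out-of-bounds-read class: a header that declares a body length
 * (assumed here: 2-byte big-endian field at offset 2 of a 4-byte header)
 * must be validated against the bytes actually received before the body is
 * read.  Returns the declared body length, or -1 if the packet is truncated
 * (header incomplete, or header claims more bytes than arrived). */
long declared_body_len(const uint8_t *pkt, size_t received)
{
    if (pkt == NULL || received < 4)
        return -1;
    size_t body = ((size_t)pkt[2] << 8) | pkt[3];
    if (body > received - 4)
        return -1;
    return (long)body;
}
```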
Comment 1 Jason Oliveira 2013-08-16 02:30:15 UTC
=net-libs/libzrtpcpp-2.3.2 is unmasked in amd64, vulnerable to the above exploits, and does not build correctly. Did a version bump of the current ebuild && ebuild libzrtpcpp-2.3.4 digest, and was able to compile without issue.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 14:24:35 UTC
Arches, please test and stabilize =net-libs/libzrtpcpp-2.3.4. Target arches: amd64 ppc x86. Thanks!
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 02:17:49 UTC
As usual, stabilizing works much better when arches are CC'd.
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-28 10:27:34 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-28 10:27:49 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-01 15:52:23 UTC
ppc stable
Comment 7 Sean Amoss gentoo-dev Security 2013-09-01 19:02:54 UTC
GLSA drafted and ready for review.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-02 00:39:40 UTC
@maintainers: please clean up affected versions.
Comment 9 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-09-03 17:55:24 UTC
Vulnerable versions have been removed from the tree.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 22:31:20 UTC
This issue was resolved and addressed in
 GLSA 201309-13 at http://security.gentoo.org/glsa/glsa-201309-13.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 23:21:54 UTC
CVE-2013-2223 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2223):
  GNU ZRTPCPP before 3.2.0 allows remote attackers to obtain sensitive
  information (uninitialized heap memory) or cause a denial of service
  (out-of-bounds read) via a crafted packet, as demonstrated by a truncated
  Ping packet that is not properly handled by the getEpHash function.

CVE-2013-2222 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2222):
  Multiple stack-based buffer overflows in GNU ZRTPCPP before 3.2.0 allow
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted ZRTP Hello packet to the (1)
  ZRtp::findBestSASType, (2) ZRtp::findBestAuthLen, (3) ZRtp::findBestCipher,
  (4) ZRtp::findBestHash, or (5) ZRtp::findBestPubKey functions.

CVE-2013-2221 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2221):
  Heap-based buffer overflow in the ZRtp::storeMsgTemp function in GNU ZRTPCPP
  before 3.2.0 allows remote attackers to cause a denial of service (crash)
  and possibly execute arbitrary code via a large packet.