Bug 115563

Summary: CAN-2004-0097 PWlib/OpenH323 vulnerabilities
Product: [Fedora] Fedora
Reporter: Leonard den Ottolander <leonard-rh-bugzilla>
Component: pwlib
Assignee: Alexander Larsson <alexl>
Status: CLOSED DUPLICATE
Severity: medium
Priority: high
Version: 1
CC: mitr
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-02-21 19:01:12 UTC
Attachments:
- SPEC file to add CVE-CAN-2004-0097 ranges patch (flags: none)
- Patch taken from RHL 9 to address CVE-CAN-2004-0097 (flags: none)

Description Leonard den Ottolander 2004-02-13 15:58:58 UTC
Vulnerabilities in PWLib were found after running the NISCC OpenH323
test suite.

"Of the nearly 4500 tests in the suite, OpenH323 failed two of them,
which took three lines of code to fix. These pointed out several other
potential problems as well, so the total changes were about 20 lines." 

Fix:
http://cvs.sourceforge.net/viewcvs.py/openh323/pwlib/src/ptclib/asnper.cxx?r1=1.8&r2=1.6

The pwlib-1.4.7-ranges.patch applies cleanly against pwlib-1.5.0 from
Fedora Core 1.

Comment 1 Leonard den Ottolander 2004-02-13 16:00:23 UTC
Created attachment 97647
SPEC file to add CVE-CAN-2004-0097 ranges patch

Comment 2 Leonard den Ottolander 2004-02-13 16:01:55 UTC
Created attachment 97648
Patch taken from RHL 9 to address CVE-CAN-2004-0097

This patch patches cleanly against Fedora Core 1's pwlib-1.5.0.

Comment 3 Leonard den Ottolander 2004-02-13 16:11:56 UTC
Just a question as I stumbled on hunk #2 (#3 in the original patch) as
well: Shouldn't that function return len for this version of the code?
The return value was only changed to 0 in later versions of the code.
Changing it to 0 here might lead to unexpected results.


Comment 4 Alexander Larsson 2004-02-17 08:42:13 UTC
Well. That was basically a bugfix I applied at the same time as the
security fix. :)

Comment 5 Mark J. Cox 2004-02-17 13:36:05 UTC

*** This bug has been marked as a duplicate of 114310 ***

Comment 6 Leonard den Ottolander 2004-02-17 20:46:30 UTC
Yeah, I figured that out (comment #4). Had a closer look and saw the
length should not be returned by the function but only in &len.


Comment 7 Red Hat Bugzilla 2006-02-21 19:01:12 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.