Bug 152672

Summary: PWLib: Carefully crafted messages can cause a Denial of Service on an application.
Product: [Retired] Fedora Legacy
Reporter: David Lawrence <dkl>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium    
Version: unspecified   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.openh323.org/
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:23:29 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0097
https://rhn.redhat.com/errata/RHSA-2004-048.html

A test suite for the H.225 protocol (part of the H.323 family) provided by
the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker
could trigger these bugs by sending carefully crafted messages to an
application. The effects of such an attack can vary depending on the
application, but would usually result in a Denial of Service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0097 to this issue.



------- Additional Comments From jonny.strom 2004-02-15 03:11:07 ----

A backported fix for RH 7.3 is available from:

http://www.linuxsolutions.fi/~johnny/fedora_legacy/rh73/

pwlib-1.2.12-3.7.3.1.legacy.i386.rpm       dd31c44d1ea0d8e6341bcd0604bb64f1

pwlib-devel-1.2.12-3.7.3.1.legacy.i386.rpm cb18cb98e1e620b63122ebd7dd01c2f4

pwlib-1.2.12-3.7.3.1.legacy.src.rpm        a61430ef95666aa0d41d9162d6053ea5

pwlib-1.2.12-ranges.patch                  2dc35057a654f2a057491a008b1650c0 


I did some testing with Gnomemeeting, which uses pwlib, and it seems to work OK.
Note that Gnomemeeting can crash on exit; this is an old bug in Gnomemeeting, not
caused by this fix. In addition, if someone wants to do testing with other users
through an ILS server, the new address is ils.seconix.com.



------- Additional Comments From jkeating 2004-02-24 18:01:57 ----

Red Hat didn't ship w/ pwlib.  Building 8.0 rpms.



------- Additional Comments From jkeating 2004-02-24 19:12:55 ----

Pushed to updates-testing due to timeout.



------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1296 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1296
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was jonny.strom.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.