Bug 246034 (CVE-2007-1665)

Summary: CVE-2007-166{3,4,5} ekg denial of service vulnerabilities
Product: [Fedora] Fedora Reporter: Lubomir Kundrak <lkundrak>
Component: ekgAssignee: Dominik 'Rathann' Mierzejewski <dominik>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 7Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.debian.org/security/2007/dsa-1318
Whiteboard:
Fixed In Version: 1.7-1.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-07-02 16:09:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Fix for three denial of service vulnerabilities in ekg none

Description Lubomir Kundrak 2007-06-27 23:18:07 UTC 
Description of problem:

Debian issued an update for ekg patching three denial of service issues,
one of them triggerable by malicious Gadu-Gadu user:

   * Patched three medium severity security issues in src/events.c:
     - CVE-2007-1663 A memory leak in handling image messages, which may cause
       memory exhaustion resulting in a DoS (ekg program crash). Exploitable by
       a hostile GG user.
     - CVE-2007-1664 off-by-one in token OCR function, which may cause a null
       pointer dereference resulting in a DoS (ekg program crash). Exploitable
       by MiTM (hostile HTTP proxy or TCP stream injection) or a hostile GG
       server.
     - CVE-2007-1665 potential memory exhaust in token OCR function, which may
       cause memory exhaustion resulting in a DoS (ekg program crash).
       Exploitable by MiTM (hostile HTTP proxy or TCP stream injection) or a
       hostile GG server. 

Version-Release number of selected component (if applicable):

ekg-1.7-0.4.rc2.fc7
Comment 1 Lubomir Kundrak 2007-06-27 23:18:08 UTC 
Created attachment 158077 [details]
Fix for three denial of service vulnerabilities in ekg
Comment 2 Dominik 'Rathann' Mierzejewski 2007-06-30 00:10:56 UTC 
Fixed and built (available in koji).
Comment 3 Fedora Update System 2007-07-02 16:09:50 UTC 
ekg-1.7-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.