Bug 292831 (CVE-2007-4897)

Summary: CVE-2007-4897 ekiga GetHostAddress remote DoS
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: kreilly, veillard
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4897
Doc Type: Bug Fix
Last Closed: 2007-12-20 12:18:19 UTC
Bug Depends On: 297561, 301071, 301081, 833973
Attachments: pwlib PString::vsprintf patch (flags: none)

Description Tomas Hoger 2007-09-17 08:11:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4897 to the following vulnerability:

The SIPURL::GetHostAddress function in Ekiga (formerly GnomeMeeting) 2.0.5 and
earlier allows remote attackers to cause a denial of service (application
crash) via unspecified vectors, related to "bad management of memory
allocation."

References:
http://www.securityfocus.com/bid/25642
http://www.s21sec.com/avisos/s21sec-036-en.txt
http://marc.info/?l=full-disclosure&m=118959114522339&w=2


Note:
Advisory posted to full-disclosure stated versions 2.0.5 and prior are
vulnerable.  s21sec site seems to have updated advisory stating version
2.0.7 is also vulnerable.

Comment 1 Tomas Hoger 2007-09-17 11:20:16 UTC
s21sec advisory is a bit vague.  Their blog contains a bit more info (in Spanish):

http://blog.s21sec.com/2007/09/sobre-la-vulnerabilidad-del-ekiga.html

The blog entry links the following CVS commit as the fix for the issue:

http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sipcon.cxx?r1=2.120.2.25&r2=2.120.2.26&pathrev=v2_2_9


The problem lies not in ekiga itself, but in the opal library / package.

openh323 used by gnomemeeting in RHEL3 and RHEL4 does not seem to contain
vulnerable code.  Hence gnomemeeting (ekiga's predecessor) as shipped in Red Hat
Enterprise Linux 3 and 4 is not vulnerable.  cmontgom, could you please correct
me if this assertion is wrong and I've managed to miss something important.


Comment 3 Tomas Hoger 2007-09-17 18:14:05 UTC
New ekiga version 2.0.10 was released today:

http://mail.gnome.org/archives/ekiga-list/2007-September/msg00103.html

Announcement states this new version fixes this remote crash.

Comment 4 Daniel Veillard 2007-09-17 21:54:23 UTC
I contacted Damien Sandras this evening. The upstream patch for this
is the following:

http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sippdu.cxx?r1=2.83.2.19&r2=2.83.2.20&pathrev=Phobos

Daniel

Comment 5 Tomas Hoger 2007-09-19 14:19:05 UTC
The vulnerability fixed in ekiga 2.0.10 and addressed by the patch in comment #4 is
a different issue - CVE-2007-4924.

Comment 8 Tomas Hoger 2007-09-28 07:59:04 UTC
Created attachment 209771 [details]
pwlib PString::vsprintf patch

The root cause of the issue seems to lie in the pwlib library, in the implementation
of the PString class.  When the string is already longer than 1000 characters, a call
to (v)sprintf causes memory corruption.
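
The hardened counterpart of the pattern comment 8 describes (formatted text appended onto a string that is already long), as an added illustration that is neither pwlib's code nor the attached patch: a growable string whose append measures with vsnprintf and grows the buffer before writing, instead of relying on a fixed reserve. gstr, gstr_append_fmt and demo_append are hypothetical names, and the 1200-character filler is a constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable string: a hypothetical stand-in for the string class
 * discussed above, not pwlib's PString. */
typedef struct { char *data; size_t len, cap; } gstr;  /* data NUL-terminated */

/* Append formatted text. Rather than reserving a fixed slack and calling
 * vsprintf, measure with vsnprintf first and grow the buffer to fit, so an
 * append of any size onto a string of any length stays in bounds.
 * Returns 0 on success, -1 on allocation or formatting failure. */
int gstr_append_fmt(gstr *s, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int need = vsnprintf(NULL, 0, fmt, ap);   /* size 0: measure only */
    va_end(ap);
    if (need < 0) { va_end(ap2); return -1; }
    size_t required = s->len + (size_t)need + 1;  /* +1 for the NUL */
    if (required > s->cap) {
        size_t ncap = s->cap ? s->cap : 16;
        while (ncap < required) ncap *= 2;
        char *p = realloc(s->data, ncap);
        if (!p) { va_end(ap2); return -1; }
        s->data = p; s->cap = ncap;
    }
    vsnprintf(s->data + s->len, s->cap - s->len, fmt, ap2);
    va_end(ap2);
    s->len += (size_t)need;
    return 0;
}

/* Constructed scenario: a string already filler_len characters long, then a
 * formatted SIP-style URL appended to it. Returns the final length. */
size_t demo_append(size_t filler_len)
{
    gstr s = {0};
    char *filler = malloc(filler_len + 1);
    memset(filler, 'a', filler_len);
    filler[filler_len] = '\0';
    gstr_append_fmt(&s, "%s", filler);
    gstr_append_fmt(&s, "sip:%s@%s:%d", "user", "example.invalid", 5060);
    size_t n = s.len;
    free(filler); free(s.data);
    return n;
}
```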

Comment 12 Tomas Hoger 2007-12-20 12:18:19 UTC
Fixed in affected products:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0932.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2245