Bug 883058 (CVE-2012-5621)

Summary: CVE-2012-5621 ekiga: DoS (crash) after receiving call from other party with not UTF-8 valid name
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, otte, pbrobinson, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20110620,reported=20121202,source=internet,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhel-5/ekiga=notaffected,rhel-6/ekiga=defer,fedora-16/ekiga=affected,fedora-17/ekiga=notaffected
Fixed In Version: Ekiga 4.0.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-04 11:45:58 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 883063    
Bug Blocks: 883070    

Description Jan Lieskovsky 2012-12-03 12:25:43 EST
A denial of service flaw was found in the way Ekiga, a Gnome based SIP/H323 teleconferencing application, processed information from certain OPAL connections (UTF-8 strings were not verified for validity prior showing them). A remote attacker (other party with a not UTF-8 valid name) could use this flaw to cause ekiga executable crash.

Upstream bug report:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=653009

Relevant upstream patch:
[2] http://git.gnome.org/browse/ekiga/commit/?id=7d09807257

References:
[3] http://ftp.gnome.org/pub/gnome/sources/ekiga/4.0/ekiga-4.0.0.news
Comment 1 Jan Lieskovsky 2012-12-03 12:29:29 EST
This issue did NOT affect the version of the ekiga package, as shipped with Red Hat Enterprise Linux 5.

--

This issue affects the version of the ekiga package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the version of the ekiga package, as shipped with Fedora release of 16. Please schedule an update.

--

This issue affects the version of the ekiga package, as shipped with Fedora release of 17 (current version in -stable repository). Version ekiga-4.0.0-1.fc17 already available from the -testing repository is not vulnerable to this issue.
Comment 2 Jan Lieskovsky 2012-12-03 12:30:49 EST
Created ekiga tracking bugs for this issue

Affects: fedora-16 [bug 883063]
Comment 3 Jan Lieskovsky 2012-12-03 12:37:51 EST
CVE Request:
  http://www.openwall.com/lists/oss-security/2012/12/03/5
Comment 4 Jan Lieskovsky 2012-12-04 05:49:09 EST
The CVE identifier of CVE-2012-5621 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2012/12/04/3
Comment 5 Huzaifa S. Sidhpurwala 2012-12-06 03:17:41 EST
Statement:

This issue does not affect the version of ekiga as shipped with Red Hat Enterprise Linux 5. This issue affects the version of ekiga as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.
Comment 6 Peter Robinson 2013-01-10 02:31:34 EST
Are we sure that 4.0.0 isn't vulnerable?

This is the fix in trunk:

http://opalvoip.svn.sourceforge.net/viewvc/opalvoip?view=revision&revision=28824

And updated sample code:

http://opalvoip.svn.sourceforge.net/viewvc/opalvoip/ptlib/trunk/samples/pxml/main.cxx?revision=28826&view=markup
Comment 7 Fedora Update System 2013-03-03 17:34:07 EST
ptlib-2.10.10-1.fc18, opal-3.10.10-1.fc18, ekiga-4.0.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-03-03 17:40:11 EST
ptlib-2.10.10-1.fc17, opal-3.10.10-1.fc17, ekiga-4.0.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.