292831 – (CVE-2007-4897) CVE-2007-4897 ekiga GetHostAddress remote DoS

Bug 292831 (CVE-2007-4897) - CVE-2007-4897 ekiga GetHostAddress remote DoS

Summary: CVE-2007-4897 ekiga GetHostAddress remote DoS

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-4897
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:	297561 Engineering301071 Engineering301081 Engineering833973
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-17 08:11 UTC by Tomas Hoger
Modified:	2019-09-29 12:21 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-12-20 12:18:19 UTC

Attachments	(Terms of Use)
pwlib PString::vsprintf patch (405 bytes, patch) 2007-09-28 07:59 UTC, Tomas Hoger	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0932	0	normal	SHIPPED_LIVE	Moderate: pwlib security update	2007-10-08 08:07:44 UTC

Description Tomas Hoger 2007-09-17 08:11:25 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4897 to the following vulnerability:

The SIPURL::GetHostAddress function in Ekiga (formerly GnomeMeeting) 2.0.5 and
earlier allows remote attackers to cause a denial of service (application
crash) via unspecified vectors, related to "bad management of memory
allocation."

References:
http://www.securityfocus.com/bid/25642
http://www.s21sec.com/avisos/s21sec-036-en.txt
http://marc.info/?l=full-disclosure&m=118959114522339&w=2


Note:
Advisory posted to full-disclosure stated versions 2.0.5 and prior are
vulnerable.  s21sec site seems to have updated advisory stating version
2.0.7 is also vulnerable.

Comment 1 Tomas Hoger 2007-09-17 11:20:16 UTC

s21sec advisory is a bit vague.  Their blog contains bit more info (in Spanish):

http://blog.s21sec.com/2007/09/sobre-la-vulnerabilidad-del-ekiga.html

Blog entry links following CVS commit as fix to the issue:

http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sipcon.cxx?r1=2.120.2.25&r2=2.120.2.26&pathrev=v2_2_9


Problem lies not in ekiga itself, but in opal library / package.

openh323 used by gnomemeeting in RHEL3 and RHEL4 does not seem to contain
vulnerable code.  Hence gnomemeeting (ekiga's predecessor) as shipped in Red Hat
Enterprise Linux 3 and 4 is not vulnerable.  cmontgom, could you please correct
me if this assertion is wrong and I've managed to miss something important.

Comment 3 Tomas Hoger 2007-09-17 18:14:05 UTC

New ekiga version 2.0.10 was released today:

http://mail.gnome.org/archives/ekiga-list/2007-September/msg00103.html

Announcement states this new version fixes this remote crash.

Comment 4 Daniel Veillard 2007-09-17 21:54:23 UTC

I contacted Damien Sandras this evening. The upstream patch for this
is the following:

http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sippdu.cxx?r1=2.83.2.19&r2=2.83.2.20&pathrev=Phobos

Daniel

Comment 5 Tomas Hoger 2007-09-19 14:19:05 UTC

Vulnerability fixed in ekiga 2.0.10 and addressed by patch in comment #4 is
different issue - CVE-2007-4924.

Comment 8 Tomas Hoger 2007-09-28 07:59:04 UTC

Created attachment 209771 [details]
pwlib PString::vsprintf patch

Root cause of the issue seems to lie in the pwlib library in implementation of
PString class.	When string is already longer then 1000 characters, call to
(v)sprintf cause memory corruption.

Comment 12 Tomas Hoger 2007-12-20 12:18:19 UTC

Fixed in affected products:

Red Hat Enterprise Linux:  	
  http://rhn.redhat.com/errata/RHSA-2007-0932.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2245

Note You need to log in before you can comment on or make changes to this bug.