Bug 292831 (CVE-2007-4897) - CVE-2007-4897 ekiga GetHostAddress remote DoS
Summary: CVE-2007-4897 ekiga GetHostAddress remote DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-4897
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On: 297561 301071 301081 833973
Blocks:
Reported: 2007-09-17 08:11 UTC by Tomas Hoger
Modified: 2019-09-29 12:21 UTC (History)
2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-20 12:18:19 UTC


Attachments
pwlib PString::vsprintf patch (405 bytes, patch)
2007-09-28 07:59 UTC, Tomas Hoger


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0932 normal SHIPPED_LIVE Moderate: pwlib security update 2007-10-08 08:07:44 UTC

Description Tomas Hoger 2007-09-17 08:11:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4897 to the following vulnerability:

The SIPURL::GetHostAddress function in Ekiga (formerly GnomeMeeting) 2.0.5 and
earlier allows remote attackers to cause a denial of service (application
crash) via unspecified vectors, related to "bad management of memory
allocation."

References:
http://www.securityfocus.com/bid/25642
http://www.s21sec.com/avisos/s21sec-036-en.txt
http://marc.info/?l=full-disclosure&m=118959114522339&w=2


Note:
Advisory posted to full-disclosure stated versions 2.0.5 and prior are
vulnerable.  s21sec site seems to have updated advisory stating version
2.0.7 is also vulnerable.

Comment 1 Tomas Hoger 2007-09-17 11:20:16 UTC
s21sec advisory is a bit vague.  Their blog contains a bit more info (in Spanish):

http://blog.s21sec.com/2007/09/sobre-la-vulnerabilidad-del-ekiga.html

Blog entry links the following CVS commit as the fix to the issue:

http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sipcon.cxx?r1=2.120.2.25&r2=2.120.2.26&pathrev=v2_2_9


The problem lies not in ekiga itself, but in the opal library / package.

openh323 used by gnomemeeting in RHEL3 and RHEL4 does not seem to contain the
vulnerable code.  Hence gnomemeeting (ekiga's predecessor) as shipped in Red Hat
Enterprise Linux 3 and 4 is not vulnerable.  cmontgom, could you please correct
me if this assertion is wrong and I've managed to miss something important.


Comment 3 Tomas Hoger 2007-09-17 18:14:05 UTC
New ekiga version 2.0.10 was released today:

http://mail.gnome.org/archives/ekiga-list/2007-September/msg00103.html

Announcement states this new version fixes this remote crash.

Comment 4 Daniel Veillard 2007-09-17 21:54:23 UTC
I contacted Damien Sandras this evening. The upstream patch for this
is the following:

http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sippdu.cxx?r1=2.83.2.19&r2=2.83.2.20&pathrev=Phobos

Daniel

Comment 5 Tomas Hoger 2007-09-19 14:19:05 UTC
The vulnerability fixed in ekiga 2.0.10 and addressed by the patch in comment #4
is a different issue - CVE-2007-4924.

Comment 8 Tomas Hoger 2007-09-28 07:59:04 UTC
Created attachment 209771 [details]
pwlib PString::vsprintf patch

The root cause of the issue seems to lie in the pwlib library, in the
implementation of the PString class.  When the string is already longer than
1000 characters, a call to (v)sprintf causes memory corruption.
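The bug class comment 8 describes, a fixed-size scratch region handed to an unbounded (v)sprintf while the string it is appended to can already be longer than that region, is shown below as an added example. This is not pwlib's code and not the attached patch: the `gstr` type, the `FIXED_RESERVE` constant, the function names and the sample input are all assumptions made for illustration. Only the 1000-character figure comes from the report. The unsafe pattern is modelled arithmetically rather than executed, so the program does not actually corrupt memory; the hardened routine measures with vsnprintf first, grows the buffer to exactly what is needed, then writes with a bound.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable string standing in for a PString-like object.
 * Assumed layout for illustration only, not pwlib's. */
typedef struct {
    char   *buf;   /* NUL-terminated contents, or NULL when empty */
    size_t  cap;   /* bytes allocated for buf, including the NUL */
    size_t  len;   /* strlen(buf) */
} gstr;

/* Size of the fixed scratch region the unsafe pattern assumes is enough
 * for any formatted output. 1000 is the figure from the bug report; how
 * the original code used it is an assumption here. */
#define FIXED_RESERVE 1000

void gstr_init(gstr *s) { s->buf = NULL; s->cap = 0; s->len = 0; }
void gstr_free(gstr *s) { free(s->buf); gstr_init(s); }

/* Append n copies of c, growing the buffer as needed. Returns 0 on success. */
int gstr_fill(gstr *s, char c, size_t n)
{
    char *p = realloc(s->buf, s->len + n + 1);
    if (p == NULL)
        return -1;
    memset(p + s->len, c, n);
    s->buf = p;
    s->cap = s->len + n + 1;
    s->len += n;
    s->buf[s->len] = '\0';
    return 0;
}

/* Models the unsafe pattern without performing the write: the buffer is
 * sized to FIXED_RESERVE bytes and vsprintf() writes at buf + existing_len
 * with no bound. Returns 1 if that write (output plus NUL) would end past
 * the reserved region, i.e. would corrupt memory, else 0. */
int unsafe_pattern_overflows(size_t existing_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(NULL, 0, fmt, ap);   /* measure only, writes nothing */
    va_end(ap);
    if (need < 0)
        return 1;                             /* treat a format failure as unsafe */
    return existing_len + (size_t)need + 1 > FIXED_RESERVE;
}

/* Hardened append: measure, grow to exactly len + need + 1, then write with
 * vsnprintf() bounded by the remaining capacity.
 * Returns the new length, or -1 on allocation or formatting failure. */
long gstr_appendf(gstr *s, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);                         /* the measuring call consumes ap */
    int need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (need < 0) {
        va_end(ap2);
        return -1;
    }
    size_t want = s->len + (size_t)need + 1;
    if (want > s->cap) {
        char *p = realloc(s->buf, want);
        if (p == NULL) {
            va_end(ap2);
            return -1;
        }
        s->buf = p;
        s->cap = want;
    }
    int wrote = vsnprintf(s->buf + s->len, s->cap - s->len, fmt, ap2);
    va_end(ap2);
    if (wrote != need)
        return -1;                            /* defensive: must match the measure */
    s->len += (size_t)wrote;
    return (long)s->len;
}

/* Demo: a string already longer than FIXED_RESERVE, then a formatted append.
 * Returns 1 if the hardened append succeeded and the unsafe model would
 * have overflowed for the same inputs. */
int demo_long_string_append(void)
{
    gstr s;
    gstr_init(&s);
    if (gstr_fill(&s, 'A', 1200) != 0)       /* constructed input: 1200 chars > 1000 */
        return 0;
    int unsafe = unsafe_pattern_overflows(s.len, "/%s:%d", "host", 5060);
    long n = gstr_appendf(&s, "/%s:%d", "host", 5060);   /* appends 10 chars */
    int ok = unsafe == 1 && n == 1210 && strcmp(s.buf + 1200, "/host:5060") == 0;
    gstr_free(&s);
    return ok;
}

int main(void)
{
    printf("unsafe pattern overflows: %d, hardened append ok: %d\n",
           unsafe_pattern_overflows(1200, "/%s:%d", "host", 5060),
           demo_long_string_append());
    return 0;
}
```

The two-pass vsnprintf is the standard C99 fix for this class: the first call with a NULL buffer and size 0 returns the length the output would have, so the buffer can be grown before anything is written, and the second call is bounded by the real remaining capacity. Note that the unsafe model overflows as soon as the existing length approaches the reserve, regardless of how short the formatted output is, which matches the trigger described in comment 8.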

Comment 12 Tomas Hoger 2007-12-20 12:18:19 UTC
Fixed in affected products:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0932.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2245


