Bug 292831 - (CVE-2007-4897) CVE-2007-4897 ekiga GetHostAddress remote DoS
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=cve,reported=20070914,public=2...
Keywords: Security
Depends On: 297561 301071 301081 833973
Blocks:
Reported: 2007-09-17 04:11 EDT by Tomas Hoger
Modified: 2012-06-20 10:35 EDT
Doc Type: Bug Fix
Last Closed: 2007-12-20 07:18:19 EST

Attachments:
  pwlib PString::vsprintf patch (405 bytes, patch), 2007-09-28 03:59 EDT, Tomas Hoger

Description Tomas Hoger 2007-09-17 04:11:25 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4897 to the following vulnerability:

The SIPURL::GetHostAddress function in Ekiga (formerly GnomeMeeting) 2.0.5 and
earlier allows remote attackers to cause a denial of service (application
crash) via unspecified vectors, related to "bad management of memory
allocation."

References:
http://www.securityfocus.com/bid/25642
http://www.s21sec.com/avisos/s21sec-036-en.txt
http://marc.info/?l=full-disclosure&m=118959114522339&w=2


Note:
The advisory posted to full-disclosure stated that versions 2.0.5 and prior are
vulnerable.  The s21sec site seems to have an updated advisory stating that
version 2.0.7 is also vulnerable.
Comment 1 Tomas Hoger 2007-09-17 07:20:16 EDT
The s21sec advisory is a bit vague.  Their blog contains a bit more info (in Spanish):

http://blog.s21sec.com/2007/09/sobre-la-vulnerabilidad-del-ekiga.html

The blog entry links the following CVS commit as the fix for the issue:

http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sipcon.cxx?r1=2.120.2.25&r2=2.120.2.26&pathrev=v2_2_9

The problem lies not in ekiga itself, but in the opal library / package.

The openh323 used by gnomemeeting in RHEL3 and RHEL4 does not seem to contain
the vulnerable code.  Hence gnomemeeting (ekiga's predecessor) as shipped in Red
Hat Enterprise Linux 3 and 4 is not vulnerable.  cmontgom, could you please
correct me if this assertion is wrong and I've managed to miss something
important.
Comment 3 Tomas Hoger 2007-09-17 14:14:05 EDT
A new ekiga version, 2.0.10, was released today:

http://mail.gnome.org/archives/ekiga-list/2007-September/msg00103.html

The announcement states that this new version fixes this remote crash.
Comment 4 Daniel Veillard 2007-09-17 17:54:23 EDT
I contacted Damien Sandras this evening. The upstream patch for this
is the following:

http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sippdu.cxx?r1=2.83.2.19&r2=2.83.2.20&pathrev=Phobos

Daniel
Comment 5 Tomas Hoger 2007-09-19 10:19:05 EDT
The vulnerability fixed in ekiga 2.0.10 and addressed by the patch in comment #4
is a different issue - CVE-2007-4924.
Comment 8 Tomas Hoger 2007-09-28 03:59:04 EDT
Created attachment 209771
pwlib PString::vsprintf patch

The root cause of the issue seems to lie in the pwlib library, in the
implementation of the PString class.  When the string is already longer than
1000 characters, a call to (v)sprintf causes memory corruption.
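The failure mode described in comment 8, as an added example that is not part of this bug report and not pwlib's PString code: a constructed model of a string append routine that reserves a fixed 1000-byte buffer and writes into it at the current length with an unbounded vsprintf, expressed as a check for when that write would run past the reservation, beside a hardened append that probes the required length with vsnprintf and grows the buffer before writing. The gstr type, the FIXED_RESERVATION constant, the helper names and the SIP-looking sample input are assumptions made for this illustration only.

```c
/*
 * Constructed illustration of the pattern described in comment 8: a fixed
 * reservation of 1000 bytes plus an unbounded vsprintf at offset `len`.
 * This is NOT pwlib's PString implementation; every name and size here is an
 * assumption made for the example.
 */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_RESERVATION 1000  /* assumed fixed allocation of the unsafe pattern */

/* Minimal growable string, a stand-in for the string class under discussion. */
typedef struct {
    char *data;
    size_t len;   /* bytes in use, excluding the NUL terminator */
    size_t cap;   /* bytes allocated, including the NUL terminator */
} gstr;

static void gstr_init(gstr *s) { s->data = calloc(1, 1); s->len = 0; s->cap = 1; }
static void gstr_free(gstr *s) { free(s->data); s->data = NULL; s->len = s->cap = 0; }

/* Bytes the formatted text would occupy, computed without writing anything
 * (C99 vsnprintf with a NULL buffer returns the required length). */
static size_t formatted_length(const char *fmt, va_list ap)
{
    va_list copy;
    va_copy(copy, ap);
    int n = vsnprintf(NULL, 0, fmt, copy);
    va_end(copy);
    return n < 0 ? 0 : (size_t)n;
}

/*
 * The unsafe pattern, expressed as a check rather than as code that is run:
 * the string is kept in a FIXED_RESERVATION-byte buffer and vsprintf writes at
 * offset `existing_len`. The write runs past the allocation whenever
 * existing_len + formatted length + NUL exceeds the reservation, so a string
 * that is already longer than the reservation overflows no matter how short
 * the formatted text is. Returns 1 when the write would overflow.
 */
static int fixed_pattern_overflows(size_t existing_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    size_t need = formatted_length(fmt, ap);
    va_end(ap);
    return existing_len + need + 1 > FIXED_RESERVATION;
}

/* Hardened append: size the destination from a probe, then write bounded. */
static int gstr_append_format(gstr *s, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    size_t need = formatted_length(fmt, ap);
    va_end(ap);

    size_t required = s->len + need + 1;
    if (required > s->cap) {
        size_t newcap = s->cap ? s->cap : 1;
        while (newcap < required) newcap *= 2;
        char *p = realloc(s->data, newcap);
        if (p == NULL) return -1;
        s->data = p;
        s->cap = newcap;
    }

    va_start(ap, fmt);
    vsnprintf(s->data + s->len, s->cap - s->len, fmt, ap);  /* bounded write */
    va_end(ap);
    s->len += need;
    return 0;
}

/* Driver: builds a 1520-byte string from a constructed over-long SIP-style
 * field, then appends to the now-oversized string; returns the final length. */
static size_t demo(void)
{
    char big[1501];                 /* constructed input: 1500 'A's */
    memset(big, 'A', 1500);
    big[1500] = '\0';

    gstr s;
    gstr_init(&s);
    gstr_append_format(&s, "sip:%s@example.invalid", big);  /* 4 + 1500 + 16 */
    gstr_append_format(&s, ";tag=%d", 42);                   /* 7 more bytes */
    size_t out = s.len;
    gstr_free(&s);
    return out;
}
```

The probe-then-write shape is the same fix any fixed-buffer (v)sprintf needs: either bound the write with the real remaining capacity or compute the required size first and allocate for it; silently truncating with vsnprintf into the old fixed buffer stops the corruption but still loses data, so the grow-first form is preferable for a string class.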
Comment 12 Tomas Hoger 2007-12-20 07:18:19 EST
Fixed in affected products:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0932.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2245
