A denial of service flaw was found in the way Ekiga, a Gnome based SIP/H323 teleconferencing application, processed information from certain OPAL connections (UTF-8 strings were not verified for validity prior showing them). A remote attacker (other party with a not UTF-8 valid name) could use this flaw to cause ekiga executable crash.
Upstream bug report:
Relevant upstream patch:
This issue did NOT affect the version of the ekiga package, as shipped with Red Hat Enterprise Linux 5.
This issue affects the version of the ekiga package, as shipped with Red Hat Enterprise Linux 6.
This issue affects the version of the ekiga package, as shipped with Fedora release of 16. Please schedule an update.
This issue affects the version of the ekiga package, as shipped with Fedora release of 17 (current version in -stable repository). Version ekiga-4.0.0-1.fc17 already available from the -testing repository is not vulnerable to this issue.
Created ekiga tracking bugs for this issue
Affects: fedora-16 [bug 883063]
The CVE identifier of CVE-2012-5621 has been assigned to this issue:
Are we sure that 4.0.0 isn't vulnerable?
This is the fix in trunk:
And updated sample code:
ptlib-2.10.10-1.fc18, opal-3.10.10-1.fc18, ekiga-4.0.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
ptlib-2.10.10-1.fc17, opal-3.10.10-1.fc17, ekiga-4.0.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.