Package: opal
Version: 2.2.3.dfsg-1
Severity: grave
Tags: security patch

Hi,
as you wanted a bug report, here it comes:
the following CVE (Common Vulnerabilities & Exposures) id was published for opal.

CVE-2007-4924[0]:
| The Open Phone Abstraction Library (opal), as used by (1) Ekiga before
| 2.0.10 and (2) OpenH323 before 2.2.4, allows remote attackers to cause
| a denial of service (crash) via an invalid Content-Length header field
| in Session Initiation Protocol (SIP) packets, which causes a 0 byte
| to be written to an "attacker-controlled address."

If you fix this vulnerability please also include the CVE id in your changelog entry.

http://people.debian.org/~nion/CVE-2007-4924.dpatch should fix this, I also attached it.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4924

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2007-4924.dpatch by Nico Golde <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad opal-2.2.3.dfsg~/src/sip/sippdu.cxx opal-2.2.3.dfsg/src/sip/sippdu.cxx
--- opal-2.2.3.dfsg~/src/sip/sippdu.cxx 2006-08-07 22:07:46.000000000 +0200
+++ opal-2.2.3.dfsg/src/sip/sippdu.cxx 2007-12-02 23:12:31.000000000 +0100
@@ -656,7 +656,7 @@
else
addr += hostname;
- if (port != 0)
+ if (port > 0)
addr.sprintf(":%u", port);
return addr;
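Review bot: the `- if (port != 0)` / `+ if (port > 0)` change in this hunk only behaves differently from the old test when `port` is a signed type, yet the very next line, `addr.sprintf(":%u", port);`, formats it as unsigned. If `port` is unsigned here the two conditions are equivalent and the hunk is a no-op that should be dropped or justified in the patch description; if it is signed, the intent (suppress a negative port instead of printing it as a huge unsigned value via `%u`) should be stated in a comment, since it is not part of the CVE fix.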
@@ -1815,8 +1815,18 @@
// if no content length is specified (which is not the same as zero length)
// then read until plausible end of header marker
PINDEX contentLength = mime.GetContentLength();
- if (contentLength > 0)
+ // assume entity bodies can't be longer than a UDP packet
+ if (contentLength > 1500) {
+ PTRACE(2, "SIP\tImplausibly long Content-Length " << contentLength << "
received on " << transport);
+ return FALSE;
+ }
+ else if (contentLength < 0) {
+ PTRACE(2, "SIP\tImpossible negative Content-Length on " << transport);
+ return FALSE;
+ }
+ if (contentLength > 0){
transport.read(entityBody.GetPointer(contentLength+1), contentLength);
+ }
else if (!mime.IsContentLengthPresent()) {
PBYTEArray pp;
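Review bot: the `+ if (contentLength > 1500) {` rejection in this hunk is justified only by the comment `assume entity bodies can't be longer than a UDP packet`, but the check runs regardless of what `transport` is, so a SIP message carried over a stream transport with a legitimately larger body would now be rejected; either condition the limit on the transport type or raise it, and replace the bare `1500` with a named constant that documents the assumption. Both new `return FALSE` paths also leave the declared body unread on `transport`, which matters for a stream transport where those bytes will be parsed by the next read. The `else if (contentLength < 0)` branch is the part that addresses the negative Content-Length from the report, and the patch header `## DP: No description.` should say so and name CVE-2007-4924 so the change is traceable from the dpatch itself.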