Your message dated Thu, 20 Dec 2007 19:53:52 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#454141: fixed in opal 2.2.3.dfsg-3+etch1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: opal
Version: 2.2.3.dfsg-1
Severity: grave
Tags: security patch
Hi, as you wanted a bug report, here it comes:
the following CVE (Common Vulnerabilities & Exposures) id was
published for opal.
CVE-2007-4924[0]:
| The Open Phone Abstraction Library (opal), as used by (1) Ekiga before
| 2.0.10 and (2) OpenH323 before 2.2.4, allows remote attackers to cause
| a denial of service (crash) via an invalid Content-Length header field
| in Session Initiation Protocol (SIP) packets, which causes a 0 byte
| to be written to an "attacker-controlled address."
If you fix this vulnerability please also include the CVE id
in your changelog entry.
http://people.debian.org/~nion/CVE-2007-4924.dpatch
should fix this, I also attached it.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4924
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2007-4924.dpatch by Nico Golde <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad opal-2.2.3.dfsg~/src/sip/sippdu.cxx
opal-2.2.3.dfsg/src/sip/sippdu.cxx
--- opal-2.2.3.dfsg~/src/sip/sippdu.cxx 2006-08-07 22:07:46.000000000 +0200
+++ opal-2.2.3.dfsg/src/sip/sippdu.cxx 2007-12-02 23:12:31.000000000 +0100
@@ -656,7 +656,7 @@
else
addr += hostname;
- if (port != 0)
+ if (port > 0)
addr.sprintf(":%u", port);
return addr;
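Review bot: The "port > 0" test at the top of this hunk differs from "port != 0" only if port is a signed type, yet the next line formats it with "%u", and the declaration is not shown, so it is unclear whether this changes behaviour at all. It also has no visible connection to the Content-Length handling the report is about; move it to a separate patch or explain which case it covers.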
@@ -1815,8 +1815,18 @@
// if no content length is specified (which is not the same as zero length)
// then read until plausible end of header marker
PINDEX contentLength = mime.GetContentLength();
- if (contentLength > 0)
+ // assume entity bodies can't be longer than a UDP packet
+ if (contentLength > 1500) {
+ PTRACE(2, "SIP\tImplausibly long Content-Length " << contentLength << "
received on " << transport);
+ return FALSE;
+ }
+ else if (contentLength < 0) {
+ PTRACE(2, "SIP\tImpossible negative Content-Length on " << transport);
+ return FALSE;
+ }
+ if (contentLength > 0){
transport.read(entityBody.GetPointer(contentLength+1), contentLength);
+ }
else if (!mime.IsContentLengthPresent()) {
PBYTEArray pp;
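Review bot: The "contentLength > 1500" cap is justified in the comment by UDP packet size, but the read goes through a generic "transport" and nothing in the hunk restricts the check to UDP, so a legitimate body above 1500 bytes on a stream transport would now make this return FALSE. Replace the literal with a named constant and apply the small cap only to datagram transports. The "contentLength < 0" check is the one that protects "GetPointer(contentLength+1)" and would read better placed first, without the "else" after a return. The result of "transport.read(...)" is still not checked, and the "## DP: No description." header should name CVE-2007-4924.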
--- End Message ---
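The validation the report calls for, written out as an added example (not OPAL's code and not part of the original mails): a strict Content-Length parser plus a body copy that refuses lengths larger than what was received. The names parse_content_length, extract_body and kMaxBody are hypothetical, and the example assumes the bytes after the headers are already in memory.

```cpp
#include <cstddef>
#include <string>

// Hypothetical limit for this example; choose one that fits the transport in use.
const std::size_t kMaxBody = 65535;

// Strict parse of a Content-Length value: optional surrounding blanks, then
// decimal digits only. Signs, hex, empty values and anything above `cap`
// are rejected, so the result can never be negative or wrap around.
bool parse_content_length(const std::string& value, std::size_t cap,
                          std::size_t& out) {
    std::size_t i = 0, end = value.size();
    while (i < end && (value[i] == ' ' || value[i] == '\t')) ++i;
    while (end > i && (value[end - 1] == ' ' || value[end - 1] == '\t')) --end;
    if (i == end) return false;                          // empty value
    std::size_t n = 0;
    for (; i < end; ++i) {
        if (value[i] < '0' || value[i] > '9') return false;  // "-1", "+5", "0x10"
        std::size_t d = static_cast<std::size_t>(value[i] - '0');
        if (d > cap || n > (cap - d) / 10) return false;     // would exceed cap
        n = n * 10 + d;
    }
    out = n;
    return true;
}

// Copy the body only when the declared length is valid and no larger than
// the bytes that actually followed the headers in `payload`.
bool extract_body(const std::string& header_value, const std::string& payload,
                  std::string& body) {
    std::size_t len = 0;
    if (!parse_content_length(header_value, kMaxBody, len)) return false;
    if (len > payload.size()) return false;              // truncated or lying header
    body.assign(payload, 0, len);                        // std::string sizes itself
    return true;
}
```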
--- Begin Message ---
Source: opal
Source-Version: 2.2.3.dfsg-3+etch1
We believe that the bug you reported is fixed in the latest version of
opal, which is due to be installed in the Debian FTP archive:
libopal-2.2.0_2.2.3.dfsg-3+etch1_i386.deb
to pool/main/o/opal/libopal-2.2.0_2.2.3.dfsg-3+etch1_i386.deb
libopal-dbg_2.2.3.dfsg-3+etch1_i386.deb
to pool/main/o/opal/libopal-dbg_2.2.3.dfsg-3+etch1_i386.deb
libopal-dev_2.2.3.dfsg-3+etch1_i386.deb
to pool/main/o/opal/libopal-dev_2.2.3.dfsg-3+etch1_i386.deb
libopal-doc_2.2.3.dfsg-3+etch1_all.deb
to pool/main/o/opal/libopal-doc_2.2.3.dfsg-3+etch1_all.deb
opal_2.2.3.dfsg-3+etch1.diff.gz
to pool/main/o/opal/opal_2.2.3.dfsg-3+etch1.diff.gz
opal_2.2.3.dfsg-3+etch1.dsc
to pool/main/o/opal/opal_2.2.3.dfsg-3+etch1.dsc
simpleopal_2.2.3.dfsg-3+etch1_i386.deb
to pool/main/o/opal/simpleopal_2.2.3.dfsg-3+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kilian Krause <[EMAIL PROTECTED]> (supplier of updated opal package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 4 Dec 2007 12:28:48 +0100
Source: opal
Binary: libopal-doc simpleopal libopal-2.2.0 libopal-dev libopal-dbg
Architecture: source i386 all
Version: 2.2.3.dfsg-3+etch1
Distribution: proposed-updates
Urgency: high
Maintainer: Debian VoIP Team <[EMAIL PROTECTED]>
Changed-By: Kilian Krause <[EMAIL PROTECTED]>
Description:
libopal-2.2.0 - Open Phone Abstraction Library - successor of OpenH323
libopal-dbg - OPAL library debug symbols
libopal-dev - OPAL library header files
libopal-doc - OPAL library documentation files
simpleopal - Simple example from the OPAL project
Closes: 454141
Changes:
opal (2.2.3.dfsg-3+etch1) proposed-updates; urgency=high
.
* Fix CVE-2007-4924: OPAL allows remote attackers to cause a denial of
service (crash) via an invalid Content-Length header field in Session
Initiation Protocol (SIP) packets, which causes a \0 byte to be written to
an "attacker-controlled address." (Closes: #454141)
Files:
6a3d18872b5bafcaa3150fbd4ad38dea 1088 libs optional opal_2.2.3.dfsg-3+etch1.dsc
1bcebb551ba5ad9f9a210bcaab8044e5 14661 libs optional opal_2.2.3.dfsg-3+etch1.diff.gz
63eed9a1292a36dc48e4cae3a8e86e26 2917386 libs optional libopal-2.2.0_2.2.3.dfsg-3+etch1_i386.deb
948e163693e7fdf861cf87d7fbdcfb28 448870 libdevel optional libopal-dev_2.2.3.dfsg-3+etch1_i386.deb
83ef674d07a65dfc70325d108705f89f 61720 comm optional simpleopal_2.2.3.dfsg-3+etch1_i386.deb
944de1e0e9349e7e6a92288d982cf718 627898 libdevel extra libopal-dbg_2.2.3.dfsg-3+etch1_i386.deb
e6ce62f878cc6ac9e7b48f646b624ec3 7890174 doc extra libopal-doc_2.2.3.dfsg-3+etch1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHVm7Evdkzt4X+wX8RAu0jAJ9L0Pt47bsXhFy/LSOKrLvdCTOcRQCfVbe2
i6vgdPQ0nhGCAhamPiv13Yo=
=8lpz
-----END PGP SIGNATURE-----
--- End Message ---