Package: opal
Version: 2.2.3.dfsg-1
Severity: grave
Tags: security patch

Hi,
as you wanted a bug report, here it comes: the following CVE (Common Vulnerabilities & Exposures) id was published for opal.
CVE-2007-4924[0]:
| The Open Phone Abstraction Library (opal), as used by (1) Ekiga before
| 2.0.10 and (2) OpenH323 before 2.2.4, allows remote attackers to cause
| a denial of service (crash) via an invalid Content-Length header field
| in Session Initiation Protocol (SIP) packets, which causes a 0 byte
| to be written to an "attacker-controlled address."

If you fix this vulnerability, please also include the CVE id in your changelog entry.

http://people.debian.org/~nion/CVE-2007-4924.dpatch should fix this; I also attached it.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4924

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
#! /bin/sh /usr/share/dpatch/dpatch-run ## CVE-2007-4924.dpatch by Nico Golde <[EMAIL PROTECTED]> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad opal-2.2.3.dfsg~/src/sip/sippdu.cxx opal-2.2.3.dfsg/src/sip/sippdu.cxx --- opal-2.2.3.dfsg~/src/sip/sippdu.cxx 2006-08-07 22:07:46.000000000 +0200 +++ opal-2.2.3.dfsg/src/sip/sippdu.cxx 2007-12-02 23:12:31.000000000 +0100 @@ -656,7 +656,7 @@ else addr += hostname; - if (port != 0) + if (port > 0) addr.sprintf(":%u", port); return addr; @@ -1815,8 +1815,18 @@ // if no content length is specified (which is not the same as zero length) // then read until plausible end of header marker PINDEX contentLength = mime.GetContentLength(); - if (contentLength > 0) + // assume entity bodies can't be longer than a UDP packet + if (contentLength > 1500) { + PTRACE(2, "SIP\tImplausibly long Content-Length " << contentLength << " received on " << transport); + return FALSE; + } + else if (contentLength < 0) { + PTRACE(2, "SIP\tImpossible negative Content-Length on " << transport); + return FALSE; + } + if (contentLength > 0){ transport.read(entityBody.GetPointer(contentLength+1), contentLength); + } else if (!mime.IsContentLengthPresent()) { PBYTEArray pp;
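Review bot: the `port != 0` to `port > 0` change in the first hunk (the `@@ -656,7 +656,7 @@` region) is unrelated to the Content-Length fix and has no stated rationale; the `## DP: No description.` header leaves both hunks undocumented. If `port` is unsigned, as the `":%u"` format in `addr.sprintf(":%u", port)` suggests, the two conditions are equivalent and the hunk is a no-op; if it is signed, a negative port now silently disappears from the address instead of being reported. Either drop the hunk or say in the `## DP:` line what it is meant to fix, and name CVE-2007-4924 there as the report asks.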
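Review bot: the hard-coded 1500 bound in the second hunk (the `@@ -1815,8 +1815,18 @@` region) rejects any SIP message whose Content-Length exceeds 1500 regardless of transport, although the comment only justifies it for UDP ("assume entity bodies can't be longer than a UDP packet"); SIP over TCP or TLS legitimately carries larger bodies, so the check turns a crash into a functional regression there. Suggest deriving the ceiling from `transport` (or at least a named constant well above an MTU) and keeping the `contentLength < 0` check, which is the part that actually closes the bug: with a negative value, `entityBody.GetPointer(contentLength+1)` asks for a zero-sized (or negative) buffer and `transport.read(..., contentLength)` is handed the negative count. Two smaller points: test `< 0` before `> 1500` so the impossible case is ruled out first, and `if (contentLength > 0){` wants a space before the brace to match the surrounding style. The return value of `transport.read` is still unchecked, so a short read leaves part of `entityBody` unfilled; not introduced by this patch, but worth a follow-up.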
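The CVE text above comes down to a signed Content-Length being trusted as-is. The following is an added example, not opal's code and not part of the attached dpatch: a small C++ parser that puts the naive signed parse (where "-1" turns a buffer request of contentLength+1 into 0 bytes, and "12abc" is quietly read as 12) next to a hardened version that accepts digits only, handles the SIP compact form "l:", and bounds the value before anything is sized from it. The kMaxBody limit of 1500 is borrowed from the attached patch purely as an assumption, the header-search helper and the sample SIP header blocks are constructed for this example, and nothing here uses PTLib or opal APIs.

```cpp
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Ceiling on a body we are willing to buffer. 1500 is the figure the attached
// patch uses for UDP; a real stack would choose this per transport, since TCP
// and TLS legitimately carry larger bodies. Assumption for this example only.
static const long kMaxBody = 1500;

enum ContentLengthStatus {
    CL_OK,         // well-formed and within bounds
    CL_ABSENT,     // no Content-Length / l header at all
    CL_MALFORMED,  // empty or contains non-digits
    CL_NEGATIVE,   // leading '-': the input class behind CVE-2007-4924
    CL_TOO_LARGE   // exceeds kMaxBody
};

// Locate a header by (case-insensitive) name in a CRLF-separated header block
// and return its trimmed value. Folded continuation lines are not handled.
static bool findHeader(const std::string &headers, const char *name, std::string &value) {
    const size_t nameLen = std::strlen(name);
    size_t pos = 0;
    while (pos < headers.size()) {
        size_t eol = headers.find("\r\n", pos);
        if (eol == std::string::npos) eol = headers.size();
        const std::string line = headers.substr(pos, eol - pos);
        pos = eol + 2;
        if (line.size() <= nameLen || line[nameLen] != ':') continue;
        bool match = true;
        for (size_t i = 0; i < nameLen && match; ++i)
            match = std::tolower((unsigned char)line[i]) == std::tolower((unsigned char)name[i]);
        if (!match) continue;
        size_t b = nameLen + 1, e = line.size();
        while (b < e && std::isspace((unsigned char)line[b])) ++b;
        while (e > b && std::isspace((unsigned char)line[e - 1])) --e;
        value = line.substr(b, e - b);
        return true;
    }
    return false;
}

// Naive parse in the spirit of the vulnerable path: a signed length takes
// whatever atol() yields, so "Content-Length: -1" becomes -1 and a buffer
// request of contentLength+1 collapses to 0 bytes. Trailing junk is ignored.
static long naiveContentLength(const std::string &headers) {
    std::string v;
    return findHeader(headers, "Content-Length", v) ? std::atol(v.c_str()) : 0;
}

// Hardened parse: digits only, no sign, bounded before any buffer is sized.
static ContentLengthStatus parseContentLength(const std::string &headers, long &out) {
    std::string v;
    if (!findHeader(headers, "Content-Length", v) && !findHeader(headers, "l", v))
        return CL_ABSENT;                       // "l:" is the SIP compact form
    if (v.empty()) return CL_MALFORMED;
    if (v[0] == '-') return CL_NEGATIVE;
    long n = 0;
    for (size_t i = 0; i < v.size(); ++i) {
        if (!std::isdigit((unsigned char)v[i])) return CL_MALFORMED;
        n = n * 10 + (v[i] - '0');
        if (n > kMaxBody) return CL_TOO_LARGE;  // bail early; also rules out overflow
    }
    out = n;
    return CL_OK;
}

// Convenience wrappers so callers can query status and value separately.
static ContentLengthStatus clStatus(const std::string &headers) {
    long n = 0;
    return parseContentLength(headers, n);
}
static long clValue(const std::string &headers) {   // -1 unless status is CL_OK
    long n = 0;
    return parseContentLength(headers, n) == CL_OK ? n : -1;
}

// Constructed sample header blocks for the example; not captured traffic.
static const char *kGood =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 12\r\n";
static const char *kNegative  = "INVITE sip:bob@example.com SIP/2.0\r\nContent-Length: -1\r\n";
static const char *kHuge      = "INVITE sip:bob@example.com SIP/2.0\r\nContent-Length: 4294967295\r\n";
static const char *kCompact   = "INVITE sip:bob@example.com SIP/2.0\r\nl: 7\r\n";
static const char *kMalformed = "INVITE sip:bob@example.com SIP/2.0\r\nContent-Length: 12abc\r\n";
static const char *kAbsent    = "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1\r\n";

int main() {
    const char *samples[] = { kGood, kNegative, kHuge, kCompact, kMalformed, kAbsent };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i)
        std::printf("naive=%ld  hardened: status=%d value=%ld\n",
                    naiveContentLength(samples[i]), (int)clStatus(samples[i]), clValue(samples[i]));
    return 0;
}
```

The design point is that the decision is made on the header text, before the value is ever used as a size: a sign or a non-digit is rejected outright rather than being turned into some integer first, and the bound is applied digit by digit so an absurdly long number never has a chance to overflow the accumulator.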