Date: Mon, 3 Dec 2012 12:36:27 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Damien Sandras <dsandras@...onix.com>,
        Eugen Dedu <eugen.dedu@...pm.univ-fcomte.fr>
Subject: CVE Request -- Ekiga (x < 4.0.0): DoS (crash) after receiving call from other party with a name that is not valid UTF-8

Hello Kurt, Steve, vendors,

  a denial of service flaw was found in the way Ekiga,
a Gnome-based SIP/H323 teleconferencing application,
processed information from certain OPAL connections
([certain] UTF-8 strings were not verified for validity
prior to showing them). A remote attacker (the other party,
with a name that is not valid UTF-8) could use this flaw to
cause the ekiga executable to crash.

Upstream bug report:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=653009

Relevant upstream patch:
[2] http://git.gnome.org/browse/ekiga/commit/?id=7d09807257

References:
[3] http://ftp.gnome.org/pub/gnome/sources/ekiga/4.0/ekiga-4.0.0.news
[4] https://bugzilla.redhat.com/show_bug.cgi?id=883058

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
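The defensive check the report describes as missing, validating a remote party's name as UTF-8 before it reaches the display code, as an added example that is not Ekiga's own code and not the upstream patch: a self-contained validator in C plus a sanitizing copy for the display path (function names are my own).

```c
#include <stdbool.h>
#include <string.h>
/* Length of the well-formed UTF-8 sequence at s (at most n bytes), or 0 if
 * invalid: stray continuation bytes, truncated sequences, overlong forms,
 * UTF-16 surrogates and code points above U+10FFFF are all rejected. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    size_t len; unsigned cp, min;
    if (n == 0) return 0;
    if (s[0] < 0x80) return 1;                      /* plain ASCII */
    if ((s[0] & 0xE0) == 0xC0) { len = 2; cp = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; cp = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; cp = s[0] & 0x07; min = 0x10000; }
    else return 0;                                  /* 0x80..0xBF or 0xF8..0xFF lead byte */
    if (n < len) return 0;                          /* truncated at end of string */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;        /* not a continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
    return len;
}
/* True when the whole NUL-terminated string is valid UTF-8: the check to make
 * before handing a name received from the remote side to the UI toolkit. */
bool utf8_is_valid(const char *str)
{
    const unsigned char *s = (const unsigned char *)str;
    for (size_t n = strlen(str), i = 0; i < n;) {
        size_t len = utf8_seq_len(s + i, n - i);
        if (len == 0) return false;
        i += len;
    }
    return true;
}
/* Copies str into out (capacity outsz), replacing each invalid byte with '?'
 * so the result is always valid UTF-8 and never ends in a split sequence.
 * Returns the number of bytes replaced (0 means the input was already valid). */
size_t utf8_sanitize(const char *str, char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)str;
    size_t n = strlen(str), i = 0, o = 0, replaced = 0;
    while (i < n && o + 1 < outsz) {
        size_t len = utf8_seq_len(s + i, n - i);
        if (len == 0) { out[o++] = '?'; i++; replaced++; continue; }
        if (o + len >= outsz) break;                /* whole sequence must fit */
        memcpy(out + o, s + i, len); o += len; i += len;
    }
    out[o] = '\0';
    return replaced;
}
```

A display name that fails `utf8_is_valid` should never be passed on as-is; show the sanitized copy (or a fixed placeholder) instead.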
