Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <50BD5809.4040007@redhat.com>
Date: Mon, 03 Dec 2012 18:55:21 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Damien Sandras <dsandras@...onix.com>,
        Eugen Dedu <eugen.dedu@...pm.univ-fcomte.fr>
Subject: Re: CVE Request -- Ekiga (x < 4.0.0): DoS (crash)
 after receiving call from other party with not UTF-8 valid name

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/03/2012 10:36 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> a denial of service flaw was found in the way Ekiga, a Gnome based
> SIP/H323 teleconferencing application, processed information from
> certain OPAL connections ([certain] UTF-8 strings were not verified
> for validity prior showing them). A remote attacker (other party
> with a not UTF-8 valid name) could use this flaw to cause ekiga
> executable crash.
> 
> Upstream bug report: [1]
> https://bugzilla.gnome.org/show_bug.cgi?id=653009
> 
> Relevant upstream patch: [2]
> http://git.gnome.org/browse/ekiga/commit/?id=7d09807257
> 
> References: [3]
> http://ftp.gnome.org/pub/gnome/sources/ekiga/4.0/ekiga-4.0.0.news 
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=883058
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team

Please use CVE-2012-5621 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQvVgJAAoJEBYNRVNeJnmTnTkP/1g3hZfD+vEtvLiYKi4ZN3e0
818jnR4mwGxCOriqdgdDuR9in1xcKbs3vocCRdAw5y8MlAQrHf0m0+BinIKNPwHs
lTpfuj3XXl8TpMNjIeQ0hPmQb3wLINt7myzlBQZlc7TXWNT8OTwkT+hIBcHYvxzh
eXm2EDu3z1uW6QiUNCGVESWoMlQmg2s5LaoRHvoc2dBBsEuIgoA5aEcn7XofOe7c
8tL1IEqwpNvBgBSB+PTmMeThSDCtGTzHw/9yrH6WBykKj7CyPsYpvqgD/q6+8cnH
vARomEY6WfTqS6cYo1/D8L87s+iWjbGXrUUESeSRy3IYVLt5GxA7xGqXwRWmFeCi
xYwEqpfIDghDyuTF4eCUsZUG7sdrUVXGtJ6qh00DaPwCDxhNDUapzgY5wloVrbjt
+hqxK7QnlFXANpoFARirBuYhd6Q4tym940RoHmbWieoKIel0PRwK76q9RwjxWUUh
p2YIi2/dyTiwWx9tsdIB77QqKI2agBQrwDLLQiXEHtimBb15ivHm+IPT5AUvyn1r
gQloUzFYJ8ieSaPyKzHcJiU7Z80KXhyAAAbVc2iJ0QhJ1MtYjUUd70Hc4DTwzDb4
hLwii6qtffVE+xuCIqOfZgerP2NdeSy85qXaYMuPyZMK2fA0bk9nFTyBWe3UTsOb
7o3KugCHrmdBh1U2CKYP
=zJJ0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.