Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

opal: CVE-2007-4924 remote denial of service

Related Vulnerabilities: CVE-2007-4924  

Source

Debian Bug report logs - #454141
opal: CVE-2007-4924 remote denial of service

version graph

Package: opal; Maintainer for opal is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Mon, 3 Dec 2007 13:15:01 UTC

Severity: grave

Tags: patch, security

Found in version 2.2.3.dfsg-1

Fixed in versions 2.2.11~dfsg1-3, opal/2.2.3.dfsg-3+etch4

Done: Kilian Krause <kilian@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#454141; Package opal. (full text, mbox, link).

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: opal: CVE-2007-4924 remote denial of service
Date: Mon, 3 Dec 2007 14:14:21 +0100
[Message part 1 (text/plain, inline)]
Package: opal
Version: 2.2.3.dfsg-1
Severity: grave
Tags: security patch

Hi, as you wanted a bug report, here it comes:
the following CVE (Common Vulnerabilities & Exposures) id was
published for opal.

CVE-2007-4924[0]:
| The Open Phone Abstraction Library (opal), as used by (1) Ekiga before
| 2.0.10 and (2) OpenH323 before 2.2.4, allows remote attackers to cause
| a denial of service (crash) via an invalid Content-Length header field
| in Session Initiation Protocol (SIP) packets, which causes a 0 byte
| to be written to an "attacker-controlled address."

If you fix this vulnerability please also include the CVE id
in your changelog entry.

http://people.debian.org/~nion/CVE-2007-4924.dpatch
should fix this, I also attached it.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4924

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[CVE-2007-4924.dpatch (text/plain, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Bug marked as fixed in version 2.2.11~dfsg1-3. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 03 Dec 2007 13:21:03 GMT) (full text, mbox, link).

Reply sent to Kilian Krause <kilian@debian.org>:
You have taken responsibility. (full text, mbox, link).

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).

Message #12 received at 454141-close@bugs.debian.org (full text, mbox, reply):

From: Kilian Krause <kilian@debian.org>
To: 454141-close@bugs.debian.org
Subject: Bug#454141: fixed in opal 2.2.3.dfsg-3+etch4
Date: Thu, 20 Dec 2007 19:53:52 +0000
Source: opal
Source-Version: 2.2.3.dfsg-3+etch4

We believe that the bug you reported is fixed in the latest version of
opal, which is due to be installed in the Debian FTP archive:

libopal-2.2.0_2.2.3.dfsg-3+etch4_i386.deb
  to pool/main/o/opal/libopal-2.2.0_2.2.3.dfsg-3+etch4_i386.deb
libopal-dbg_2.2.3.dfsg-3+etch4_i386.deb
  to pool/main/o/opal/libopal-dbg_2.2.3.dfsg-3+etch4_i386.deb
libopal-dev_2.2.3.dfsg-3+etch4_i386.deb
  to pool/main/o/opal/libopal-dev_2.2.3.dfsg-3+etch4_i386.deb
libopal-doc_2.2.3.dfsg-3+etch4_all.deb
  to pool/main/o/opal/libopal-doc_2.2.3.dfsg-3+etch4_all.deb
opal_2.2.3.dfsg-3+etch4.diff.gz
  to pool/main/o/opal/opal_2.2.3.dfsg-3+etch4.diff.gz
opal_2.2.3.dfsg-3+etch4.dsc
  to pool/main/o/opal/opal_2.2.3.dfsg-3+etch4.dsc
simpleopal_2.2.3.dfsg-3+etch4_i386.deb
  to pool/main/o/opal/simpleopal_2.2.3.dfsg-3+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 454141@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kilian Krause <kilian@debian.org> (supplier of updated opal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  4 Dec 2007 12:28:48 +0100
Source: opal
Binary: libopal-doc simpleopal libopal-2.2.0 libopal-dev libopal-dbg
Architecture: source i386 all
Version: 2.2.3.dfsg-3+etch4
Distribution: proposed-updates
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Kilian Krause <kilian@debian.org>
Description: 
 libopal-2.2.0 - Open Phone Abstraction Library - successor of OpenH323
 libopal-dbg - OPAL library debug symbols
 libopal-dev - OPAL library header files
 libopal-doc - OPAL library documentation files
 simpleopal - Simple example from the OPAL project
Closes: 454141
Changes: 
 opal (2.2.3.dfsg-3+etch4) proposed-updates; urgency=high
 .
   * Fix CVE-2007-4924: OPAL allows remote attackers to cause a denial of
     service (crash) via an invalid Content-Length header field in Session
     Initiation Protocol (SIP) packets, which causes a \0 byte to be written to
     an "attacker-controlled address." (Closes: #454141)
Files: 
 6a3d18872b5bafcaa3150fbd4ad38dea 1088 libs optional opal_2.2.3.dfsg-3+etch4.dsc
 1bcebb551ba5ad9f9a210bcaab8044e5 14661 libs optional opal_2.2.3.dfsg-3+etch4.diff.gz
 63eed9a1292a36dc48e4cae3a8e86e26 2917386 libs optional libopal-2.2.0_2.2.3.dfsg-3+etch4_i386.deb
 948e163693e7fdf861cf87d7fbdcfb28 448870 libdevel optional libopal-dev_2.2.3.dfsg-3+etch4_i386.deb
 83ef674d07a65dfc70325d108705f89f 61720 comm optional simpleopal_2.2.3.dfsg-3+etch4_i386.deb
 944de1e0e9349e7e6a92288d982cf718 627898 libdevel extra libopal-dbg_2.2.3.dfsg-3+etch4_i386.deb
 e6ce62f878cc6ac9e7b48f646b624ec3 7890174 doc extra libopal-doc_2.2.3.dfsg-3+etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHVm7Evdkzt4X+wX8RAu0jAJ9L0Pt47bsXhFy/LSOKrLvdCTOcRQCfVbe2
i6vgdPQ0nhGCAhamPiv13Yo=
=8lpz
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Jan 2008 07:30:16 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:18:36 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started