Debian Bug report logs - #454141
opal: CVE-2007-4924 remote denial of service
Reported by: Nico Golde <nion@debian.org>
Date: Mon, 3 Dec 2007 13:15:01 UTC
Severity: grave
Tags: patch, security
Found in version 2.2.3.dfsg-1
Fixed in versions 2.2.11~dfsg1-3, opal/2.2.3.dfsg-3+etch4
Done: Kilian Krause <kilian@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#454141; Package opal.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: opal
Version: 2.2.3.dfsg-1
Severity: grave
Tags: security patch
Hi, as you wanted a bug report, here it comes:
the following CVE (Common Vulnerabilities & Exposures) id was
published for opal.
CVE-2007-4924[0]:
| The Open Phone Abstraction Library (opal), as used by (1) Ekiga before
| 2.0.10 and (2) OpenH323 before 2.2.4, allows remote attackers to cause
| a denial of service (crash) via an invalid Content-Length header field
| in Session Initiation Protocol (SIP) packets, which causes a 0 byte
| to be written to an "attacker-controlled address."
If you fix this vulnerability please also include the CVE id
in your changelog entry.
http://people.debian.org/~nion/CVE-2007-4924.dpatch
should fix this, I also attached it.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4924
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[CVE-2007-4924.dpatch (text/plain, attachment)]
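The CVE text quoted above (and repeated in the changelog of the closing message below) names the bug class but does not show it. The following C program is an added example, not OPAL's code and not the attached dpatch: a SIP header parser that validates Content-Length against the number of body bytes actually received before using it as a body length, and only then NUL-terminates a copy of the body. The SIP_MAX_BODY cap, the example.invalid host and the sample messages are constructed for the illustration.

```c
/* Added example: validate SIP Content-Length before trusting it.
 * Schematic of the CVE-2007-4924 bug class, not OPAL's code. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIP_MAX_BODY 65535UL   /* assumption: local policy cap, not a protocol constant */

/* ASCII case-insensitive compare of n bytes (SIP header names are case-insensitive). */
static int name_eq(const char *p, const char *name, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Find a header by name at a line start inside the header block; return a
 * pointer just past the ':' or NULL if absent. */
static const char *find_header(const char *hdrs, size_t hdr_len, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = hdrs, *end = hdrs + hdr_len;
    while (p < end) {
        if ((size_t)(end - p) > nlen && name_eq(p, name, nlen) && p[nlen] == ':')
            return p + nlen + 1;
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        if (!nl) break;
        p = nl + 1;
    }
    return NULL;
}

/* Parse one SIP message held in msg[0..msg_len). On success return the
 * validated body length and set *body to the first body byte. Return -1 for
 * a missing, non-numeric, negative, oversized or inconsistent Content-Length.
 * Assumption: the header is required (RFC 3261 mandates it on stream
 * transports; a UDP stack would usually default to the datagram remainder). */
long sip_body(const char *msg, size_t msg_len, const char **body)
{
    const char *sep = NULL;
    for (size_t i = 0; i + 4 <= msg_len; i++)
        if (memcmp(msg + i, "\r\n\r\n", 4) == 0) { sep = msg + i; break; }
    if (!sep) return -1;                        /* no end-of-headers marker */

    size_t hdr_len = (size_t)(sep - msg);
    size_t avail = msg_len - hdr_len - 4;       /* body bytes really present */

    const char *v = find_header(msg, hdr_len, "Content-Length");
    if (!v) v = find_header(msg, hdr_len, "l"); /* RFC 3261 compact form */
    if (!v) return -1;
    while (*v == ' ' || *v == '\t') v++;

    /* Only a run of ASCII digits is acceptable: rejects "-1", "+5", "0x10", "". */
    if (!isdigit((unsigned char)*v)) return -1;
    errno = 0;
    char *endp;
    unsigned long cl = strtoul(v, &endp, 10);
    if (errno == ERANGE || cl > SIP_MAX_BODY) return -1;
    while (*endp == ' ' || *endp == '\t') endp++;
    if (*endp != '\r') return -1;               /* trailing junk after the number */

    /* The decisive check. Doing body[cl] = '\0' without it lets the sender
     * pick the offset of a zero-byte write, which is the crash the CVE describes. */
    if (cl > avail) return -1;

    *body = sep + 4;
    return (long)cl;
}

/* Convenience wrapper for NUL-terminated messages (tests and demos). */
long sip_body_len_str(const char *msg)
{
    const char *body;
    return sip_body(msg, strlen(msg), &body);
}

/* Hardened form of "terminate the body at Content-Length": copy into a
 * caller-owned buffer and NUL-terminate only when the validated length fits. */
long sip_copy_body(const char *msg, size_t msg_len, char *out, size_t out_sz)
{
    const char *body;
    long n = sip_body(msg, msg_len, &body);
    if (n < 0 || (size_t)n + 1 > out_sz) return -1;
    memcpy(out, body, (size_t)n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed messages; example.invalid is a reserved name, not a real host. */
    static const char *cases[] = {
        "INVITE sip:bob@example.invalid SIP/2.0\r\nContent-Length: 5\r\n\r\nhello",
        "INVITE sip:bob@example.invalid SIP/2.0\r\nl: 3\r\n\r\nabc",
        "INVITE sip:bob@example.invalid SIP/2.0\r\nContent-Length: 999999\r\n\r\nhello",
        "INVITE sip:bob@example.invalid SIP/2.0\r\nContent-Length: -1\r\n\r\nhello",
        "INVITE sip:bob@example.invalid SIP/2.0\r\nContent-Length: 7\r\n\r\nhello",
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char buf[64];
        long n = sip_copy_body(cases[i], strlen(cases[i]), buf, sizeof buf);
        printf("case %zu: %s\n", i, n < 0 ? "rejected" : buf);
    }
    return 0;
}
```

The comparison `cl > avail` is the check the advisory is about: a declared length larger than the bytes on the wire must be an error, never an index. The parser also refuses negative, non-numeric and trailing-junk values so that a signed or lenient conversion can never smuggle a bad offset past the size check.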
Bug marked as fixed in version 2.2.11~dfsg1-3. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 03 Dec 2007 13:21:03 GMT)
Reply sent to Kilian Krause <kilian@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #12 received at 454141-close@bugs.debian.org:
Source: opal
Source-Version: 2.2.3.dfsg-3+etch4
We believe that the bug you reported is fixed in the latest version of
opal, which is due to be installed in the Debian FTP archive:
libopal-2.2.0_2.2.3.dfsg-3+etch4_i386.deb
to pool/main/o/opal/libopal-2.2.0_2.2.3.dfsg-3+etch4_i386.deb
libopal-dbg_2.2.3.dfsg-3+etch4_i386.deb
to pool/main/o/opal/libopal-dbg_2.2.3.dfsg-3+etch4_i386.deb
libopal-dev_2.2.3.dfsg-3+etch4_i386.deb
to pool/main/o/opal/libopal-dev_2.2.3.dfsg-3+etch4_i386.deb
libopal-doc_2.2.3.dfsg-3+etch4_all.deb
to pool/main/o/opal/libopal-doc_2.2.3.dfsg-3+etch4_all.deb
opal_2.2.3.dfsg-3+etch4.diff.gz
to pool/main/o/opal/opal_2.2.3.dfsg-3+etch4.diff.gz
opal_2.2.3.dfsg-3+etch4.dsc
to pool/main/o/opal/opal_2.2.3.dfsg-3+etch4.dsc
simpleopal_2.2.3.dfsg-3+etch4_i386.deb
to pool/main/o/opal/simpleopal_2.2.3.dfsg-3+etch4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 454141@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kilian Krause <kilian@debian.org> (supplier of updated opal package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 4 Dec 2007 12:28:48 +0100
Source: opal
Binary: libopal-doc simpleopal libopal-2.2.0 libopal-dev libopal-dbg
Architecture: source i386 all
Version: 2.2.3.dfsg-3+etch4
Distribution: proposed-updates
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Kilian Krause <kilian@debian.org>
Description:
libopal-2.2.0 - Open Phone Abstraction Library - successor of OpenH323
libopal-dbg - OPAL library debug symbols
libopal-dev - OPAL library header files
libopal-doc - OPAL library documentation files
simpleopal - Simple example from the OPAL project
Closes: 454141
Changes:
opal (2.2.3.dfsg-3+etch4) proposed-updates; urgency=high
.
* Fix CVE-2007-4924: OPAL allows remote attackers to cause a denial of
service (crash) via an invalid Content-Length header field in Session
Initiation Protocol (SIP) packets, which causes a \0 byte to be written to
an "attacker-controlled address." (Closes: #454141)
Files:
6a3d18872b5bafcaa3150fbd4ad38dea 1088 libs optional opal_2.2.3.dfsg-3+etch4.dsc
1bcebb551ba5ad9f9a210bcaab8044e5 14661 libs optional opal_2.2.3.dfsg-3+etch4.diff.gz
63eed9a1292a36dc48e4cae3a8e86e26 2917386 libs optional libopal-2.2.0_2.2.3.dfsg-3+etch4_i386.deb
948e163693e7fdf861cf87d7fbdcfb28 448870 libdevel optional libopal-dev_2.2.3.dfsg-3+etch4_i386.deb
83ef674d07a65dfc70325d108705f89f 61720 comm optional simpleopal_2.2.3.dfsg-3+etch4_i386.deb
944de1e0e9349e7e6a92288d982cf718 627898 libdevel extra libopal-dbg_2.2.3.dfsg-3+etch4_i386.deb
e6ce62f878cc6ac9e7b48f646b624ec3 7890174 doc extra libopal-doc_2.2.3.dfsg-3+etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHVm7Evdkzt4X+wX8RAu0jAJ9L0Pt47bsXhFy/LSOKrLvdCTOcRQCfVbe2
i6vgdPQ0nhGCAhamPiv13Yo=
=8lpz
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Jan 2008 07:30:16 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:18:36 2019.