Hi Steffen and Nico

Thank you for the rapid mail.
Just now I have checked the related process code in the sipp svn trunk.
Actually (roughly counted), I found 6 wrong process lines.

I promise I will check and contact the sipp author team.

ARAKI ([EMAIL PROTECTED])

> Hi Steffen,
> * Steffen Joeris <[EMAIL PROTECTED]> [2008-05-02 14:46]:
>> Package: sip-tester
>> Severity: important
>> Tags: Security
>>
>> Hi
>>
>> The following CVE(0) has been issued against sip-tester.
>>
>> Please check if it applies to the Debian version.
>>
>> CVE-2008-1959:
>> Stack-based buffer overflow in the get_remote_video_port_media function
>> in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of
>> service and possibly execute arbitrary code via a crafted SIP message.
>> NOTE: some of these details are obtained from third party information.
> 
> BTW: the same issue affects get_remote_ip_media() and 
> get_remote_ipv6_media(), both unfixed in latest upstream 
> release (3.1) and the version in Debian:
> 
>     uint32_t get_remote_ip_media(char *msg)
>     {
>         char pattern[] = "c=IN IP4 ";
>         char *begin, *end;
>         char ip[32];
>         begin = strstr(msg, pattern);
>         if (!begin) {
>           /* Can't find what we're looking at -> return no address */
>           return INADDR_NONE;
>         }
>         begin += sizeof("c=IN IP4 ") - 1;
>         end = strstr(begin, "\r\n");
>         if (!end)
>           return INADDR_NONE;
>         memset(ip, 0, 32);
>         strncpy(ip, begin, end - begin);
>         return inet_addr(ip);
>     }
> 
>     uint8_t get_remote_ipv6_media(char *msg, struct in6_addr addr)
>     {
>         char pattern[] = "c=IN IP6 ";
>         char *begin, *end;
>         char ip[128];
>
>         memset(&addr, 0, sizeof(addr));
>         memset(ip, 0, 128);
>
>         begin = strstr(msg, pattern);
>         if (!begin) {
>           /* Can't find what we're looking at -> return no address */
>           return 0;
>         }
>         begin += sizeof("c=IN IP6 ") - 1;
>         end = strstr(begin, "\r\n");
>         if (!end)
>           return 0;
>         strncpy(ip, begin, end - begin);
> 
> 
> Kind regards
> Nico


-- 
ARAKI Yasuhiro

[EMAIL PROTECTED]
[EMAIL PROTECTED]

  deb http://cdn.debian.net/debian/ sid main
  deb-src http://cdn.debian.net/debian/ sid main
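
Added example, not part of the original thread and not SIPp's own code: in the two quoted functions, `strncpy(ip, begin, end - begin)` is bounded by the length of the attacker-supplied SDP line rather than by the size of `ip`, so a long `c=` line writes past the stack buffer. The sketch below shows one bounded way to extract the address. The names `sdp_field`, `get_remote_ip_media_checked` and `get_remote_ipv6_media_checked`, the pointer out-parameter and the 1/0 return convention of the IPv6 variant are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Copy the value that follows `pattern`, up to CRLF, into out[outlen].
 * Returns 0 on success, -1 if the pattern or CRLF is missing or the
 * value does not fit (the check the quoted code lacks). */
static int sdp_field(const char *msg, const char *pattern,
                     char *out, size_t outlen)
{
    const char *begin = strstr(msg, pattern);
    if (!begin)
        return -1;
    begin += strlen(pattern);
    const char *end = strstr(begin, "\r\n");
    if (!end)
        return -1;
    size_t len = (size_t)(end - begin);
    if (len >= outlen)          /* reject: no truncation, no overflow */
        return -1;
    memcpy(out, begin, len);
    out[len] = '\0';
    return 0;
}

/* Hypothetical bounded variant of get_remote_ip_media(). */
uint32_t get_remote_ip_media_checked(const char *msg)
{
    char ip[INET_ADDRSTRLEN];   /* longest dotted quad plus NUL */
    struct in_addr addr;
    if (sdp_field(msg, "c=IN IP4 ", ip, sizeof(ip)) != 0)
        return INADDR_NONE;
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return INADDR_NONE;
    return addr.s_addr;
}

/* Hypothetical bounded variant of get_remote_ipv6_media(); the result is
 * written through a pointer. Returns 1 on success, 0 otherwise (assumed). */
uint8_t get_remote_ipv6_media_checked(const char *msg, struct in6_addr *addr)
{
    char ip[INET6_ADDRSTRLEN];
    memset(addr, 0, sizeof(*addr));
    if (sdp_field(msg, "c=IN IP6 ", ip, sizeof(ip)) != 0)
        return 0;
    return inet_pton(AF_INET6, ip, addr) == 1;
}
```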


