Package: ekiga Version: 2.0.3-2 Severity: grave Tags: patch, security, fixed-upstream
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1006 says: "Multiple format string vulnerabilities in the gm_main_window_flash_message function in Ekiga before 2.0.5 allow attackers to cause a denial of service and possibly execute arbitrary code via a crafted Q.931 SETUP packet." See attached patch for upstream fix. -- Kees Cook @outflux.net
Index: urlhandler.cpp
===================================================================
--- urlhandler.cpp (revision 4825)
+++ urlhandler.cpp (revision 4826)
@@ -532,13 +532,13 @@
 if (call_address.Find ("+type=directory") != P_MAX_INDEX) {
- gm_main_window_flash_message (main_window, _("User not found"));
+ gm_main_window_flash_message (main_window, "%s", _("User not found"));
 call_history_item->end_reason = g_strdup (_("User not found"));
 endpoint->SetCallingState (GMManager::Standby);
 } else {
- gm_main_window_flash_message (main_window, _("Failed to call user"));
+ gm_main_window_flash_message (main_window, "%s", _("Failed to call user"));
 call_history_item->end_reason = g_strdup (_("Failed to call user"));
 }
Index: manager.cpp
===================================================================
--- manager.cpp (revision 4825)
+++ manager.cpp (revision 4826)
@@ -715,7 +715,7 @@
 gnomemeeting_threads_enter ();
 msg = g_strdup_printf (_("Forwarding call to %s"), (const char*) forward_party);
- gm_main_window_flash_message (main_window, msg);
+ gm_main_window_flash_message (main_window, "%s", msg);
 gm_history_window_insert (history_window, msg);
 gnomemeeting_threads_leave ();
 g_free (msg);
@@ -873,7 +873,7 @@
 /* Update the log and status bar */
 msg = g_strdup_printf (_("Call from %s"), (const char *) utf8_name);
 gnomemeeting_threads_enter ();
- gm_main_window_flash_message (main_window, msg);
+ gm_main_window_flash_message (main_window, "%s", msg);
 gm_chat_window_push_info_message (chat_window, NULL, msg);
 gm_history_window_insert (history_window, msg);
 gnomemeeting_threads_leave ();
@@ -913,7 +913,7 @@
 /* Display the action message */
 gnomemeeting_threads_enter ();
 if (short_reason)
- gm_main_window_flash_message (main_window, short_reason);
+ gm_main_window_flash_message (main_window, "%s", short_reason);
 if (long_reason) gm_history_window_insert (history_window, long_reason);
 gnomemeeting_threads_leave ();
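Review bot: Each hunk in this patch repairs one call site, but nothing visible stops a later caller from passing a non-literal string as the format again. The declaration of `gm_main_window_flash_message` (outside this diff) should carry GLib's printf attribute, `G_GNUC_PRINTF (2, 3)`, assuming the format is the second parameter as these calls suggest. Building with `-Wformat -Wformat-security` would then flag any remaining or future `gm_main_window_flash_message (main_window, msg)` call. This applies equally to the calls fixed in manager.cpp and sip.cpp. In this urlhandler.cpp hunk the arguments are translated literals, so the added `"%s"` guards against a stray conversion in a message catalog rather than against remote input.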
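Review bot: In the manager.cpp hunk at -715, the same `msg`, built from `forward_party`, is still passed as the only string argument to `gm_history_window_insert (history_window, msg)` on the line after the fixed call. That function's prototype is not visible here; if it is printf-style like `gm_main_window_flash_message`, the line needs the same change, `gm_history_window_insert (history_window, "%s", msg);`. The pattern recurs in the hunks at -873, -913 (`long_reason`), -1351 (`msg_reason`) and sip.cpp -319. `gm_chat_window_push_info_message (chat_window, NULL, msg)` at -873 and -1061 deserves the same check. The enclosing function starts and ends outside the hunk.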
@@ -1061,7 +1061,7 @@
 msg = g_strdup_printf (_("Connected with %s"), utf8_name);
 gm_main_window_set_status (main_window, utf8_name);
 gm_main_window_set_panel_section (main_window, CALL);
- gm_main_window_flash_message (main_window, msg);
+ gm_main_window_flash_message (main_window, "%s", msg);
 gm_chat_window_push_info_message (chat_window, NULL, msg);
 gm_main_window_update_calling_state (main_window, GMManager::Connected);
 gm_chat_window_update_calling_state (chat_window,
@@ -1351,7 +1351,7 @@
 gm_calls_history_item_free (call_history_item);
 gm_history_window_insert (history_window, msg_reason);
- gm_main_window_flash_message (main_window, msg_reason);
+ gm_main_window_flash_message (main_window, "%s", msg_reason);
 gm_chat_window_push_info_message (chat_window, NULL, "");
 gnomemeeting_threads_leave ();
Index: sip.cpp
===================================================================
--- sip.cpp (revision 4825)
+++ sip.cpp (revision 4826)
@@ -319,7 +319,7 @@
 #endif
 gm_history_window_insert (history_window, msg);
- gm_main_window_flash_message (main_window, msg);
+ gm_main_window_flash_message (main_window, "%s", msg);
 if (endpoint.GetCallingState() == GMManager::Standby) gm_main_window_set_account_info (main_window, endpoint.GetRegisteredAccounts());
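Review bot: In the manager.cpp hunk at -1061, `gm_main_window_set_status (main_window, utf8_name)` passes `utf8_name` itself as the only string argument, two lines above the call this hunk fixes. `utf8_name` appears to hold the remote party's name, since the same hunk formats it into "Connected with %s". The prototype of `gm_main_window_set_status` is outside this diff; if it takes a printf-style format, the call should read `gm_main_window_set_status (main_window, "%s", utf8_name);`. If it takes a plain string, a short comment at the call saying so would spare the next reviewer the same question. The enclosing function starts before the hunk and continues past it.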