tags 479039 + patch thanks Hi, attached is a patch to fix the above issues. It's also archived on: http://people.debian.org/~nion/nmu-diff/sip-tester-2.0.1-1.1_2.0.1-1.2.patch
Kind regards Nico P.S. You should maybe update your record in the MIA database; according to the database, you are MIA. -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u sip-tester-2.0.1/debian/changelog sip-tester-2.0.1/debian/changelog
--- sip-tester-2.0.1/debian/changelog
+++ sip-tester-2.0.1/debian/changelog
@@ -1,3 +1,12 @@
+sip-tester (2.0.1-1.2) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2008-1959: Fix stack-based buffer overflows in the
+ get_remote_video_port_media, get_remote_ip_media and get_remote_ipv6_media
+ functions which lead to arbitrary code execution (Closes: #479039).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sun, 04 May 2008 13:58:41 +0200
+
sip-tester (2.0.1-1.1) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- sip-tester-2.0.1.orig/call.cpp
+++ sip-tester-2.0.1/call.cpp
@@ -409,7 +409,10 @@
char pattern[] = "c=IN IP4 ";
char *begin, *end;
char ip[32];
- begin = strstr(msg, pattern);
+ char *tmp = strdup(msg);
+
+ if(!tmp) return INADDR_NONE;
+ begin = strstr(tmp, pattern);
if (!begin) {
/* Can't find what we're looking at -> return no address */
return INADDR_NONE;
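Review bot: The copy made by `strdup(msg)` is leaked on the `if (!begin)` early return here, because `free(tmp)` is only reached on the success path in the next hunk. The same leak is on the `if (!end)` return in that next hunk and on the matching early returns in the IP6, `m=audio` and `m=video` hunks below. If `msg` is a message received from the peer, every message lacking the expected line leaks a full copy, so remote input can grow the process without bound. Release the copy before each return, e.g. `if (!begin) { free(tmp); return INADDR_NONE; }`. The function starts above this hunk, so its signature is not visible here.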
@@ -418,8 +421,11 @@
end = strstr(begin, "\r\n");
if (!end)
return INADDR_NONE;
+ *end = 0;
memset(ip, 0, 32);
- strncpy(ip, begin, end - begin);
+ strncpy(ip, begin, sizeof(ip) - 1);
+ ip[sizeof(ip) - 1] = 0;
+ free(tmp);
return inet_addr(ip);
}
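Review bot: An address field longer than the buffer is silently truncated by `strncpy(ip, begin, sizeof(ip) - 1)` and the remainder is still handed to `inet_addr`, where it would be cleaner to reject the line as malformed. Measuring the field removes the need for the heap copy and the `*end = 0` write altogether: `size_t len = end - begin;` `if (len >= sizeof(ip)) return INADDR_NONE;` `memcpy(ip, begin, len);` reading straight from `msg`, with the existing `memset` supplying the terminator. The same shape applies to the IP6 and port hunks below, and it also removes the early-return leaks of `tmp`.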
@@ -432,11 +438,13 @@
char pattern[] = "c=IN IP6 ";
char *begin, *end;
char ip[128];
+ char *tmp = strdup(msg);
memset(&addr, 0, sizeof(addr));
memset(ip, 0, 128);
- begin = strstr(msg, pattern);
+ if(!tmp) return 0;
+ begin = strstr(tmp, pattern);
if (!begin) {
/* Can't find what we're looking at -> return no address */
return 0;
@@ -445,7 +453,11 @@
end = strstr(begin, "\r\n");
if (!end)
return 0;
- strncpy(ip, begin, end - begin);
+
+ *end = 0;
+ strncpy(ip, begin, sizeof(ip) - 1);
+ ip[sizeof(ip) - 1] = 0;
+ free(tmp);
if (!inet_pton(AF_INET6, ip, &addr)) {
return 0;
}
@@ -461,7 +473,10 @@
char pattern[] = "m=audio ";
char *begin, *end;
char number[6];
- begin = strstr(msg, pattern);
+ char *tmp = strdup(msg);
+
+ if(!tmp) return 0;
+ begin = strstr(tmp, pattern);
if (!begin) {
/* m=audio not found */
return 0;
@@ -470,8 +485,12 @@
end = strstr(begin, "\r\n");
if (!end)
ERROR("get_remote_audio_port_media: no CRLF found");
+
+ *end = 0;
memset(number, 0, sizeof(number));
strncpy(number, begin, sizeof(number) - 1);
+ number[sizeof(number) - 1] = 0;
+ free(tmp);
return atoi(number);
}
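Review bot: The new `*end = 0;` runs right after `if (!end) ERROR(...)`, so it dereferences a null pointer unless `ERROR` never returns; the macro's definition is not visible in this patch. The video hunk below has the same sequence. Making the branch explicit removes that dependency: `if (!end) { free(tmp); ERROR("get_remote_audio_port_media: no CRLF found"); return 0; }`. A missing CRLF is attacker-controllable input, so this path should not depend on a macro's side effect for memory safety.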
@@ -484,7 +503,10 @@
char pattern[] = "m=video ";
char *begin, *end;
char number[5];
- begin = strstr(msg, pattern);
+ char *tmp = strdup(msg);
+
+ if(!tmp) return 0;
+ begin = strstr(tmp, pattern);
if (!begin) {
/* m=video not found */
return 0;
@@ -493,8 +515,12 @@
end = strstr(begin, "\r\n");
if (!end)
ERROR("get_remote_video_port_media: no CRLF found");
+
+ *end = 0;
memset(number, 0, 5);
- strncpy(number, begin, end - begin);
+ strncpy(number, begin, sizeof(number) - 1);
+ number[sizeof(number) - 1] = 0;
+ free(tmp);
return atoi(number);
}
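Review bot: With `char number[5]`, the new `strncpy(number, begin, sizeof(number) - 1)` keeps only four characters, so a five-digit video port such as 49170 is silently truncated to 4917. The audio function uses `char number[6]`, which fits the largest port plus the terminator. The declaration in the preceding hunk should become `char number[6];`, and the `memset(number, 0, 5)` should use `sizeof(number)` so the two cannot drift apart again. `atoi` also gives no error indication, so a non-numeric or out-of-range field comes back as an ordinary integer; a `strtol` call with a 1–65535 range check would let the caller tell a bad SDP line from a real port.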

