Ekiga Format String Flaw Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1017673
SecurityTracker URL: http://securitytracker.com/id?1017673
CVE Reference: CVE-2007-1007
Updated: Feb 21 2007
Original Entry Date: Feb 20 2007
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.0.5

Description: A vulnerability was reported in Ekiga (formerly GnomeMeeting). A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted data to trigger a format string flaw and execute arbitrary code on the target system. The code will run with the privileges of the user running Ekiga.

The format string flaws reside in 'urlhandler.cpp', 'manager.cpp', and 'sip.cpp'.

Mu Security Team discovered this vulnerability.

The original advisory is available at:
http://labs.musecurity.com/advisories/MU-200702-01.txt

Impact: A remote user can execute arbitrary code on the target system.

Solution: The vendor has issued a fixed version (2.0.5), available at:
http://www.gnomemeeting.org/index.php?rub=5

Vendor URL: www.gnomemeeting.org/
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any)

Source Message Contents

Date: Tue, 20 Feb 2007 09:00:32 -0500
Subject: gnomemeeting

> A format string flaw was found in the way Ekiga processes certain messages from
> remote clients. This flaw could allow a remote attacker to execute arbitrary
> code as the user running Ekiga. This flaw also affects gnomemeeting
CVE-2007-1007