CVE-2012-5621: Input Validation
First published: Mon Dec 03 2012(Updated: )
A denial of service flaw was found in the way Ekiga, a Gnome based SIP/H323 teleconferencing application, processed information from certain OPAL connections (UTF-8 strings were not verified for validity prior showing them). A remote attacker (other party with a not UTF-8 valid name) could use this flaw to cause ekiga executable crash. Upstream bug report: [1] <a href="https://bugzilla.gnome.org/show_bug.cgi?id=653009">https://bugzilla.gnome.org/show_bug.cgi?id=653009</a> Relevant upstream patch: [2] <a href="http://git.gnome.org/browse/ekiga/commit/?id=7d09807257">http://git.gnome.org/browse/ekiga/commit/?id=7d09807257</a> References: [3] <a href="http://ftp.gnome.org/pub/gnome/sources/ekiga/4.0/ekiga-4.0.0.news">http://ftp.gnome.org/pub/gnome/sources/ekiga/4.0/ekiga-4.0.0.news</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Ekiga | <4.0.0 | 4.0.0 |
| Ekiga | <=3.9.90 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://ftp.gnome.org/pub/gnome/sources/ekiga/4.0/ekiga-4.0.0.news
- http://seclists.org/oss-sec/2012/q4/407
- http://www.securityfocus.com/bid/56790
- https://blogs.oracle.com/sunsecurity/entry/cve_2012_5621_denial_of
- https://bugzilla.redhat.com/show_bug.cgi?id=883058
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80640
- https://git.gnome.org/browse/ekiga/commit/?id=7d09807257
- https://lists.fedoraproject.org/pipermail/package-announce/2013-March/099554.html
- https://bugzilla.gnome.org/show_bug.cgi?id=653009
- http://git.gnome.org/browse/ekiga/commit/?id=7d09807257
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=883063
- http://www.openwall.com/lists/oss-security/2012/12/03/5
- https://access.redhat.com/security/cve/CVE-2012-5621
- http://www.openwall.com/lists/oss-security/2012/12/04/3
- http://opalvoip.svn.sourceforge.net/viewvc/opalvoip?view=revision&revision=28824
- http://opalvoip.svn.sourceforge.net/viewvc/opalvoip/ptlib/trunk/samples/pxml/main.cxx?revision=28826&view=markup
Frequently Asked Questions
What is the severity of CVE-2012-5621?
CVE-2012-5621 has a severity rating indicating a denial of service vulnerability that could disrupt service for Ekiga users.
How does CVE-2012-5621 affect Ekiga?
CVE-2012-5621 affects Ekiga by allowing a remote attacker to cause a denial of service through invalid UTF-8 strings.
How do I fix CVE-2012-5621?
To fix CVE-2012-5621, upgrade to a version of Ekiga that is above 3.9.90, as later versions have addressed this vulnerability.
Who is impacted by CVE-2012-5621?
Users of Ekiga versions 3.9.90 and below are impacted by CVE-2012-5621 and should take action to mitigate the risk.
Can CVE-2012-5621 be exploited remotely?
Yes, CVE-2012-5621 can be exploited remotely by any party sending invalid UTF-8 data to Ekiga.
- agent/type
- agent/references
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5621
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/ekiga
- canonical/ekiga
- version/ekiga/3.9.90