CVE-2013-1864: Buffer Overflow
First published: Fri May 23 2014(Updated: )
The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a "billion laughs attack."
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| opal Open Phone Abstraction Library | =2.10.1 | |
| opal Open Phone Abstraction Library | =2.10.2 | |
| opal Open Phone Abstraction Library | =2.10.7 | |
| opal Open Phone Abstraction Library | =2.10.9 | |
| Ekiga | <=4.0.0 | |
| SUSE Linux Enterprise Software Development Kit | =11.0-sp3 | |
| SUSE Linux Enterprise Desktop | =11.0-sp3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099553.html
- http://osvdb.org/91439
- http://seclists.org/oss-sec/2013/q1/674
- http://secunia.com/advisories/52659
- http://sourceforge.net/p/opalvoip/code/28856
- http://www.ekiga.org/news/2013-02-21/ekiga-4.0.1-stable-available
- http://www.securityfocus.com/bid/58520
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82885
- https://www.suse.com/support/update/announcement/2014/suse-su-20140237-1.html
Frequently Asked Questions
What is the severity of CVE-2013-1864?
CVE-2013-1864 has a severity rating that indicates it can lead to denial of service due to excessive memory and CPU consumption.
How do I fix CVE-2013-1864?
To mitigate CVE-2013-1864, upgrade the Portable Tool Library to version 2.10.10 or later and ensure Ekiga is updated to version 4.0.1 or later.
Which versions are affected by CVE-2013-1864?
CVE-2013-1864 affects Portable Tool Library versions prior to 2.10.10 and Ekiga versions up to and including 4.0.0.
What is the nature of the vulnerability in CVE-2013-1864?
CVE-2013-1864 allows attackers to exploit improper recursion detection during entity expansion, leading to potential denial of service.
Is CVE-2013-1864 a local or remote vulnerability?
CVE-2013-1864 is considered a remote vulnerability as it can be exploited by sending a crafted PXML document from an external source.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/opalvoip
- canonical/opal open phone abstraction library
- version/opal open phone abstraction library/2.10.1
- version/opal open phone abstraction library/2.10.2
- version/opal open phone abstraction library/2.10.7
- version/opal open phone abstraction library/2.10.9
- vendor/ekiga
- canonical/ekiga
- version/ekiga/4.0.0
- vendor/suse
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/11.0-sp3
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/11.0-sp3