Bugzilla – Bug 828028
VUL-0: ZRTPCPP: multiple issues (CVE-2013-2221 CVE-2013-2222 CVE-2013-2223)
Last modified: 2015-02-18 23:34:46 UTC
public, via oss-sec and others

From: Dan Rosenberg <dan.j.rosenberg@gmail.com>

I'd like to request CVEs for multiple security vulnerabilities discovered, reported, and published by Mark Dowd of Azimuth Security in GNU ZRTPCPP, an open-source ZRTP implementation used in a number of "secure phone" solutions:

http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html

1. Remote heap overflow

A remote attacker can cause a heap-based buffer overflow by sending an overly-large ZRTP packet of several possible types, including a "Hello" packet. Successful exploitation would allow an attacker to execute arbitrary code in the context of a vulnerable application.

2. Multiple remote stack overflows

A remote attacker can cause multiple stack-based buffer overflows by sending a malformed ZRTP Hello packet with an overly-large value in certain fields, including the count of public keys. Exploitation may be difficult due to the details of the layout of stack variables in memory, but successful exploitation would allow an attacker to execute arbitrary code in the context of a vulnerable application.

3. Multiple remote heap memory disclosures

By sending a truncated ZRTP Ping packet, the response packet will include several bytes of the affected application's heap memory due to a lack of validation on the incoming packet. This flaw could be exploited to gain knowledge about the heap state of an affected application to enable further attacks, or potentially reveal sensitive information stored on the heap.

The fixes for all of these flaws were included in the following commit:

https://github.com/wernerd/ZRTPCPP/commit/c8617100f359b217a974938c5539a1dd8a120b0e

Regards,
Dan
From Kurt:

> 1. Remote heap overflow
>
> A remote attacker can cause a heap-based buffer overflow by sending
> an overly-large ZRTP packet of several possible types, including a
> "Hello" packet. Successful exploitation would allow an attacker to
> execute arbitrary code in the context of a vulnerable application.

Please use CVE-2013-2221 for this issue.

> 2. Multiple remote stack overflows
>
> A remote attacker can cause multiple stack-based buffer overflows
> by sending a malformed ZRTP Hello packet with an overly-large value
> in certain fields, including the count of public keys. Exploitation
> may be difficult due to the details of the layout of stack
> variables in memory, but successful exploitation would allow an
> attacker to execute arbitrary code in the context of a vulnerable
> application.

Please use CVE-2013-2222 for this issue.

> 3. Multiple remote heap memory disclosures
>
> By sending a truncated ZRTP Ping packet, the response packet will
> include several bytes of the affected application's heap memory due
> to a lack of validation on the incoming packet. This flaw could be
> exploited to gain knowledge about the heap state of an affected
> application to enable further attacks, or potentially reveal
> sensitive information stored on the heap.

Please use CVE-2013-2223 for this issue.
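The three parsing gaps that Dan's report and Kurt's CVE assignment describe (an oversized packet copied into a fixed buffer, an unbounded algorithm count in Hello filling a fixed stack array, and a truncated Ping whose echo leaks bytes past the received data) as an added, constructed C example. This is not ZRTPCPP code and not the fix from the referenced commit; only the 12-byte ZRTP message header (0x505a preamble, length in 32-bit words, 8-byte type) follows RFC 6189, while the Hello body, the Ping body, the buffer sizes MAX_MSG_BYTES and MAX_ALGOS, and the sample packets are assumptions made for the example. Each vulnerable pattern is shown beside the check that closes it.

```c
/* Added illustration (not ZRTPCPP code): a constructed, simplified ZRTP-style
 * parser showing the three checks whose absence the advisory describes, each
 * beside the hardened form. Only the 12-byte header follows RFC 6189; the
 * bodies, sizes and sample packets below are assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ZRTP_PREAMBLE 0x505a /* RFC 6189 5.1: every message starts with 0x505a    */
#define HDR_LEN       12     /* preamble(2) + length in 32-bit words(2) + type(8)  */
#define MAX_MSG_BYTES 256    /* assumed size of the fixed receive/copy buffer      */
#define MAX_ALGOS     7      /* assumed capacity of the per-type algorithm list    */
#define ALGO_LEN      8      /* ZRTP algorithm identifiers are 8-byte blocks       */
#define PING_HASH_LEN 8      /* simplified Ping: 8-byte endpoint hash after header */

enum verdict { Z_OK = 0, Z_SHORT, Z_BAD_PREAMBLE, Z_BAD_LENGTH, Z_BAD_COUNT };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check 1 (heap overflow): the declared length, in 32-bit words, must be bounded
 * by the bytes actually received AND by the buffer it is copied into. The
 * vulnerable pattern is memcpy(fixed_buf, pkt, rd16(pkt + 2) * 4) with no check. */
enum verdict check_header(const uint8_t *buf, size_t avail, size_t *msg_len)
{
    if (avail < HDR_LEN)            return Z_SHORT;
    if (rd16(buf) != ZRTP_PREAMBLE) return Z_BAD_PREAMBLE;
    size_t len = (size_t)rd16(buf + 2) * 4;
    if (len < HDR_LEN || len > avail || len > MAX_MSG_BYTES) return Z_BAD_LENGTH;
    *msg_len = len;
    return Z_OK;
}

/* Check 2 (stack overflow): the Hello body here is one count byte followed by
 * that many 8-byte key-agreement names. Vulnerable pattern: trust the count and
 * fill a fixed stack array; a count of 255 writes far past MAX_ALGOS entries. */
size_t hello_keyagree_vulnerable(const uint8_t *buf, char names[MAX_ALGOS][ALGO_LEN + 1])
{
    uint8_t kc = buf[HDR_LEN];
    for (size_t i = 0; i < kc; i++) {                   /* no bound on i */
        memcpy(names[i], buf + HDR_LEN + 1 + i * ALGO_LEN, ALGO_LEN);
        names[i][ALGO_LEN] = '\0';
    }
    return kc;
}

/* Hardened: header first, then the count against the array capacity, then the
 * list against the declared message length so no read runs off the packet. */
enum verdict hello_keyagree(const uint8_t *buf, size_t avail,
                            char names[MAX_ALGOS][ALGO_LEN + 1], size_t *count)
{
    size_t msg_len;
    enum verdict v = check_header(buf, avail, &msg_len);
    if (v != Z_OK) return v;
    if (msg_len < HDR_LEN + 1) return Z_SHORT;
    uint8_t kc = buf[HDR_LEN];
    if (kc > MAX_ALGOS) return Z_BAD_COUNT;
    if (HDR_LEN + 1 + (size_t)kc * ALGO_LEN > msg_len) return Z_SHORT;
    for (size_t i = 0; i < kc; i++) {
        memcpy(names[i], buf + HDR_LEN + 1 + i * ALGO_LEN, ALGO_LEN);
        names[i][ALGO_LEN] = '\0';
    }
    *count = kc;
    return Z_OK;
}

/* Check 3 (heap disclosure): PingACK echoes the endpoint hash from the Ping. If
 * a truncated Ping is accepted because only the header's length is trusted, the
 * echo copies whatever sits past the received bytes in the receive buffer, i.e.
 * stale heap data, back to the sender. Here the byte count must cover the hash. */
int build_pingack(const uint8_t *ping, size_t avail, uint8_t *out, size_t out_cap)
{
    size_t msg_len;
    if (check_header(ping, avail, &msg_len) != Z_OK) return -1;
    if (msg_len < HDR_LEN + PING_HASH_LEN || out_cap < HDR_LEN + PING_HASH_LEN) return -1;
    memcpy(out, "\x50\x5a\x00\x05PingACK ", HDR_LEN);     /* 5 words = 20 bytes   */
    memcpy(out + HDR_LEN, ping + HDR_LEN, PING_HASH_LEN); /* bytes proven present */
    return HDR_LEN + PING_HASH_LEN;
}

/* Constructed sample Hello with kc key-agreement entries; returns its length. */
size_t make_hello(uint8_t *out, uint8_t kc)
{
    size_t len = (HDR_LEN + 1 + (size_t)kc * ALGO_LEN + 3) & ~(size_t)3; /* pad to words */
    memset(out, 0, len);
    out[0] = 0x50; out[1] = 0x5a; out[2] = (uint8_t)((len / 4) >> 8); out[3] = (uint8_t)(len / 4);
    memcpy(out + 4, "Hello   ", 8);
    out[HDR_LEN] = kc;
    for (size_t i = 0; i < kc; i++)
        memcpy(out + HDR_LEN + 1 + i * ALGO_LEN, (i & 1) ? "DH3k    " : "EC25    ", ALGO_LEN);
    return len;
}

/* Runs each case once; returns the number of failed checks (0 = all passed). */
int selftest(void)
{
    static uint8_t pkt[4096]; char names[MAX_ALGOS][ALGO_LEN + 1]; uint8_t ack[32];
    size_t n = 0, len; int bad = 0;
    len = make_hello(pkt, 2);                                     /* sane 32-byte Hello   */
    bad += !(len == 32 && hello_keyagree(pkt, len, names, &n) == Z_OK && n == 2);
    bad += !(strcmp(names[0], "EC25    ") == 0 && strcmp(names[1], "DH3k    ") == 0);
    bad += !(hello_keyagree_vulnerable(pkt, names) == 2);         /* agrees on sane input */
    bad += !(hello_keyagree(pkt, len - 4, names, &n) == Z_BAD_LENGTH); /* truncated Hello */
    len = make_hello(pkt, 20);                                    /* 176 bytes, count 20  */
    bad += !(hello_keyagree(pkt, len, names, &n) == Z_BAD_COUNT);
    len = make_hello(pkt, 40);                                    /* 336 bytes > buffer   */
    bad += !(hello_keyagree(pkt, len, names, &n) == Z_BAD_LENGTH);
    memcpy(pkt, "\x50\x5a\x00\x05Ping    \x01\x02\x03\x04\x05\x06\x07\x08", 20);
    bad += !(build_pingack(pkt, 20, ack, sizeof ack) == 20 && memcmp(ack + 12, pkt + 12, 8) == 0);
    bad += !(build_pingack(pkt, 14, ack, sizeof ack) == -1);      /* truncated Ping refused */
    return bad;
}

int main(void)
{
    int bad = selftest();
    printf("%d check(s) failed\n", bad);
    return bad != 0;
}
```

Build and run with `cc -Wall example.c && ./a.out`; the point to take away is the ordering: the header length is validated against the received byte count and the destination buffer before anything else is read, and every count pulled out of the body is checked against both the array it indexes and the validated message length.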
bugbot adjusting priority
New version fails to compile and breaks 3rd-party packages. Patch does not apply to old 2.3.2.
11.4: created request id Request: #203758
12.1: sr to openSUSE:12.1:Update: BuildService API error: Server did not define a default maintenance project, can't submit.
12.2: created request id Request: #203760
12.3: created request id Request: #203761
13.1: created request id Request: #203762
This is an autogenerated message for OBS integration:

This bug (828028) was mentioned in
https://build.opensuse.org/request/show/203758 Evergreen:11.4 / libzrtpcpp
https://build.opensuse.org/request/show/203760 12.2 / libzrtpcpp
https://build.opensuse.org/request/show/203761 12.3 / libzrtpcpp
https://build.opensuse.org/request/show/203762 13.1 / libzrtpcpp
As this update fixes security issues, I changed the needinfo to our security team.
Everything accepted and waiting for release. 12.1 is not maintained anymore.
Even if 12.1 is not officially maintained anymore, does it hurt to place the fixed package there? It was rather easy to procure libzrtpcpp.
openSUSE-SU-2013:1599-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 828028
CVE References: CVE-2013-2221, CVE-2013-2222, CVE-2013-2223
Sources used:
openSUSE 12.3 (src): libzrtpcpp-2.0.0-8.4.1
openSUSE 12.2 (src): libzrtpcpp-2.0.0-6.4.1
openSUSE-SU-2013:1600-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 828028
CVE References: CVE-2013-2221, CVE-2013-2222, CVE-2013-2223
Sources used:
openSUSE 11.4 (src): libzrtpcpp-1.6.0-6.1
SUSE employees are asked not to work on discontinued products, like e.g. 12.1 at this time.