Info

Disclosure

Feb 13, 2007

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Ekiga softphone contains a flaw that may allow a malicious user to execute arbitrary code resulting in a loss of integrity. This issue is caused due to a format string error within the 'gm_main_window_flash_message()' function in src/endpoints/urlhandler.cpp, src/endpoints/manager.cpp and src/endpoints/sip.cpp.

Classification

Location: Remote / Network Access, Local / Remote, Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Upgrade to version 2.0.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Ekiga	Ekiga	2.0.0
		2.0.1
		2.0.2
		2.0.3
		2.0.4
		1.99.0
		1.99.1

References

Security Tracker: 1017673
CVE ID: 2007-1006 (see also: NVD)
Bugtraq ID: 22613
Secunia Advisory ID: 24194 24228 24229 24379 24680 25119
VUPEN Advisory: ADV-2007-0655
Other Advisory URL: http://fedoranews.org/cms/node/2682
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00017.html
http://lists.suse.com/archive/suse-security-announce/2007-May/0002.html
http://www.gentoo.org/security/en/glsa/glsa-200703-25.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2007:044
Mail List Post: http://mail.gnome.org/archives/ekiga-list/2007-February/msg00060.html
Vendor URL: http://www.ekiga.org/

Credit

Mu Security - -

Direct URL: http://osvdb.org/31939