heise Security IT security news and services at heise Security UK
10 October 2007, 09:05

Security vulnerability in open source library for IP telephony

The Open Phone Abstraction Library (opal) contains a vulnerability that might be exploited by means of manipulated 'Content Length' header fields in SIP packets to crash SIP applications. Opal is a protocol library that, in addition to SIP, also supports H.323 and video conference standards. The Ekiga free Open Source VoIP softphone is one of the applications that use the library. The flaw in opal's CVS was resolved back in August, but hardly any Linux distributors have published updated packages yet. Red Hat is the only distributor to publish the updated opal packages so far. Version 2.0.10 of Ekiga, which has been available since late September, was released to address this issue.


(mba)
