ID: CVE-2007-04924 BID-25955
Product: OPAL (Open Phone Abstraction Layer) is an implementation of various telephony and video communication protocols for use over packet based networks. It's based on code from the OpenH323 project and adds new features such as a stream based architecture, better support for re-use or removal of sub-components, and explicit support for additional protocols.
Scope: Remote Denial of Service
- [2007-06-11] Vulnerability discovered
- [2007-07-09] Vendor contacted
- [2007-08-15] Patched
- [2007-09-17] New version released
- [2007-10-08] Vulnerability published
Author: Jose Miguel Esparza
Affected versions: OPAL <= 2.2.8 (also the applications which use this library, for example Ekiga <= 2.0.9)
Description: Thanks to an insufficient input validation of the Content-Length field of a SIP request it is possible to write a null byte causing a denial of service (crash) of the application using this library.