Ekiga: Format string vulnerability — GLSA 200703-25

A format string vulnerability in Ekiga may allow the remote execution of arbitrary code.

Affected Packages

net-voip/ekiga on all architectures
Affected versions < 2.0.7
Unaffected versions >= 2.0.7

Background

Ekiga is an open source VoIP and video conferencing application.

Description

Mu Security has discovered that Ekiga fails to implement formatted printing correctly.

Impact

An attacker could exploit this vulnerability to crash Ekiga and potentially execute arbitrary code by sending a specially crafted Q.931 SETUP packet to a victim.

Workaround

There is no known workaround at this time.

Resolution

All Ekiga users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-voip/ekiga-2.0.7"

References

Release Date
March 29, 2007

Latest Revision
May 28, 2009: 02

Severity
high

Exploitable
remote

Bugzilla entries