FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libzrtpcpp -- multiple security vulnerabilities

Affected packages
libzrtpcpp < 2.3.4

Details

VuXML ID 04320e7d-ea66-11e2-a96e-60a44c524f57
Discovery 2013-06-27
Entry 2013-07-11

Mark Dowd reports:

Vulnerability 1. Remote Heap Overflow: If an attacker sends a packet larger than 1024 bytes that gets stored temporarily (which occurs many times - such as when sending a ZRTP Hello packet), a heap overflow will occur, leading to potential arbitrary code execution on the vulnerable host.

Vulnerability 2. Multiple Stack Overflows: ZRTPCPP contains multiple stack overflows that arise when preparing a response to a client's ZRTP Hello packet.

Vulnerability 3. Information Leaking / Out of Bounds Reads: The ZRTPCPP library performs very little validation regarding the expected size of a packet versus the actual amount of data received. This can lead to both information leaking and out of bounds data reads (usually resulting in a crash). Information leaking can be performed for example by sending a malformed ZRTP Ping packet.

References

CVE Name CVE-2013-2221
CVE Name CVE-2013-2222
CVE Name CVE-2013-2223