Ekiga crashes when another Ekiga neighbor quits

Bug #909470 reported by Erik Meitner
This bug affects 1 person
Affects: ekiga (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

To reproduce:
Computers A and B are on the same LAN, running the same version of Ekiga on Ubuntu 10.04.

1. Computer A: Run Ekiga
2. Computer A: Enable an account, SIP or Ekiga.net. Registration need not be successful.
3. Computer B: Run Ekiga
4. See Ekiga on A and B show the other computer in the "Neighbors" list.
5. Computer B: Chat menu->Quit
6. (If no crash happens go back to step 3. Should not have to repeat more than three times to reproduce.)
7. Computer A: Ekiga segfaults

A tcpdump capture taken the moment when Ekiga on computer B quits shows:
13:19:52.533988 IP 10.1.1.100.5353 > 224.0.0.251.5353: 0*- [0q] 10/0/0[|domain]
13:19:53.538820 IP 10.1.1.180.5060 > 10.1.1.100.5060: SIP, length: 624
13:19:53.539017 IP 10.1.1.100 > 10.1.1.180: ICMP 10.1.1.100 udp port 5060 unreachable, length 556
A=10.1.1.180
B=10.1.1.100

This should be considered a serious bug as it represents a remote denial of service flaw. Thus I am marking it as a security vulnerability.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: ekiga 3.2.6-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-35.78-generic 2.6.32.46+drm33.20
Uname: Linux 2.6.32-35-generic x86_64
Architecture: amd64
Date: Wed Dec 28 12:26:02 2011
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/ekiga
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
ProcCmdline: ekiga -d -u
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LANGUAGE=en_US:en
SegvAnalysis:
 Segfault happened at: 0x7f78ad339533 <_ZSt18_Rb_tree_incrementPSt18_Rb_tree_node_base+19>: mov 0x10(%rdx),%rdx
 PC (0x7f78ad339533) ok
 source "0x10(%rdx)" (0x726f746361465048) not located in a known VMA region (needed readable region)!
 destination "%rdx" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: ekiga
StacktraceTop:
 std::_Rb_tree_increment(std::_Rb_tree_node_base*) ()
 Ekiga::HeapImpl<Ekiga::URIPresentity>::visit_presentities(sigc::slot1<bool, gmref_ptr<Ekiga::Presentity> >) ()
 Avahi::Heap::BrowserCallback(AvahiServiceBrowser*, int, int, AvahiBrowserEvent, char const*, char const*, char const*, AvahiLookupResultFlags) ()
 avahi_service_browser_event ()
 ?? () from /usr/lib/libavahi-client.so.3
Title: ekiga crashed with SIGSEGV in std::_Rb_tree_increment()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Erik Meitner (e.meitner) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 std::_Rb_tree_increment (__x=0x726f746361465038) at ../../../../src/libstdc++-v3/src/tree.cc:63
 operator++ (this=<optimized out>) at /usr/include/c++/4.4/bits/stl_tree.h:184
 visit_objects (visitor=<optimized out>, this=<optimized out>) at ../../../../lib/engine/framework/reflister.h:108
 Ekiga::HeapImpl<Ekiga::URIPresentity>::visit_presentities (this=<optimized out>, visitor=<optimized out>) at ../../../../lib/engine/presence/heap-impl.h:126
 Avahi::Heap::BrowserCallback (this=0x7f789800cf20, browser=<optimized out>, interface=<optimized out>, protocol=<optimized out>, event=<optimized out>, name=<optimized out>, type=0x1d94718 "_sip._udp", domain=0x1d94728 "local") at ../../../../lib/engine/components/avahi/avahi-heap.cpp:209

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in ekiga (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Jamie Strandboge (jdstrand) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
visibility: private → public
Eugen Dedu (eugen-dedu) wrote :

Indeed, this crash was fixed in ekiga 3.3.1, so it is fixed by now.

Changed in ekiga (Ubuntu):
status: New → Fix Released