CVE-2013-2223

EUVD-2013-2176
GNU ZRTPCPP before 3.2.0 allows remote attackers to obtain sensitive information (uninitialized heap memory) or cause a denial of service (out-of-bounds read) via a crafted packet, as demonstrated by a truncated Ping packet that is not properly handled by the getEpHash function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
Affected Products (NVD)
VendorProductVersion
wernerdzrtpcpp
𝑥
≤ 3.2.1
wernerdzrtpcpp
2.1.2
wernerdzrtpcpp
2.2.0
wernerdzrtpcpp
2.3.0
wernerdzrtpcpp
3.0.0:alpha
wernerdzrtpcpp
3.1.0
wernerdzrtpcpp
3.2.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libzrtpcpp
artful
dne
bionic
dne
cosmic
dne
disco
dne
lucid
ignored
precise
ignored
quantal
ignored
raring
ignored
saucy
ignored
trusty
dne
utopic
ignored
vivid
ignored
wily
ignored
xenial
not-affected
yakkety
not-affected
zesty
dne
Common Weakness Enumeration
References
http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00052.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00053.html
http://seclists.org/oss-sec/2013/q2/638
http://secunia.com/advisories/53818
http://secunia.com/advisories/54998
http://security.gentoo.org/glsa/glsa-201309-13.xml
https://github.com/wernerd/ZRTPCPP/commit/4654f330317c9948bb61d138eb24d49690ca4637
http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00052.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00053.html
http://seclists.org/oss-sec/2013/q2/638
http://secunia.com/advisories/53818
http://secunia.com/advisories/54998
http://security.gentoo.org/glsa/glsa-201309-13.xml
https://github.com/wernerd/ZRTPCPP/commit/4654f330317c9948bb61d138eb24d49690ca4637