CVE-2013-2222

Name of the Vulnerable Software and Affected Versions libzrtpcpp versions prior to 3.2.0 libzrtpcpp versions prior to 2.3.4

Description The issue affects the libzrtpcpp package in Gentoo Linux and GNU ZRTPCPP, allowing remote attackers to exploit multiple stack-based buffer overflows. This can lead to a denial of service (crash) and possibly the execution of arbitrary code via crafted ZRTP Hello packets to specific functions, including ZRtp::findBestSASType, ZRtp::findBestAuthLen, ZRtp::findBestCipher, ZRtp::findBestHash, and ZRtp::findBestPubKey. The exploitation of these vulnerabilities can result in the disruption of confidentiality, integrity, and availability of protected information.

Recommendations For versions prior to 3.2.0, update to version 3.2.0 or later to resolve the issue. For versions prior to 2.3.4, update to version 2.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the ZRtp::findBestSASType, ZRtp::findBestAuthLen, ZRtp::findBestCipher, ZRtp::findBestHash, and ZRtp::findBestPubKey functions until a patch is available.