** DISPUTED ** The WebRTC component in the Signal Private Messenger application through 4.47.7 for Android processes videoconferencing RTP packets before a callee chooses to answer a call, which might make it easier for remote attackers to cause a denial of service or possibly have unspecified other impact via malformed packets. NOTE: the vendor plans to continue this behavior for performance reasons unless a WebRTC design change occurs.

Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a victim's Signal phone and disclose the currently used DNS server due to ICE Candidate handling before the call is answered or declined.

Wire before allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.

Wire-avs is the audio visual signaling (AVS) component of Wire, an open-source messenger. A remote format string vulnerability in versions prior to 7.1.12 allows an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 7.1.12. There are currently no known workarounds.