Bug#287851: asterisk: format string vulnerabilities

Jan Niehusmann <jan@debian.org>, 287851@bugs.debian.org
Thu, 30 Dec 2004 15:20:44 +0100

Package: asterisk
Severity: critical
Tags: security
Justification: possible remote security hole

As reported in http://www.sineapps.com/news.php?rssid=430, asterisk
contains code like

ast_log(LOG_VERBOSE, stuff);

This is prone to format string vulnerabilities. I did not check under
which conditions remote users are able to control the contents of the
logged strings, and therefore don't know if or how this is exploitable.
A quick grep through the sources revealed at least one very suspicious
code path (srv.c indirectly calls the code mentioned above with results
from a name server query).

This looks likely to be a serious security hole, and is easy enough to
fix. I set the severity to critical under the assumption that remote
exploits are possible.

Jan


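The pattern named in the report next to its usual fix, as an added example that is not part of the original message and not Asterisk code. `demo_log`, `log_unsafe`, `log_safe`, the `LOG_VERBOSE` value and the sample string are constructed stand-ins for a printf-style logger such as `ast_log`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_VERBOSE 2          /* constructed level value for this demo */
static char last_line[256];    /* last message the stand-in logger formatted */

/* Hypothetical printf-style logger. The format attribute makes GCC/Clang
 * check every call; with -Wformat -Wformat-security they warn whenever
 * the format argument is not a string literal. */
__attribute__((format(printf, 2, 3)))
static int demo_log(int level, const char *fmt, ...)
{
    va_list ap;
    (void)level;
    va_start(ap, fmt);
    int n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return n;
}

/* Pattern from the report: the data itself becomes the format string.
 * The warning is silenced here only so the "before" case compiles. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static const char *log_unsafe(const char *stuff)
{
    demo_log(LOG_VERBOSE, stuff);        /* '%' in stuff is interpreted */
    return last_line;
}
#pragma GCC diagnostic pop

/* Fix: constant format, data passed as an argument and copied verbatim. */
static const char *log_safe(const char *stuff)
{
    demo_log(LOG_VERBOSE, "%s", stuff);
    return last_line;
}

int main(void)
{
    /* Constructed input. "%%" is the one specifier that takes no argument,
     * so the unsafe call stays defined; any other specifier would consume
     * arguments that were never passed (undefined behaviour). */
    const char *name = "host-100%%.example";
    printf("unsafe: %s\n", log_unsafe(name));   /* one '%' is swallowed */
    printf("safe:   %s\n", log_safe(name));     /* logged unchanged */
    return strcmp(log_safe(name), name) != 0;
}
```

Building the real sources with `-Wformat -Wformat-security` reports call sites of this shape, provided the logger's prototype carries the `format` attribute.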