Bug#315532: asterisk: Buffer overflow in command line parser
Mark Purcell
Mark Purcell <msp@debian.org>, 315532@bugs.debian.org
Sat, 2 Jul 2005 07:29:14 +0100
On Thursday 23 June 2005 10:38, Moritz Muehlenhoff wrote:
> | If the command string is specifically crafted, it is possible to use
> | this stack overflow to execute arbitrary code on the Asterisk system.
> | The resulting execution is (typically) run with root privileges.
Upstream the asterisk package is run as root. By default the Debian GNU/Linux
package of asterisk is run as user asterisk with limited privileges, so the
severity of this exploit is not as extreme.
In addition, the Debian GNU/Linux version of asterisk does not start the CLI
interface by default.
Still the patch should go into sarge, via the security team.
Mark
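The two mitigations Mark relies on (asterisk not running as root, and the console CLI not being started) are things an administrator can verify on a deployed box. The script below is an added example, not part of the bug report or of the Debian package: it audits a `ps -eo user,args` style listing for asterisk processes owned by root or started with asterisk's `-c` (console CLI) flag. The two listings are constructed samples, not captured from a real system; the `-U`/`-G` arguments in the Debian sample are only there to make the listing realistic.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a `ps -eo user,args` listing
# for asterisk processes that (a) run as root or (b) were started with the
# console CLI (`-c`). Listings are read from stdin so the checks run offline.

# Returns 0 if any asterisk process in the listing runs as root, 1 otherwise.
asterisk_as_root() {
    awk '$1 == "root" && $2 ~ /(^|\/)asterisk$/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Returns 0 if any asterisk process was started with -c (console CLI), 1 otherwise.
asterisk_with_console() {
    awk '$2 ~ /(^|\/)asterisk$/ {
             for (i = 3; i <= NF; i++) if ($i == "-c") found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Constructed sample listings (not captured from a real system).
# Upstream-style deployment: root-owned daemon with the console CLI enabled.
SAMPLE_UPSTREAM='USER     COMMAND
root     /usr/sbin/asterisk -c -vvv
root     /bin/sh /etc/init.d/asterisk start'

# Debian-style deployment: unprivileged user, no console CLI.
SAMPLE_DEBIAN='USER     COMMAND
asterisk /usr/sbin/asterisk -U asterisk -G asterisk
root     /usr/sbin/sshd'

# audit LISTING: prints findings; returns 0 if exposed, 1 if mitigated.
audit() {
    exposed=1
    if printf '%s\n' "$1" | asterisk_as_root; then
        echo "asterisk runs as root: a CLI parser overflow would give root"
        exposed=0
    fi
    if printf '%s\n' "$1" | asterisk_with_console; then
        echo "console CLI is enabled (-c): the vulnerable parser is reachable"
        exposed=0
    fi
    [ "$exposed" -eq 0 ] || echo "asterisk is unprivileged and the console CLI is off"
    return "$exposed"
}

# On a live system: ps -eo user,args | asterisk_as_root; and audit "$(ps -eo user,args)"
```

Running `audit "$SAMPLE_UPSTREAM"` reports both findings and returns 0; `audit "$SAMPLE_DEBIAN"` reports neither and returns 1. Note that an unprivileged daemon only limits what an overflow in the command parser can reach; the patch is still needed.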