Bug#315532: Asterisk Manager Interface Overflow
Steve Langasek
vorlon at debian.org
Sun Jul 31 23:02:50 UTC 2005
On Sun, Jul 31, 2005 at 10:48:48PM +0100, Mark Purcell wrote:
> Bug #315532 has been raised as a grave security-related bug against
> asterisk-1.0.7, which is included in the released sarge.
> It refers to a potential overflow in the Asterisk Manager Interface, which is
> not enabled by default in the Debian asterisk package. In addition the
> Debian asterisk package is not run as root as upstream, but rather as the
> user asterisk with limited privs.
An exploit that results in escalated, non-root privileges is a grave bug (as
opposed to a root escalation bug, which is critical).
> It has been pointed out that a user of the manager interface can execute
> arbitrary commands anyway, so the potential for additional privs is again
> limited even in the case that the manager interface is enabled and exploited.
But a *limited* potential for privilege escalation is still a potential for
privilege escalation. If this bug can lead to privilege escalation in a
normal use case for the package, then this ought to be treated as a security
bug.
> My query is does this warrant a release from the security team of the
> relevant asterisk package? The patch is included against the bug report.
If the patch is included in the bug report, why would we *not* want the
security team to issue a DSA for it?
--
Steve Langasek
postmodern programmer