Bug#315532: Asterisk Manager Interface Overflow

Martin Schulze joey at infodrom.org
Wed Apr 26 14:55:47 UTC 2006


Mark Purcell wrote:
> Bug #315532 has been raised as a grave security-related bug against 
> asterisk-1.0.7, which is included in the released sarge.
> 
> It refers to a potential overflow in the Asterisk Manager Interface, which is 
> not enabled by default in the Debian asterisk package.  In addition the 
> Debian asterisk package is not run as root as upstream, but rather as the 
> user asterisk with limited privs.
> 
> It has been pointed out that a user of the manager interface can execute 
> arbitrary commands anyway, so the potential for additional privs is again 
> limited even in the case that the manager interface is enabled and exploited.
> 
> My query is: does this warrant a release from the security team of the 
> relevant asterisk package?  The patch is included against the bug report.

No.  With regards to sarge, there is no bug to fix since executing
arbitrary commands is the feature.  There doesn't seem to be privilege
escalation.  In my opinion the bug report can be closed.

Regards,

	Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.
