Bug#338116: CVE assignment

Martin Schulze joey at infodrom.org
Wed Apr 26 15:37:41 UTC 2006 

Moritz Muehlenhoff wrote:
> This has been assigned CVE-2005-3559, please mention it in the
> changelog when fixing it.

The attached patch fixes this problem.

This problem is also fixed in the Debian package 1.2.7.1.dfsg-2.

Regards,

	Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_CVE-2005-3559.dpatch by Joey Schulze <joey at debian.org>
##
## DP: Description Directory traversal vulnerability in vmail.cgi in
## DP: Asterisk 1.0.9 through 1.2.0-beta1 allows remote attackers to
## DP: access WAV files via a .. (dot dot) in the folder parameter.

@DPATCH@
diff -u -p -Nr --exclude CVS asterisk-1.0.7.dfsg.1.orig/contrib/scripts/vmail.cgi asterisk-1.0.7.dfsg.1/contrib/scripts/vmail.cgi
--- asterisk-1.0.7.dfsg.1.orig/contrib/scripts/vmail.cgi	2004-09-15 07:11:41.000000000 +0200
+++ asterisk-1.0.7.dfsg.1/contrib/scripts/vmail.cgi	2006-04-26 17:31:30.000000000 +0200
@@ -70,6 +70,19 @@ _EOH
 
 }
 
+sub untaint() {
+
+	my($data) = @_;
+
+	if ($data =~ /^([-\@\w.]+)$/) {
+		$data = $1;
+	} else {
+		die "Security violation.";
+	}
+
+	return $data;
+}
+
 sub check_login()
 {
 	local ($filename, $startcat) = @_;
@@ -489,14 +502,15 @@ _EOH
 sub message_audio()
 {
 	my ($forcedownload) = @_;
-	my $folder = param('folder');
-	my $msgid = param('msgid');
-	my $mailbox = param('mailbox');
-	my $context = param('context');
+	my $folder = &untaint(param('folder'));
+	my $msgid = &untaint(param('msgid'));
+	my $mailbox = &untaint(param('mailbox'));
+	my $context = &untaint(param('context'));
 	my $format = param('format');
 	if (!$format) {
 		$format = &getcookie('format');
 	}
+	&untaint($format);
 	my $path = "/var/spool/asterisk/voicemail/$context/$mailbox/$folder/msg${msgid}.$format";
 
 	$msgid =~ /^\d\d\d\d$/ || die("Msgid Liar ($msgid)!");
@@ -865,6 +879,8 @@ sub message_forward()
 	}
 	$msgcount = &msgcount($context, $newmbox, "INBOX");
 	my $txt;
+	$context = &untaint($context);
+	$newmbox = &untaint($newmbox);
 	if ($newmbox ne $mbox) {
 #		print header;
 		foreach $msg (@msgs) {
@@ -900,6 +916,9 @@ sub message_delete_or_move()
 		$context = "default";
 	}
 	my $passwd = param('password');
+	$context = &untaint($context);
+	$mbox = &untaint($mbox);
+	$folder = &untaint($folder);
 	my $msgcount = &msgcount($context, $mbox, $folder);
 	my $omsgcount = &msgcount($context, $mbox, $newfolder) if $newfolder;
 #	print header;

More information about the Pkg-voip-maintainers mailing list