destar exploit

Alejandro Rios alejandro.rios at avatar.com.co
Wed Nov 18 21:28:15 UTC 2009


Hello.

Regarding this issue (#522123), the upstream (which I'm part of) never came
out with a better patch, so I propose this one:

http://svn.debian.org/wsvn/pkg-voip/destar/trunk/debian/patches/fixCVE-2008-6539.dpatch?rev=7821&sc=1

I'm not sure of what to do with this package. Upstream development is
stalled, but promises new releases soon. Meanwhile, the debian package is
still out there.

I'd like some advice on this one, please.

Thank you

Alejandro.

2009/6/17 Steffen Joeris <steffen.joeris at skolelinux.de>

> Hi Alejandro
>
> > > 3. I'm not sure of an optimal way to avoind junk injection, so I though
> > > of strings containing 'Cfg' which could lead to adding config objects
> as
> > > the exploit suggest.
> >
> > I think the proper way would be to just make sure everything that is
> > written into the conffile ends with " and a , . If these signs are
> included
> > in the parameters, then they should probably be escaped and thus not
> > interpreted as ending the paramter or completely excluded. The problem is
> > that if they are escaped, the escaping sign is probably interpreted as a
> > part of the parameter, right? Otherwise, I'd suggest to blacklist these
> > signs and maybe give out an error.
> > How does that sound? Granted it is not the optimal solution, but I kind
> of
> > fail to come up with something more robust to be honest.
> Any word on that?
>
> cheers
> Steffen
>
>


-- 
Alejandro Rios Peña
Avatar Ltda.
http://www.avatar.com.co
Tel. (571) 742 7070
Calle 86 # 49c-42
Bogotá D.C.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20091118/efd1e04f/attachment.htm>


More information about the Pkg-voip-maintainers mailing list