Bug#623775: asterisk: AST-2011-006: Check for "system" privilege in the manager interface
Tzafrir Cohen
tzafrir at cohens.org.il
Fri Apr 22 21:15:33 UTC 2011
Package: asterisk
Version: 1:1.6.2.9-2+squeeze2
Justification: user security hole
Severity: grave
Tags: security upstream patch
The 'system' write privilege is required for Asterisk Manager
Interface actions that may result in execution of an arbitrary shell
command. However:
* This was not properly tested for asynchronous events
* A previous fix of the logic of this test was not applied in the
Squeeze version.
Upstream also applied a similar fix in 1.4 but 1.4 (e.g. the version in
Lenny) did not include the test for the 'system' write permission in the
first place and hence such a fix can break existing systems.
Also note that access to the Manager Interface requires authentication.
--
Tzafrir Cohen | tzafrir at jabber.org | VIM is a Mutt's best friend
http://tzafrir.org.il
tzafrir at cohens.org.il
tzafrir at debian.org
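An added defender-side check, not part of the report or of the Asterisk project: a Python script that parses a manager.conf-style file and lists which AMI accounts hold the 'system' write privilege, directly or through 'all', i.e. the accounts for which the missing check described above matters. The configuration text, account names and secrets are constructed sample values.

```python
import configparser
from typing import Dict, List

# Constructed sample manager.conf (example values only, not a real deployment).
SAMPLE_MANAGER_CONF = """
[general]
enabled = yes
bindaddr = 127.0.0.1

[monitor]
secret = example-only
read = call,log,verbose
write = call

[ops]
secret = example-only
read = all
write = system,call,originate

[legacy]
secret = example-only
write = all
"""


def write_privileges(conf_text: str) -> Dict[str, List[str]]:
    """Return {account: sorted write privileges} for every non-[general] section."""
    # Asterisk's "key = value" under "[section]" parses with configparser;
    # strict=False tolerates repeated keys, interpolation=None keeps '%' literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for account in cp.sections():
        if account == "general":
            continue
        raw = cp.get(account, "write", fallback="")
        perms = {p.strip().lower() for p in raw.split(",") if p.strip()}
        result[account] = sorted(perms)
    return result


def accounts_with_system_write(conf_text: str) -> List[str]:
    """Accounts that can reach shell-executing AMI actions: 'system' or 'all' write."""
    return sorted(
        account
        for account, perms in write_privileges(conf_text).items()
        if "system" in perms or "all" in perms
    )


if __name__ == "__main__":
    for account in accounts_with_system_write(SAMPLE_MANAGER_CONF):
        print(f"{account}: holds 'system' write privilege, review whether it is needed")
```

Run it against a real manager.conf to see which accounts warrant review; accounts not listed cannot trigger the shell-executing actions even on an unpatched 1.6.2.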