Bug#666944: [Secure-testing-team] Bug#666944: asterisk: Buffer overflow vulnerability

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Apr 3 11:55:52 UTC 2012


On Mon, Apr 02, 2012 at 10:50:07PM +0100, Jonathan Wiltshire wrote:
> On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
> > Package: asterisk
> > Version: 1:1.6.2.9-2+squeeze4
> > Severity: grave
> > Tags: security squeeze
> > Justification: user security hole
> > 
> > Per:
> > 
> > http://downloads.asterisk.org/pub/security/AST-2012-002.txt
> > 
> > the asterisk in squeeze is vulnerable to a buffer overflow.
> 
> Security team: the tracker says not-affected (Vulnerable code not present);
> this seems not to be the case but the default configuration protects from
> this vulnerability. I will take it on as a no-dsa if you wish.
> 
> John: on that basis, do you agree the severity should be reduced (probably
> to important)?

The default configuration is not too big a consideration with the Asterisk
dialplan. That said, the said dialplan application is also not commonly
used.

The Squeeze branch in the SVN includes the fix. As well as, ahem, the patch
for #651552 which was accidentally left out of the previous upload. No
idea how I failed to notice that.

http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/

> 
> 
> > The package in testing may also be vulnerable to:
> > 
> > http://downloads.asterisk.org/pub/security/AST-2012-003.txt
> 
> Currently it is. I have suggested to the release team that they age the
> version in sid to get the fix into testing.

Not applicable to Squeeze: the code in question is new to 1.8 (and not
backported in any patch we carry).

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir

More information about the Pkg-voip-maintainers mailing list