Bug#315532: marked as done (asterisk: Buffer overflow in command line parser)

Debian Bug Tracking System owner@bugs.debian.org
Fri, 01 Jul 2005 15:33:15 -0700


Your message dated Fri, 1 Jul 2005 23:32:32 +0100
with message-id <200507012332.32762.msp@debian.org>
and subject line Fwd: asterisk_1.0.9.dfsg-1_i386.changes ACCEPTED
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk: Buffer overflow in command line parser
Date: Thu, 23 Jun 2005 11:38:17 +0200
X-Debbugs-Cc: security@debian.org

Package: asterisk
Severity: grave
Tags: security
Justification: user security hole

An exploitable security problem has been found in Asterisk by Wade
Alcorn:

| There is a programming error in the function that parses commands in the
| Asterisk system. This is used by the manager interface if the user is
| allowed to submit CLI commands. The coding error can result in the
| overflow of one of the parameters of the calling function. That is, the
| command parsing function will return without error. However, the calling
| function will cause a segmentation fault.
|
| If the command string is specifically crafted, it is possible to use
| this stack overflow to execute arbitrary code on the Asterisk system.
| The resulting execution is (typically) run with root privileges.
|
| A command consisting of a recurring string of two double quotes followed
| by a tab character will induce the segmentation fault within a Call
| Manager thread.

The full advisory can be found at
http://www.bindshell.net/voip/advisory-05-013.txt

Version 1.0.8 fixes this issue.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
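
The advisory quoted in the report above describes a command parser that returns without error while a buffer belonging to its caller is overrun. As an added example (not Asterisk's code and not part of the original report), here is a quote-aware tokenizer that checks the bound before every store. The names `split_args`, `split_repeated_empty` and `MAX_ARGS`, the fixed-size argument array and the quoting rules are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8 /* constructed limit for this example */

/* Split `line` in place into at most `max` arguments. Space and tab separate
 * arguments; double quotes group text, and an empty pair "" is an empty
 * argument. Returns argc, or -1 if the line needs more than `max` slots or a
 * quote is left open, so the caller's array is never written past its end. */
int split_args(char *line, char *argv[], int max)
{
    int argc = 0;
    char *r = line, *w;

    for (;;) {
        while (*r == ' ' || *r == '\t') r++;
        if (*r == '\0') return argc;
        if (argc >= max) return -1;      /* bound checked before every store */
        argv[argc++] = w = r;
        int quoted = 0;
        while (*r && (quoted || (*r != ' ' && *r != '\t'))) {
            if (*r == '"') quoted = !quoted;   /* drop the quote character */
            else *w++ = *r;                    /* compact in place, w <= r */
            r++;
        }
        if (quoted) return -1;
        int more = (*r != '\0');
        *w = '\0';
        if (!more) return argc;
        r++;
    }
}

/* Constructed input: n repetitions of two double quotes followed by a tab. */
int split_repeated_empty(int n)
{
    char buf[3 * 64 + 1] = "";
    char *argv[MAX_ARGS];

    if (n < 0 || n > 64) return -2;
    for (int i = 0; i < n; i++) strcat(buf, "\"\"\t");
    return split_args(buf, argv, MAX_ARGS);
}

int main(void)
{
    printf("%d %d\n", split_repeated_empty(MAX_ARGS), split_repeated_empty(64));
    return 0;
}
```

The caller has to treat -1 as a rejected command rather than use a partially filled array.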

---------------------------------------
From: Mark Purcell <msp@debian.org>
To: 315532-done@bugs.debian.org,
 308885-done@bugs.debian.org
Date: Fri, 1 Jul 2005 23:32:32 +0100
Content-Type: Multipart/Mixed;
  boundary="Boundary-00=_AScxCreFlbDKEK3"
Message-Id: <200507012332.32762.msp@debian.org>
Subject: Fwd: asterisk_1.0.9.dfsg-1_i386.changes ACCEPTED

--Boundary-00=_AScxCreFlbDKEK3
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

New upstream release fixes both of these issues.

Mark

--Boundary-00=_AScxCreFlbDKEK3
Content-Type: message/rfc822;
  name="forwarded message"
Content-Transfer-Encoding: 7bit
Content-Description: Debian Installer <installer@ftp-master.debian.org>: asterisk_1.0.9.dfsg-1_i386.changes ACCEPTED
Content-Disposition: inline

From: Debian Installer <installer@ftp-master.debian.org>
To: Mark Purcell <msp@debian.org>,
 Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Date: Fri, 01 Jul 2005 18:17:10 -0400
Subject: asterisk_1.0.9.dfsg-1_i386.changes ACCEPTED


Accepted:
asterisk-config_1.0.9.dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.0.9.dfsg-1_all.deb
asterisk-dev_1.0.9.dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.0.9.dfsg-1_all.deb
asterisk-doc_1.0.9.dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.0.9.dfsg-1_all.deb
asterisk-gtk-console_1.0.9.dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-gtk-console_1.0.9.dfsg-1_i386.deb
asterisk-h323_1.0.9.dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-h323_1.0.9.dfsg-1_i386.deb
asterisk-sounds-main_1.0.9.dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.0.9.dfsg-1_all.deb
asterisk-web-vmail_1.0.9.dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.0.9.dfsg-1_all.deb
asterisk_1.0.9.dfsg-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.0.9.dfsg-1.diff.gz
asterisk_1.0.9.dfsg-1.dsc
  to pool/main/a/asterisk/asterisk_1.0.9.dfsg-1.dsc
asterisk_1.0.9.dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk_1.0.9.dfsg-1_i386.deb
asterisk_1.0.9.dfsg.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.0.9.dfsg.orig.tar.gz
Announcing to debian-devel-changes@lists.debian.org
Closing bugs: 315578 


Thank you for your contribution to Debian.

--Boundary-00=_AScxCreFlbDKEK3--