Bug#315532: asterisk: Buffer overflow in command line parser

From: Mark Purcell <msp@debian.org>
To: 315532@bugs.debian.org
Sat, 2 Jul 2005 07:29:14 +0100


On Thursday 23 June 2005 10:38, Moritz Muehlenhoff wrote:
> | If the command string is specifically crafted, it is possible to use
> | this stack overflow to execute arbitrary code on the Asterisk system.
> | The resulting execution is (typically) run with root privileges.

Upstream, the asterisk package is run as root. By default, the Debian GNU/Linux 
package of asterisk is run as user asterisk with limited privileges, so the 
severity of this exploit is not as extreme.

In addition, by default the Debian GNU/Linux version of asterisk does not start 
the CLI interface.

Still the patch should go into sarge, via the security team.

Mark