Bug#315532: And Sarge?

Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 315532@bugs.debian.org
Sat, 2 Jul 2005 18:28:33 +0200

Hello Tzafrir,
(I re-added the bug log)
On Sat, Jul 02, 2005 at 03:05:22PM +0300, Tzafrir Cohen wrote:
> On Sat, Jul 02, 2005 at 07:57:44AM +0200, Helge Kreutzmann wrote:
> > Please keep this bug open until a DSA for sarge has been issued.
> > Thanks.
> >
> > Greetings
>
> What is it exactly you want to fix?!

I read "Justification: user security hole" and "An exploitable
security problem has been found". This indicates to me that there is
a serious security problem. Since the version in stable seems
vulnerable, I added this as a reminder to be fixed.

> Are you stupid enough to give any untrusted user the ability to execute
> arbitrary CLI commands? If so, even after the fix, that user will be

Sorry, are you talking with me?

> able to execute '!sh' or '!rm -rf /var/spool/asterisk/voicemail' even
> after you've applied this fix.
>
> Please go over the changelogs of 1.0.8 and review those changes. I
> believe that there were some more relevant stability-related changes
> there.

Ok, if I understand you correctly, then this is really a non-issue,
because the user can use his elevated privileges to create havoc
anyway.

Please note, that I do not use asterisk (currently) but I see a
tendency for security related bugs to get fixed in unstable, but not
in stable. So this reopening was a reminder. If you say this was no
real security issue, fine. But the report, rated grave (not serious!),
the reply by Santiago (talking about exploitation).

Also there is the remark regarding this issue by Mark, who agrees that
a DSA should be issued.

Please do not take re-openings as a personal issue. A polite
explanation that the bug submitter made a mistake by rating it grave,
and explaining (as you did) that the severity is so low that no
DSA for stable needs to be made, would be fine.

Greetings

         Helge

--
Dr. Helge Kreutzmann, Dipl.-Phys.           Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
          Help keep free software "libre": http://www.ffii.de/