Bug#315532: Asterisk Manager Interface Overflow

Mark Purcell msp at debian.org
Sun Jul 31 21:48:48 UTC 2005


Bug #315532 has been raised as a grave security-related bug against 
asterisk-1.0.7, which is included in the released sarge.

It refers to a potential overflow in the Asterisk Manager Interface, which is 
not enabled by default in the Debian asterisk package.  In addition the 
Debian asterisk package is not run as root as upstream, but rather as the 
user asterisk with limited privs.

It has been pointed out that a user of the manager interface can execute 
arbitrary commands anyway, so the potential for additional privs is again 
limited even in the case that the manager interface is enabled and exploited.

My query is: does this warrant a release from the security team of the 
relevant asterisk package?  The patch is included against the bug report.

Or can we close this bug?

Mark
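The mail's mitigating factors rest on the Manager Interface being switched off in the shipped configuration. The following shell check is an added example (not part of the mail, the bug report or the Debian package) that reads an Asterisk manager.conf, reports whether the interface is enabled and, if so, whether it is bound only to loopback. It assumes the standard manager.conf layout (a `[general]` section with `enabled` and an optional `bindaddr` key); the three sample configurations it writes are constructed for the demonstration and do not come from any real installation.

```shell
#!/bin/sh
# Added example, not from the original mail: inspect an Asterisk manager.conf
# and classify the Manager Interface (AMI) exposure.
# Assumes the usual manager.conf layout: [general] with "enabled" and,
# optionally, "bindaddr" (defaults to all interfaces when absent).

# ami_status FILE -> prints one of: disabled, enabled-local, enabled-all
ami_status() {
    conf="$1"
    # Drop ';' comments, then keep only the body of the [general] section,
    # stopping at the next section header (e.g. a per-user [admin] section).
    general=$(sed 's/;.*$//' "$conf" | awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[general\]/); next }
        insec && NF { print }')
    # Pull out a key's value from the [general] body, trimming whitespace.
    enabled=$(printf '%s\n' "$general" | awk -F= \
        '$1 ~ /^[[:space:]]*enabled[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); v = $2 } END { print v }')
    bindaddr=$(printf '%s\n' "$general" | awk -F= \
        '$1 ~ /^[[:space:]]*bindaddr[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); v = $2 } END { print v }')
    case "$enabled" in
        yes|true|1) ;;
        *) echo "disabled"; return 0 ;;
    esac
    # Asterisk listens on all addresses when bindaddr is not set.
    case "${bindaddr:-0.0.0.0}" in
        127.0.0.1|::1) echo "enabled-local" ;;
        *) echo "enabled-all" ;;
    esac
}

# make_sample -> creates three constructed manager.conf files in a temp dir
# and prints the directory name (constructed samples, not real files).
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/default.conf" <<'EOF'
; Manager interface switched off, as the mail says the Debian package ships it
[general]
enabled = no
port = 5038
bindaddr = 0.0.0.0
EOF
    cat > "$dir/exposed.conf" <<'EOF'
[general]
enabled = yes ; switched on by an administrator
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = placeholder-secret
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
EOF
    cat > "$dir/local.conf" <<'EOF'
[general]
enabled = yes
bindaddr = 127.0.0.1
EOF
    echo "$dir"
}

# Stand-alone run: classify each constructed sample.
d=$(make_sample)
for f in "$d"/*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(ami_status "$f")"
done
```

Run it against a real /etc/asterisk/manager.conf with `ami_status /etc/asterisk/manager.conf`; anything other than `disabled` means the overflow discussed in the bug report is reachable by whoever can connect to the AMI port, and `enabled-all` means that includes remote hosts unless a per-user `deny`/`permit` pair or a host firewall narrows it. The check says nothing about the second mitigating factor in the mail, the service running as the unprivileged `asterisk` user, which has to be confirmed from the process list.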
