Security bug in CAPI code; please test updates
Ben Hutchings
ben at decadent.org.uk
Wed Feb 21 21:27:30 UTC 2007
There is a potential buffer overflow in logging of CAPI messages in
libcapi20 (part of isdnutils; bug 408530). The same broken code from
libcapi20 is present in the Linux kernel (bug 411294). Also, the
affected functions are not thread-safe and are unlikely to be made so
without API changes; multithreaded programs calling them must use a
mutex to avoid another security flaw; (such as asterisk-chan-capi; bug
411293).
I have prepared updates of asterisk-chan-capi and isdnutils for sarge
and sid but I have no ISDN hardware to test them with. I would
appreciate it if users of these packages would test the updates and
report their results to the associated bugs.
The patches can be found attached to the bug reports. Updated packages
are at:
deb http://womble.decadent.org.uk/debian/ distribution/
deb-src http://womble.decadent.org.uk/debian/ distribution/
(the repository is signed with my personal GPG key).
Ben.
--
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption] would be
development of an easy way to factor large prime numbers. - Bill Gates
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20070221/018d69a2/attachment.pgp
More information about the Pkg-voip-maintainers
mailing list