Bug#623775: asterisk: AST-2011-006: Check for "system" privilege in the manager interface

Tzafrir Cohen tzafrir at cohens.org.il
Fri Apr 22 21:15:33 UTC 2011


Package: asterisk
Version: 1:1.6.2.9-2+squeeze2
Justification: user security hole
Severity: grave
Tags: security upstream patch

The 'system' write privilege is required for Asterisk Manager
Interface actions that may result in aexecution of an arbitrary shell
command. However:

* This was not properly tested for asynchronous events
* A previous fix of the logic of this test was not applied in the
  Squeeze version.

Upstream also applied a similar fix in 1.4 but 1.4 (e.g. the version in
Lenny) did not include the test for the 'system' write permission in the
first place and hence such a fix can break existing systems.

Also note that access to the Manager Interface requires authentication.

-- 
Tzafrir Cohen         | tzafrir at jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir at cohens.org.il |                    |  best
tzafrir at debian.org    |                    | friend





More information about the Pkg-voip-maintainers mailing list