Bug#610487: asterisk: AST-2011-001: buffer overflow in caller ID URI encoding

Moritz Mühlenhoff jmm at inutil.org
Tue Jan 25 20:28:40 UTC 2011

On Tue, Jan 18, 2011 at 11:36:01PM +0000, Tzafrir Cohen wrote:
> Package: asterisk
> Version: 1:
> Justification: user security hole
> Severity: grave
> Tags: security patch upstream
> *** Please type your report below this line ***
> The Asterisk project has reported security advisory ASA-2011-011
> http://downloads.asterisk.org/pub/security/AST-2011-001.html
> (No CVE ATM)
> "When forming an outgoing SIP request while in pedantic mode, a stack
> buffer can be made to overflow if supplied with carefully crafted caller
> ID information. "
> Caller ID information may be provided by remote users. The advisory details
> potential workaround in the dialplan, but applying it varies greatly on
> different configurations.
> Issue applies both to the Lenny and Squeeze packages. For patches:
> http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8708  (Squeeze)
> http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8711  (Lenny)

What's the status of a Squeeze upload? This should be uploaded with
the minimal fix and urgency=high.


More information about the Pkg-voip-maintainers mailing list