[asterisk-bugs] [Asterisk 0017908]: [patch] MeetMe PIN handling broken

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Sep 20 19:00:24 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17908 
====================================================================== 
Reported By:                kuj
Assigned To:                bbryant
====================================================================== 
Project:                    Asterisk
Issue ID:                   17908
Category:                   Applications/app_meetme
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Target Version:             1.4.38
Asterisk Version:           1.4.35 
JIRA:                       SWP-2123 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2010-08-24 20:35 CDT
Last Modified:              2010-09-20 19:00 CDT
====================================================================== 
Summary:                    [patch] MeetMe PIN handling broken
Description: 
The handling of PINs in app_meetme is broken. Users are prompted for PINs
that don't exist, and regular users can gain conference admin privileges
without a conference's admin PIN.
======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0015704 [patch] MeetMe privilege escalation in ...
====================================================================== 

---------------------------------------------------------------------- 
 (0127170) svnbot (reporter) - 2010-09-20 19:00
 https://issues.asterisk.org/view.php?id=17908#c127170 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 287760

_U  branches/1.8/
U   branches/1.8/apps/app_meetme.c

------------------------------------------------------------------------
r287760 | bbryant | 2010-09-20 19:00:24 -0500 (Mon, 20 Sep 2010) | 30 lines

Merged revisions 287759 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/branches/1.6.2

................
  r287759 | bbryant | 2010-09-20 19:58:26 -0400 (Mon, 20 Sep 2010) | 23 lines
  
  Merged revisions 287758 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.4
  
  ........
    r287758 | bbryant | 2010-09-20 19:57:08 -0400 (Mon, 20 Sep 2010) | 16 lines
    
    Fix misvalidation of meetme pins in conjunction with the 'a' MeetMe flag.
    
    When using the 'a' MeetMe flag and having a user and admin pin setup for your
    conference, using the user pin would gain you admin privileges. Also, when no
    user pin was set, an admin pin was, the 'a' MeetMe flag wasn't used, and the
    user tried to enter a conference then they were still prompted for a pin and
    forced to hit #.
    
    (closes issue https://issues.asterisk.org/view.php?id=17908)
    Reported by: kuj
    Patches:
          pins_2.patch uploaded by kuj (license 1111)
          Tested by: kuj
    
          Review: [full review board URL with trailing slash]
  ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=287760 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-09-20 19:00 svnbot         Checkin                                      
2010-09-20 19:00 svnbot         Note Added: 0127170                          
======================================================================



