[Asterisk-Dev] patch for the Asterisk Manager Interface Overflow

Tzafrir Cohen tzafrir.cohen at xorcom.com
Thu Jun 23 23:37:18 MST 2005


On Fri, Jun 24, 2005 at 01:23:44AM -0500, Santiago José Ruano Rincón wrote:
> 
> Hi,
> 
> I need the patch that fixes the Asterisk Manager Interface Overflow [0]
> against asterisk 1.0.7 to build the Debian packages. I tried to look for
> it on bugs.digium.com, the asterisk-cvs mailing list and the cvs logs, but I
> couldn't find it. Could anyone help me find it?
> 
> [0]
> http://lists.digium.com/pipermail/asterisk-security/2005-June/000032.html

If I understand correctly you want to backport fixes. Well, this one is
probably hardly worth it. It is kind of "using root to gain root"
(well, s/root/asterisk/g). A user with an ability to exploit this can
already order Asterisk to do practically anything.

OTOH, 1.0.8 has quite a few other fixes which may be worth backporting.
What are the user-visible changes of 1.0.8? How potentially
dangerous is an upgrade?

-- 
Tzafrir Cohen     icq#16849755  +972-50-7952406
tzafrir.cohen at xorcom.com  http://www.xorcom.com


