[asterisk-dev] Security Issue in Asterisk trunk IMAP_STORAGE

Russell Bryant russell at digium.com
Mon Jun 25 13:53:52 CDT 2007

A bug was fixed in IMAP_STORAGE in Asterisk trunk today in revision 71630.  The 
problem was that the function, manager_list_voicemail_users() used the function 
count_messages() to determine the number of new messages waiting for a mailbox. 
  However, this function was never defined for IMAP_STORAGE.  Also, since we use 
lazy symbol resolution for our modules, the code could still actually build 
(with a warning, which is how I found it), and load happily into Asterisk. 
However, if you used this manager command, it will make Asterisk crash.

So, if your usage of Asterisk meets this criteria, you need to update:

1) You are using Asterisk trunk between revisions 66028 (about a month ago) and 

2) You are using IMAP_STORAGE for voicemail

3) You have the manager interface enabled

Also, I did not feel an official security advisory was justified for this since 
the problem never existed in a released version.

Russell Bryant
Software Engineer
Digium, Inc.

More information about the asterisk-dev mailing list