[asterisk-dev] AST-2007-024 - Fallacious security advisory spread on the Internet involving buffer overflow in Zaptel's sethdlc application
Vadim Lebedev
vadim at mbdsys.com
Fri Nov 9 05:20:29 CST 2007
The Asterisk Development Team wrote:
> Description: This advisory is a response to a false security
> vulnerability published in several places on the Internet. Had
> Asterisk's developers been notified prior to its publication, there
> would be no need for this.
>
> There is a potential for a buffer overflow in the sethdlc
> application; however, running this application requires root access
> to the server, which means that exploiting this vulnerability gains
> the attacker no more advantage than what he already has. As such,
> this is a bug, not a security vulnerability.
>
Well,
if this sethdlc program is installed as setuid root for some reason, it
DOES represent a security risk.
Thanks
Vadim
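The disagreement above turns on one fact: whether sethdlc carries the setuid bit. The POSIX shell helper below is an added audit check, not part of the advisory or of Vadim's reply; the install path is an assumption and should be replaced with the location of the actual binary.

```shell
#!/bin/sh
# Report whether a binary (e.g. Zaptel's sethdlc) is installed setuid.
# Exit status: 0 = setuid bit set (the risky case Vadim describes),
#              1 = present but not setuid, 2 = file not found.
audit_setuid() {
    path="$1"
    [ -e "$path" ] || { printf '%s: not found\n' "$path"; return 2; }
    if [ -u "$path" ]; then
        # Owner name from ls, portable across GNU and BSD userlands.
        owner=$(ls -ld "$path" | awk '{print $3}')
        printf '%s: SETUID bit set, owner %s\n' "$path" "$owner"
        return 0
    fi
    printf '%s: not setuid (root-only as the advisory assumes)\n' "$path"
    return 1
}

# Look for a binary by name in every PATH directory plus the usual sbin
# locations and audit each copy. Exit 0 if any copy is setuid.
scan_binary() {
    name="$1"
    found=1
    for dir in $(printf '%s' "$PATH:/sbin:/usr/sbin:/usr/local/sbin" | tr ':' ' '); do
        candidate="$dir/$name"
        [ -e "$candidate" ] || continue
        if audit_setuid "$candidate"; then found=0; fi
    done
    return $found
}

# Assumed path; adjust to where Zaptel installed sethdlc on this host.
[ "${AUDIT_RUN:-0}" = 1 ] && scan_binary sethdlc
```

If the check reports the bit set, `chmod u-s` on the binary restores the root-only execution model the advisory's reasoning depends on.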