[Asterisk-Users] Security Vulnerability in Asterisk
Jim Rosenberg
jr at amanue.com
Mon Jun 28 12:51:56 MST 2004
The following is pasted from SecurityFocus Newsletter #254:
-------------------------
Asterisk PBX Multiple Logging Format String Vulnerabilities
BugTraq ID: 10569
Remote: Yes
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10569
Summary:
It is reported that Asterisk is susceptible to format string
vulnerabilities in its logging functions.
An attacker may use these vulnerabilities to corrupt memory, and read or
write arbitrary memory. Remote code execution is likely possible.
Due to the nature of these vulnerabilities, there may exist many different
avenues of attack. Anything that can potentially call the logging functions
with user-supplied data is vulnerable.
Versions 0.7.0 through to 0.7.2 are reported vulnerable.
-------------------------
What is the status of CVS-current with respect to this?
I don't remember seeing any discussion of this issue here; apologies if I
missed it.
More information about the asterisk-users
mailing list