Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 200792 (CVE-2007-6170) - net-misc/asterisk <1.2.25 cdr_pgsql SQL injection (CVE-2007-6170)
Summary: net-misc/asterisk <1.2.25 cdr_pgsql SQL injection (CVE-2007-6170)
Status: RESOLVED FIXED
Alias: CVE-2007-6170
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://lists.digium.com/pipermail/ast...
Whiteboard: C3 [glsa]
Keywords:
: 199268 212306 (view as bug list)
Depends on: 213883
Blocks:
  Show dependency tree
 
Reported: 2007-11-29 22:54 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2008-04-14 22:32 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-11-29 22:54:14 UTC
From: Asterisk Security Team <security@asterisk.org>
Date: Thu, 29 Nov 2007 16:10:53 -0600
Subject: [asterisk-announce] Asterisk 1.4.15 and 1.2.25 Released

The Asterisk.org development team has released Asterisk versions 1.4.15 and
1.2.25.  These releases contain two fixes for security issues.

http://downloads.digium.com/pub/asa/AST-2007-025.pdf
 * This is a SQL injection vulnerability in the res_config_pgsql module.
Default installations of Asterisk are not affected.  However, any system using
the Postgres Realtime Engine may be remotely exploitable.  This issue only
affects Asterisk 1.4, as this module was not in Asterisk 1.2.

http://downloads.digium.com/pub/asa/AST-2007-026.pdf
 * This is another SQL injection vulnerability.  The input for the ANI and DNIS
fields were not properly escaped.  Default installations of Asterisk are not
vulnerable.  However, systems that use the Postgres CDR logging module may be
remotely exploitable.  This issue affects both Asterisk 1.2 and 1.4.

Both releases are available on http://downloads.digium.com.

Thank you very much for your support!
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-11-29 22:55:18 UTC
*** Bug 199268 has been marked as a duplicate of this bug. ***
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-11-29 23:19:32 UTC
               Asterisk Project Security Advisory - AST-2007-026

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SQL Injection issue in cdr_pgsql                |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | SQL Injection                                   |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Authenticated Sessions                   |
   |----------------------+-------------------------------------------------|
   |       Severity       | Moderate                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Tilghman Lesher <tlesher AT digium DOT com>     |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 29, 2007                               |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Tilghman Lesher <tlesher AT digium DOT com>     |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2007-6170                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Input buffers were not properly escaped when providing   |
   |             | the ANI and DNIS strings to the Call Detail Record       |
   |             | Postgres logging engine. An attacker could potentially   |
   |             | compromise the administrative database containing users' |
   |             | usernames and passwords used for SIP authentication,     |
   |             | among other things.                                      |
   |             |                                                          |
   |             | This module is not active by default and must be         |
   |             | configured for use by the administrator. Default         |
   |             | installations of Asterisk are not affected.              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Workaround | Convert your installation to use cdr_odbc with the        |
   |            | PgsqlODBC driver. This module provides similar            |
   |            | functionality but is not vulnerable.                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |    Resolution    | Upgrade to Asterisk release 1.4.15 or higher.       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            |   Release   |                          |
   |                               |   Series    |                          |
   |-------------------------------+-------------+--------------------------|
   |     Asterisk Open Source      |    1.0.x    | All versions             |
   |-------------------------------+-------------+--------------------------|
   |     Asterisk Open Source      |    1.2.x    | 1.2.24 and previous      |
   |-------------------------------+-------------+--------------------------|
   |     Asterisk Open Source      |    1.4.x    | 1.4.14 and previous      |
   |-------------------------------+-------------+--------------------------|
   |   Asterisk Business Edition   |    A.x.x    | All versions             |
   |-------------------------------+-------------+--------------------------|
   |   Asterisk Business Edition   |    B.x.x    | B.2.3.3 and previous     |
   |-------------------------------+-------------+--------------------------|
   |   Asterisk Business Edition   |    C.x.x    | C.1.0-beta5 and previous |
   |-------------------------------+-------------+--------------------------|
   |          AsteriskNOW          | pre-release | None                     |
   |-------------------------------+-------------+--------------------------|
   | Asterisk Appliance Developer  |    0.x.x    | None                     |
   |              Kit              |             |                          |
   |-------------------------------+-------------+--------------------------|
   |  s800i (Asterisk Appliance)   |    1.0.x    | None                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                  |          Release           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.2.25           |
   |-------------------------------------------+----------------------------|
   |           Asterisk Open Source            |           1.4.15           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |          B.2.3.4           |
   |-------------------------------------------+----------------------------|
   |         Asterisk Business Edition         |        C.1.0-beta6         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2007-026.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2007-026.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date      |       Editor       |          Revisions Made          |
   |----------------+--------------------+----------------------------------|
   | 2007-11-29     | Tilghman Lesher    | Initial release                  |
   |----------------+--------------------+----------------------------------|
   | 2007-11-29     | Tilghman Lesher    | Added CVE, ABE C version         |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-026
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-30 00:45:41 UTC
Thanks for the report. voip, please advise.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 01:39:22 UTC
voip, please provide an updated ebuild.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-14 15:51:43 UTC
(In reply to comment #4)
> voip, please provide an updated ebuild.
> 

*ping*
Comment 6 Vieri 2007-12-28 10:43:58 UTC
1.2.26 Released
http://www.asterisk.org/node/48438
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2008-03-04 19:13:46 UTC
*** Bug 212306 has been marked as a duplicate of this bug. ***
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2008-03-04 19:14:07 UTC
Updated ebuild available on Bug 212306
Comment 9 Vieri 2008-03-16 20:34:56 UTC
Previous ebuild in bug report 212306 did not emerge correctly with bristuff.
I setup a test box and now it emerges fine with/without bri/backports, etc.
If someone gets errors while emerging then please let me know.
Comment 10 Vieri 2008-03-19 09:18:55 UTC
asterisk 1.2.27 has been released:
http://bugs.gentoo.org/show_bug.cgi?id=212306
Comment 11 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-03-23 08:33:29 UTC
net-misc/asterisk-1.2.27 in cvs.
target keywords are amd64 sparc x86.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-03-23 11:06:18 UTC
stabling on bug 213883.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-29 20:18:22 UTC
Two YES on bug 213883.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 22:32:01 UTC
GLSA 200804-13