net-misc/asterisk-0.7.2 should be removed from portage. See also bug #49393 (version 0.9.0 should probably just be marked stable and all other versions removed).

http://www.securityfocus.com/bid/10569
Asterisk PBX Multiple Logging Format String Vulnerabilities

bugtraq id: 10569
object:
class: Input Validation Error
cve: CVE-MAP-NOMATCH
remote: Yes
local: No
published: Jun 18, 2004
updated: Jun 18, 2004
vulnerable: Asterisk Asterisk 0.7.0, Asterisk Asterisk 0.7.1, Asterisk Asterisk 0.7.2
not vulnerable: Asterisk Asterisk 0.9.0

It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions. An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible.

Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable.

Versions 0.7.0 through to 0.7.2 are reported vulnerable. A proof-of-concept exploit was provided.
http://www.securityfocus.com/data/vulnerabilities/exploits/asterisk_fmt_string.pl

It is reported that version 0.9.0 is not vulnerable to these vulnerabilities. All affected users are urged to upgrade.

Credit: kfinisterre@secnetops.com disclosed these vulnerabilities.
voip/stkn: Can we get a patched version in portage?
0.9.0 is in portage and unaffected. 0.7.2 should be removed. This is probably ready for a GLSA (or for no GLSA as this is ~)
GLSA drafted, but I would like to have external confirmation of this. I find no information about this on Asterisk website/mailing-lists...
Nothing about that on the asterisk-dev ML.
Exploit from securityfocus w/ asterisk-0.7.2:

Jun 25 15:37:29 NOTICE[65541]: chan_iax.c:3868 socket_read: Rejected connect attempt from 127.0.0.1, request 'exten=;callerid=;dnid=;context=;AAAABBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.;username=language=;formats=;version=;£}ÿÿ'
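The log line above shows what a format-string probe against the vulnerable logging path looks like from the defender's side: the rejected IAX request is echoed verbatim into the NOTICE line, so a run of printf conversion specifiers in the request field is directly visible in the log. The following is an added detection example, not code from this bug, from Asterisk, or from the securityfocus advisory. It parses lines in the shape of the one quoted here and flags requests that carry several conversion specifiers, or any `%n` at all. The sample log lines are constructed for the example (the first is modelled on the quoted line, the others are benign, one of them containing a harmless URL-style `%25` that must not be flagged); the line layout assumed by the regex is taken from the quoted line only.

```python
"""Flag printf-style conversion specifiers echoed into Asterisk NOTICE lines.

Added detection example (not Asterisk code). It assumes the log layout of the
line quoted in this bug: '<ts> NOTICE[<pid>]: <file>:<line> <func>: Rejected
connect attempt from <ip>, request '<raw request>''.
"""
import re

# Constructed sample log. Line 1 is modelled on the line quoted in the bug
# (10 "%x" specifiers); lines 2 and 3 are benign; line 3 carries a "%25" that
# is not a conversion specifier and must not be flagged.
SAMPLE_LOG = """\
Jun 25 15:37:29 NOTICE[65541]: chan_iax.c:3868 socket_read: Rejected connect attempt from 127.0.0.1, request 'exten=;callerid=;dnid=;context=;AAAABBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.;username=language=;formats=;version=;'
Jun 25 15:40:02 NOTICE[65541]: chan_iax.c:3868 socket_read: Rejected connect attempt from 10.0.0.5, request 'exten=100;callerid=Bob;dnid=;context=default;username=bob;formats=;version=2;'
Jun 25 15:41:10 NOTICE[65541]: chan_iax.c:3868 socket_read: Rejected connect attempt from 10.0.0.6, request 'exten=50%25;callerid=;dnid=;context=default;username=;formats=;version=;'
"""

# Layout of the quoted NOTICE line (assumed from the single sample in the bug).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<level>[A-Z]+)\[\d+\]: (?P<src>[\w.]+:\d+) (?P<func>\w+): "
    r"Rejected connect attempt from (?P<ip>[\d.]+), request '(?P<request>.*)'$"
)

# One C printf conversion: '%', flags, width, precision, length modifier,
# conversion character. A bare "%25;" does not match because ';' is not a
# conversion character.
SPEC_RE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfFgGcspn]"
)


def parse_line(line):
    """Return the named fields of a 'Rejected connect attempt' line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_format_string_attempts(log_text, threshold=2):
    """Return one finding per line whose request field contains at least
    `threshold` conversion specifiers, or any '%n' (which would write memory)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        specs = SPEC_RE.findall(rec["request"])
        writes_memory = any(s.endswith("n") for s in specs)
        if len(specs) >= threshold or writes_memory:
            findings.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "specifiers": len(specs),
                "writes_memory": writes_memory,
                "sample": specs[:5],
            })
    return findings


if __name__ == "__main__":
    for f in find_format_string_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']}: {f['specifiers']} specifiers, "
              f"%n present: {f['writes_memory']}, e.g. {f['sample']}")
```

The threshold of two keeps a lone `%s` or `%d` typed into a caller-id field from raising an alert on its own, while `%n` is always reported because it is the specifier that turns a read primitive into a write. Run it over `/var/log/asterisk/messages` (or wherever the NOTICE lines land) and feed the `ip` field to whatever blocks or alerts in your environment.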
So what's the deal here? Are you going to move it into stable or just paste how to exploit things?

asterisk-0.2.0.ebuild:KEYWORDS="x86"
asterisk-0.5.0.ebuild:KEYWORDS="~x86"
asterisk-0.7.2.ebuild:KEYWORDS="~x86"
asterisk-0.9.0.ebuild:KEYWORDS="~x86"
I think we could safely skip the GLSA on this one. Asterisk users are probably all running version 0.9.0 anyway (in fact, most want to run the CVS version, see bug 33345). Let's just mark 0.9.0 as stable.
Removing asterisk-0.7.2 from CVS. Stabilizing asterisk-0.9.0 _after_ I'm back from LinuxTag and Munich.
*** Bug 49393 has been marked as a duplicate of this bug. ***
Will be closed without GLSA once 0.9.0 is marked stable.
Stefan: if LinuxTag is finished, could you mark 0.9.0 stable? Thanks :)
stkn removed asterisk 0.7.2 from portage and marked 0.9.0 stable. No GLSA needed. Closing.