| Summary: | net-misc/asterisk AEL possible security issue in switch blocks (CVE-2007-1595) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | radek, voip+disabled |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://bugs.digium.com/view.php?id=9316 | ||
| Whiteboard: | B4 [noglsa] jaervosz | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 177062 | ||
fyi this only affects asterisk 1.4.x which is not in portage (but in the voip overlay). there is a backport of AEL for asterisk 1.2.x but we do not include it in our patch set. Rajiv, do you mean that the fix is only for 1.4? AFAIR AEL has been in Asterisk for some time, at least since 1.2. (In reply to comment #2) you are correct. i originally thought this bug was only in AEL2 but it is in AEL. from http://bugs.digium.com/view.php?id=9316 > I have not touched the original AEL compiler in 1.2; it was experimental, and as per > previous statements, to resolve this bug, the user is encouraged to either > use the AEL2 patches for 1.2, or to upgrade to 1.4 or trunk. asterisk 1.2.x maintainers, please patch. fyi, links to patches at http://www.securityfocus.com/bid/23155/solution Bah, sorry for the bug spam. VOIP please provide an updated ebuild. Actually those patches are against a backported AEL2 for asterisk-1.2 which we don't ship. So i have to pull the backport, check that nothing breaks and only then patch up security-wise... Gustavo, what about putting a note in the ebuild or disable compilation of AEL perhaps? Gustavo did you decide on a course of action? Gustavo did you decide on a course of action? SUSE fixed this issue. No they didn't, i've checked their SRPM (asterisk-1.2.13-23.src.rpm for opensuse 10.2) and there's no CVE-2007-1595 patch or any other patch that touches pbx_ael.c I haven't checked the source but according to their advisory the issue is fixed. http://www.novell.com/linux/security/advisories/2007_34_asterisk.html That's what they say, but it's not fixed in 1.2.13-23 at least (which is the quoted fixed versions for 10.2 and the latest on their ftp too). Gustavo did you inform SUSE about it? gustavoz ping on comment #15 NO i didn't notify them, i haven't the slightest clue of who/where to do so. asterisk-1.2.21.1 is in, it disables pbx_ael violently (a user would have to modify the ebuild to re-enable it), warning included in pkg_postinst. Targets for stabilization are: net-misc/zaptel-1.2.18 net-libs/libpri-1.2.5 net-misc/asterisk-1.2.21.1 thanks Gustavo. Arches, please test and mark stable: net-misc/zaptel-1.2.18 (target "~amd64 ~ppc x86") net-libs/libpri-1.2.5 (target "~amd64 ~ppc x86 sparc") net-misc/asterisk-1.2.21.1 (target "~alpha ~amd64 ~hppa ~ppc sparc x86") sparc stable. x86 stable, we are last arch, changing status to glsa? Ready for GLSA vote. I tend to vote NO. voting NO as well. I also vote no. closing without glsa. Feel free to reopen if you disagree. |
From the bug report: The AEL compiler generates extensions from the "case"s in a switch{} block. A SIP user might guess one of the sw-X-.. extensions and execute dialplan code which he shouldn't be allowed to execute.