Bug 313341 (CVE-2010-1224) - net-misc/asterisk: remote host access control bypass (CVE-2010-1224)
Summary: net-misc/asterisk: remote host access control bypass (CVE-2010-1224)
Status: RESOLVED FIXED
Alias: CVE-2010-1224
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-06 03:59 UTC by Stefan Behte (RETIRED)
Modified: 2010-04-11 14:02 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 03:59:46 UTC
CVE-2010-1224 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1224):
  main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x
  before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce
  remote host access controls when CIDR notation "/0" is used in
  permit= and deny= configuration rules, which causes an improper
  arithmetic shift and might allow remote attackers to bypass ACL rules
  and access services from unauthorized hosts.
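The defect class the CVE text describes (an "improper arithmetic shift" for a "/0" prefix) is the familiar C pitfall of building a 32-bit netmask as `0xFFFFFFFF << (32 - prefix)`: for prefix 0 that shifts by 32, which is undefined behaviour, and on x86 the shift count is masked so the result silently becomes the /32 mask, turning a "deny everything" rule into a rule that matches a single host. The following is an added example, not Asterisk's code and not the fix shipped in 1.6.x: it shows a prefix-to-mask conversion that handles /0 and rejects out-of-range prefixes, plus a small permit/deny matcher so the effect of a correct /0 rule can be checked. The list semantics assumed here (rules evaluated in order, last match wins, unmatched addresses permitted) and the rule/host values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Convert a CIDR prefix length to a host-order IPv4 netmask.
 * "mask << 32" is undefined in C, and on x86 the shift count is taken
 * modulo 32, so a naive "0xFFFFFFFF << (32 - prefix)" yields the /32 mask
 * for prefix 0. Handle /0 explicitly and reject prefixes outside 0..32. */
static int cidr_prefix_to_mask(int prefix, uint32_t *mask)
{
    if (prefix < 0 || prefix > 32)
        return -1;
    *mask = (prefix == 0) ? 0u : (0xFFFFFFFFu << (32 - prefix));
    return 0;
}

/* One ACL entry: network and mask in host byte order, plus the verdict. */
struct acl_rule {
    uint32_t net;
    uint32_t mask;
    int permit;   /* 1 = permit, 0 = deny */
};

/* Parse "a.b.c.d/n" into a rule. Returns -1 on malformed input
 * (missing slash, bad address, non-numeric or out-of-range prefix). */
static int parse_rule(const char *spec, int permit, struct acl_rule *out)
{
    char buf[32];
    char *slash, *end;
    struct in_addr addr;
    long prefix;

    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (!slash)
        return -1;
    *slash = '\0';
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;
    prefix = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0')
        return -1;
    if (cidr_prefix_to_mask((int)prefix, &out->mask) != 0)
        return -1;
    out->net = ntohl(addr.s_addr) & out->mask;
    out->permit = permit;
    return 0;
}

/* Apply a rule list to a host-order address. Assumed semantics for this
 * example (not a statement about Asterisk): rules are checked in order,
 * the last matching rule wins, and an address matched by no rule is
 * permitted. Returns 1 for permit, 0 for deny. */
static int acl_permits(const struct acl_rule *rules, size_t n, uint32_t addr)
{
    int verdict = 1;
    for (size_t i = 0; i < n; i++)
        if ((addr & rules[i].mask) == rules[i].net)
            verdict = rules[i].permit;
    return verdict;
}

/* Dotted-quad string to host-order integer; 0 on parse failure. */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* Constructed "deny everything, then permit the LAN" list. With a correct
 * /0 mask the first rule matches every address; with the shift defect it
 * would match only 0.0.0.0 and every non-LAN host would be permitted.
 * Returns 1 (permit), 0 (deny) or -1 if a rule fails to parse. */
static int demo_lan_only(const char *client)
{
    struct acl_rule rules[2];
    if (parse_rule("0.0.0.0/0", 0, &rules[0]) != 0)
        return -1;
    if (parse_rule("192.168.1.0/24", 1, &rules[1]) != 0)
        return -1;
    return acl_permits(rules, 2, ip4(client));
}

int main(void)
{
    const char *hosts[] = { "192.168.1.42", "10.0.0.7", "203.0.113.5" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s -> %s\n", hosts[i],
               demo_lan_only(hosts[i]) ? "permit" : "deny");
    return 0;
}
```

Running it prints "permit" for the LAN host and "deny" for the two others; the check that matters for this bug is that `cidr_prefix_to_mask(0, ...)` yields 0, not 0xFFFFFFFF.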
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2010-04-06 08:16:19 UTC
+  06 Apr 2010; <chainsaw@gentoo.org> -asterisk-1.6.1.17.ebuild,
+  -asterisk-1.6.2.5.ebuild:
+  Removing vulnerable ebuilds for CVE-2010-1224 / AST-2010-003 (Remote host
+  access control bypass) as requested by Stefan "Craig" Behte
+  <craig@gentoo.org> in security bug #313341.

Voting no for GLSA; stable Asterisk (1.2 branch) is not affected. No upgrades will have to be forced as the secure versions have been in the tree since March 15 (1.6.2) / March 16 (1.6.1).
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 16:07:53 UTC
No, too.
We never had 1.6.x stable, closing NOGLSA.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:02:38 UTC
CVE-2010-1224 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1224):
  main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x
  before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce
  remote host access controls when CIDR notation "/0" is used in
  permit= and deny= configuration rules, which causes an improper
  arithmetic shift and might allow remote attackers to bypass ACL rules
  and access services from unauthorized hosts.