Package: asterisk
Version: 1:1.8.13.1~dfsg-3
Severity: important
Tags: patch
Dear Maintainer,

Bug #545272 has been closed because the fix was incorporated in 1:1.8.13.1~dfsg-2, but due to a decision by the release team as documented in /usr/share/doc/asterisk/changelog.Debian.gz the fix was reverted. The changelog says the bug would be reopened. But the bug was not re-opened as stated.

I don't understand the decision of the release team, as the issue is security relevant. Someone controlling a jabber server to which asterisk connects can make asterisk segfault. I've already stated this in Message #25 of #545272. Note that many people connect to outside servers like google talk. Contrary to the title of Bug #545272, the problem also happens when the jabber server is remote.

The issue occurs if asterisk receives buddy information from an unknown buddy and the search in the local buddy database returns a NULL pointer. The bug makes asterisk dereference that pointer and crash. This can happen with both remote and local jabber servers.

Please fix this issue as a security upgrade! And please don't make me code up an exploit.

For reference, the patch is here:
https://issues.asterisk.org/jira/secure/attachment/43441/xmpp_no_crash_with_ejabberd.patch

[Short sidenote: Bug #701505, the fix for which was also reverted in 1:1.8.13.1~dfsg-3 and for which the changelog mentions that it would be re-opened, is also still closed as of this writing; you may want to reopen it.]

Thanks.
Ralf Schlatterbeck

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages asterisk depends on:
ii  adduser                                       3.113+nmu3
ii  asterisk-config                               1:1.8.13.1~dfsg-3
ii  asterisk-core-sounds-en [asterisk-prompt-en]  1.4.22-1
ii  asterisk-core-sounds-en-gsm                   1.4.22-1
ii  asterisk-modules                              1:1.8.13.1~dfsg-3
ii  libc6                                         2.13-38
ii  libcap2                                       1:2.22-1.2
ii  libgcc1                                       1:4.7.2-5
ii  libssl1.0.0                                   1.0.1e-2
ii  libstdc++6                                    4.7.2-5
ii  libtinfo5                                     5.9-10
ii  libxml2                                       2.8.0+dfsg1-7+nmu1

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm                         2.03-1
ii  asterisk-voicemail [asterisk-voicemail-storage]  1:1.8.13.1~dfsg-3
ii  sox                                              14.4.0-3

Versions of packages asterisk suggests:
ii  asterisk-dahdi                                1:1.8.13.1~dfsg-3
ii  asterisk-dev                                  1:1.8.13.1~dfsg-3
ii  asterisk-doc                                  1:1.8.13.1~dfsg-3
pn  asterisk-ooh323                               <none>

-- no debconf information

-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: off...@runtux.com
allmenda.com member                     email: r...@allmenda.com
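As an added illustration of the failure mode the report describes (this is not code from Asterisk or from the linked patch), the following models a presence handler over a constructed local buddy table: a lookup that returns NULL for an unknown sender is logged and ignored instead of being dereferenced, and the sender JID is bounded before it is used. The roster entries, status values and function names are made up for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the local buddy database; not Asterisk's data structures. */
struct buddy {
    const char *jid;   /* bare JID of a configured buddy */
    int status;        /* last presence status applied for this buddy */
};
static struct buddy roster[] = {
    { "alice@example.invalid", 0 },
    { "bob@example.invalid",   0 },
};
#define ROSTER_LEN (sizeof roster / sizeof roster[0])
/* Look up a bare JID in the roster. Returns NULL when the JID is unknown;
 * using that result without a NULL check is the crash the report describes. */
struct buddy *find_buddy(const char *jid)
{
    for (size_t i = 0; i < ROSTER_LEN; i++)
        if (strcmp(roster[i].jid, jid) == 0)
            return &roster[i];
    return NULL;
}
/* Copy the bare JID (user@host, any /resource stripped) into out.
 * Returns 0 if it does not fit, so an oversized sender is rejected, not truncated. */
static int bare_jid(const char *jid, char *out, size_t outlen)
{
    size_t n = strcspn(jid, "/");
    if (n >= outlen)
        return 0;
    memcpy(out, jid, n);
    out[n] = '\0';
    return 1;
}

/* Handle a presence stanza: 1 = applied, 0 = unknown sender ignored, -1 = malformed.
 * A remote server can send presence for any JID, so the unknown case is handled, not dereferenced. */
int handle_presence(const char *from_jid, int status)
{
    char bare[256];
    struct buddy *b;
    if (!bare_jid(from_jid, bare, sizeof bare))
        return -1;
    b = find_buddy(bare);
    if (b == NULL) {
        fprintf(stderr, "presence from unknown buddy '%s' ignored\n", bare);
        return 0;
    }
    b->status = status;
    return 1;
}
```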