On Wed, Oct 31, 2007 at 07:44:13PM +0100, Nico Golde wrote:
> Package: zaptel
> Severity: normal
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for zaptel.
>
> CVE-2007-5690[0]:
> | Buffer overflow in sethdlc.c in the Asterisk Zaptel 1.4.5.1 might
> | allow local users to gain privileges via a long device name (interface
> | name) in the ifr_name field.
>
> If you fix this vulnerability please also include the CVE id
> in your changelog entry.
>
> This is not really a security problem in Debian since
> sethdlc-new is not suid root so it will just segfault.
>
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5690

Note, however, that sethdlc.c does not get installed by default on Debian. The issue does seem to affect sethdlc-new. In fact, it will not even build on kernels newer than 2.4.20. sethdlc-new is not installed by default in any automated script.

Looking into this right now.

--
Tzafrir Cohen
icq#16849755 jabber:[EMAIL PROTECTED]
+972-50-7952406 mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
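
The CVE text quoted above describes a long interface name overflowing the ifr_name field. As an added example (not code from sethdlc.c or the Zaptel project), the following shows the unchecked copy pattern that produces this class of bug beside a length-checked version; the function names are hypothetical and the vulnerable form is an assumed pattern, not a quote from the source.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc exposes struct ifreq under this */
#endif
#include <errno.h>
#include <net/if.h>         /* struct ifreq, IFNAMSIZ */
#include <stdio.h>
#include <string.h>

/* Unchecked pattern (assumed, shown for contrast only): ifr_name is a
 * fixed IFNAMSIZ-byte array, so a longer argument writes past its end. */
void set_ifname_unchecked(struct ifreq *ifr, const char *name)
{
    strcpy(ifr->ifr_name, name);
}

/* Hardened form: refuse any name that does not fit with its NUL. */
int set_ifname(struct ifreq *ifr, const char *name)
{
    const char *nul;

    if (name == NULL || name[0] == '\0')
        return -EINVAL;
    /* Look for the terminator within the first IFNAMSIZ bytes only. */
    nul = memchr(name, '\0', IFNAMSIZ);
    if (nul == NULL)
        return -ENAMETOOLONG;
    memset(ifr, 0, sizeof(*ifr));   /* no stale stack bytes reach the ioctl */
    memcpy(ifr->ifr_name, name, (size_t)(nul - name) + 1);
    return 0;
}

int main(int argc, char **argv)
{
    struct ifreq ifr;
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <interface>\n", argv[0]);
        return 2;
    }
    rc = set_ifname(&ifr, argv[1]);
    if (rc != 0) {
        fprintf(stderr, "bad interface name: %s\n", strerror(-rc));
        return 1;
    }
    printf("interface name accepted: %s\n", ifr.ifr_name);
    return 0;
}
```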