On Sun, Jul 31, 2005 at 10:48:48PM +0100, Mark Purcell wrote:
> Bug #315532 has been raised as a grave security-related bug against
> asterisk-1.0.7, which is included in the released sarge.

> It refers to a potential overflow in the Asterisk Manager Interface, which is
> not enabled by default in the Debian asterisk package. In addition, the
> Debian asterisk package is not run as root as upstream, but rather as the
> user asterisk with limited privs.

An exploit that results in escalated, non-root privileges is a grave bug (as
opposed to a root escalation bug, which is critical).

> It has been pointed out that a user of the manager interface can execute
> arbitrary commands anyway, so the potential for additional privs is again
> limited even in the case that the manager interface is enabled and exploited.

But a *limited* potential for privilege escalation is still a potential for
privilege escalation. If this bug can lead to privilege escalation in a normal
use case for the package, then this ought to be treated as a security bug.

> My query is: does this warrant a release from the security team of the
> relevant asterisk package? The patch is included against the bug report.

If the patch is included in the bug report, why would we *not* want the
security team to issue a DSA for it?

-- 
Steve Langasek
postmodern programmer