The submitter sent me private mail, telling me:
- a little more explanation of how this can be exploited
- that this is exploitable in a stock installation in sarge
- that read() can overwrite part of the buffer before returning EFAULT
- that company policy forbids him from providing a working expl
forwarded 394025 http://bugs.digium.com/view.php?id=7770
tags 394025 + patch
thanks
I'm adding a reference to the upstream bug report in case you really
want to read further details of this clusterfuck.
The upstream change is simply:
--- asterisk-1.2.12.1/channels/chan_skinny.c
+++ asterisk-1.2.
Package: asterisk
Version: 1.0.7.dfsg.1-2sarge3
Severity: Critical
Tags: Security
Asterisk 1.0 and 1.2 versions up to and including 1.2.12.1 and 1.0.11 are
vulnerable to a remote, unauthenticated heap overflow leading to arbitrary
code execution as root.
New upstream releases 1.0.12 and 1.2.