Red Hat Bugzilla – Bug 438130
CVE-2008-1333 asterisk: Format String Vulnerability in Logger and Manager (AST-2008-004)
Last modified: 2008-03-31 05:35:24 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1333 to the following vulnerability:
Asterisk Project Security Advisory - AST-2008-004
Logging messages displayed using the ast_verbose logging API call are not
displayed as a character string; they are displayed as a format string.
Output as a result of the Manager command “command” is not appended to the
resulting response message as a character string, it is appended as a format
It is possible in both instances for an attacker to provide a formatted string
as a value for input which can cause a crash.
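The advisory describes the classic format-string defect: text that came from a caller is handed to a printf-style logging call in the format position instead of being passed as a `%s` argument. The following is an added illustration, not Asterisk code and not part of the original bug report; `verbose_log` is a hypothetical stand-in for a varargs logging API such as ast_verbose, and the sample strings are constructed. It shows the vulnerable call shape next to the hardened one, and a small check a reviewer or unit test can run over network-sourced messages to flag any conversion directive before they reach a logger.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Last formatted log line, kept so a test can inspect what was emitted. */
static char log_buf[256];

/* Hypothetical varargs logger standing in for ast_verbose. The format attribute
   lets GCC/Clang warn when a non-literal is passed as the format (-Wformat-security). */
__attribute__((format(printf, 1, 2)))
int verbose_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE shape (the pattern the advisory describes): caller-supplied text
   becomes the format string, so any %-directive in it is interpreted.
   Kept only for comparison; it is never invoked here. */
int log_untrusted_bad(const char *untrusted)
{
    return verbose_log(untrusted);
}

/* HARDENED shape: the format is a constant and the text is a plain argument,
   so "%x%x%n" is copied verbatim and never interpreted. */
int log_untrusted_ok(const char *untrusted)
{
    return verbose_log("%s", untrusted);
}

/* Defender-side check: returns 1 if the string carries a conversion directive
   ("%%" is a literal percent and does not count). Useful as a unit-test guard or
   review lint over any message that originates from a remote peer. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { /* escaped literal percent, skip both characters */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Accessor so the emitted line can be inspected without exposing the buffer. */
const char *last_log(void)
{
    return log_buf;
}
```

Compiling with `-Wformat -Wformat-security` reports `log_untrusted_bad` because the format argument is not a literal; that warning is the cheapest way to find every call site of this shape in a code base.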
This issue only affected the asterisk version in rawhide, which is now fixed.