A stack-based buffer overflow was found in the way Asterisk, an open source telephony toolkit, encoded text strings to their URI-encoded version when forming an outgoing SIP request. A remote, authenticated attacker could use this flaw to cause the asterisk daemon to crash (denial of service) or, potentially, execute arbitrary code with the privileges of the user running asterisk via specially-crafted caller ID information provided to Asterisk's URI encoding routine.

References:
[1] http://downloads.asterisk.org/pub/security/AST-2011-001.html
[2] http://seclists.org/fulldisclosure/2011/Jan/297
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610487

Upstream changesets:
[4] http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff (against v1.4 branch)
[5] http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff (against v1.6.1 branch)
[6] http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff (against v1.6.2 branch)
[7] http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff (against v1.8 branch)
This issue affects the versions of the asterisk package as shipped with Fedora releases 13 and 14. This issue affects the version of the asterisk package as present within the EPEL-6 repository. Please fix.
Created asterisk tracking bugs for this issue Affects: fedora-all [bug 670779]
CVE Request: [8] http://www.openwall.com/lists/oss-security/2011/01/19/2
The CVE identifier of CVE-2011-0495 has been assigned to this issue: [9] http://www.openwall.com/lists/oss-security/2011/01/19/3
The CVE description from MITRE indicates fixed versions and some further details: Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.
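Added illustration of the class of defect described above (this is not Asterisk's ast_uri_encode and not code from the bug report): a percent-encoder writing into a fixed-size output buffer must account for the fact that every escaped byte expands to three output bytes, and must stop rather than overrun when the next token would not fit. The function name, signature and the sample caller-ID-like input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Unreserved characters are copied through unchanged; everything else
 * is emitted as %XX. (Hypothetical helper for this example.) */
static int is_unreserved(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~';
}

/* Hypothetical bounds-checked URI encoder (not Asterisk's own code).
 * Copies a percent-encoded version of `in` into `out` (capacity `outlen`,
 * always NUL-terminated). Returns the number of bytes written, excluding
 * the terminator. Output is truncated, never overrun. */
size_t uri_encode_safe(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t pos = 0;

    if (outlen == 0)
        return 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (is_unreserved(*p)) {
            if (pos + 1 >= outlen)      /* 1 byte plus room for the NUL */
                break;
            out[pos++] = *p;
        } else {
            /* An escaped byte takes 3 output bytes (%XX). A check that
             * only reserves 1 byte here is exactly the kind of mistake
             * that lets caller ID data overrun a stack buffer. */
            if (pos + 3 >= outlen)      /* 3 bytes plus room for the NUL */
                break;
            out[pos++] = '%';
            out[pos++] = hex[*p >> 4];
            out[pos++] = hex[*p & 0x0f];
        }
    }
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    char buf[16];   /* deliberately small fixed buffer */
    /* constructed caller-ID-like input that expands past the buffer */
    size_t n = uri_encode_safe("Alice <sip:a b@x>", buf, sizeof buf);
    printf("%zu bytes: %s\n", n, buf);   /* prints "14 bytes: Alice%20%3Csip" */
    return 0;
}
```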
*** Bug 670648 has been marked as a duplicate of this bug. ***
Current Asterisk in Fedora should correct this:
Fedora-13: asterisk-1.6.2.17-1.fc13
Fedora-14: asterisk-1.6.2.17-1.fc14
Fedora-15: asterisk-1.8.3-1.fc15
Fedora-Rawhide: asterisk-1.8.3-1.fc16

and in EPEL:
EPEL-6-testing: asterisk-1.8.3-1.el6

These versions also fix AST-2011-002 (CVE-2011-1147).