A stack-based buffer overflow was found in the way Asterisk,
an open source telephony toolkit, encoded text strings to
their URI-encoded version, when forming an outgoing SIP
request. A remote, authenticated attacker could use this
flaw to cause asterisk daemon to crash (denial of service) or,
potentially, execute arbitrary code with the privileges of
the user running asterisk via a specially-crafted caller
ID information provided to Asterisk's URIs encoding routine.
(against v1.4 branch)
(against v1.6.1 branch)
(against v1.6.2 branch)
(against v1.8 branch)
This issue affects the versions of the asterisk package, as shipped
with Fedora release of 13 and 14.
This issue affects the version of the asterisk package, as present
within EPEL-6 repository.
Created asterisk tracking bugs for this issue
Affects: fedora-all [bug 670779]
The CVE identifier of CVE-2011-0495 has been assigned to this issue:
The CVE description from MITRE indicates fixed versions and some further details:
Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11.1, 18.104.22.168.1, 22.214.171.124, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.
*** Bug 670648 has been marked as a duplicate of this bug. ***
Current Asterisk in Fedora should correct this:
and in EPEL:
These versions also fix AST-2011-002 (CVE-2011-1147)