Posted: Wed Jun 14, 2006 7:26 pm
Post subject: [ GLSA 200606-15 ] Asterisk: IAX2 video frame buffer overflow
Gentoo Linux Security Advisory
Title: Asterisk: IAX2 video frame buffer overflow (GLSA 200606-15)
Date: June 14, 2006
Synopsis: Asterisk contains a bug in the IAX2 channel driver making it vulnerable to the remote execution of arbitrary code.
Background: Asterisk is an open source implementation of a telephone private branch exchange (PBX).
Affected package: net-misc/asterisk
Vulnerable: < 1.0.11_p1
Unaffected: >= 1.0.11_p1
Architectures: All supported architectures
Description: Asterisk fails to properly check the length of truncated video frames in the IAX2 channel driver, which results in a buffer overflow.
Impact: An attacker could exploit this vulnerability by sending a specially crafted IAX2 video stream, resulting in the execution of arbitrary code with the permissions of the user running Asterisk.
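The missing check described above, shown as an added example in C that is not Asterisk's code: a hypothetical fixed-size video frame parser that validates both the declared payload length and the number of bytes actually received before copying, so a truncated or oversized frame is rejected instead of overrunning the buffer. The frame layout, buffer size and sample packets are all constructed for the illustration.

```c
/* Added example, not Asterisk source: a minimal parser for a hypothetical
 * IAX2-style video frame (2-byte big-endian payload length, then payload).
 * It demonstrates the length checks whose absence leads to the overflow
 * class described in the advisory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define VIDEO_BUF_SIZE 64   /* constructed fixed-size destination buffer */
#define FRAME_HDR_LEN  2    /* hypothetical header: declared payload length */

struct video_frame {
    uint8_t data[VIDEO_BUF_SIZE];
    size_t  data_len;
};

/* Returns 0 on success, -1 if the packet is malformed.
 * The declared length is checked against the destination buffer AND
 * against the bytes really present, so a truncated frame (fewer bytes
 * than claimed) never drives the copy length. */
int parse_video_frame(const uint8_t *pkt, size_t pkt_len, struct video_frame *out)
{
    if (pkt == NULL || out == NULL || pkt_len < FRAME_HDR_LEN)
        return -1;                              /* header itself is truncated */

    size_t declared  = ((size_t)pkt[0] << 8) | pkt[1];
    size_t available = pkt_len - FRAME_HDR_LEN; /* payload bytes received */

    if (declared > VIDEO_BUF_SIZE)
        return -1;                              /* would not fit the buffer */
    if (declared > available)
        return -1;                              /* truncated frame: reject */

    out->data_len = declared;
    memcpy(out->data, pkt + FRAME_HDR_LEN, declared); /* bounded by checks above */
    return 0;
}

/* Convenience wrapper: accepted payload length, or -1 when rejected. */
int accept_frame(const uint8_t *pkt, size_t pkt_len)
{
    struct video_frame vf;
    return parse_video_frame(pkt, pkt_len, &vf) == 0 ? (int)vf.data_len : -1;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]      = {0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_TRUNCATED[] = {0x00, 0x03, 'a'};
static const uint8_t SAMPLE_OVERSIZED[] = {0x01, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_SHORT_HDR[] = {0x00};
```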
Workaround: Disable public IAX2 support.
Resolution: All Asterisk users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.0.11_p1"
References: Corelabs Asterisk PBX truncated video frame vulnerability advisory