Message-ID: <46CF5B3E.60404@asterisk.org>
Date: Fri, 24 Aug 2007 17:27:10 -0500
From: Asterisk Security Team <security@...erisk.org>
To: full-disclosure@...ts.grok.org.uk
Subject: AST-2007-021: Crash from invalid/corrupted MIME bodies when using voicemail with IMAP storage

              Asterisk Project Security Advisory - AST-2007-021

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Crash from invalid/corrupted MIME bodies when     |
   |                    | using voicemail with IMAP storage                 |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Crash                                             |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | minor                                             |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | August 23, 2007                                   |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Kevin Stewart                                     |
   |--------------------+---------------------------------------------------|
   |     Posted On      | August 24, 2007                                   |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | August 24, 2007                                   |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Mark Michelson <mmichelson@...ium.com>            |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-4521                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | If Asterisk is configured to use IMAP as its backend     |
   |             | storage for voicemail, then an e-mail sent to a user     |
   |             | with an invalid/corrupted MIME body will cause Asterisk  |
   |             | to crash when the user listens to their voicemail using  |
   |             | the phone.                                               |
   |             |                                                          |
   |             | This does not affect any other voicemail storage option, |
   |             | nor does it affect users who check their voicemail via   |
   |             | e-mail when using IMAP storage.                          |
   +------------------------------------------------------------------------+
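The failure mode the advisory describes is a classic one: code that walks a parsed MIME structure and assumes the parts it expects are present, so a message whose body does not match its declared structure takes the code down a path it never checked. The following added example (written for this page, not Asterisk's own voicemail code, which is in C and uses an IMAP client library) illustrates the pattern with Python's email package. The two sample messages, the function names `naive_audio_payload`/`safe_audio_payload`, and the "second part holds the audio" assumption are all constructed for illustration.

```python
"""Illustrative handling of invalid/corrupted MIME bodies (added example, not Asterisk code)."""
import email
from email import policy

# Constructed sample: a well-formed voicemail notification with a text part
# followed by a small base64-encoded audio attachment ("RIFF" header only).
GOOD_MSG = b"""From: voicemail@example.invalid
To: user@example.invalid
Subject: New voicemail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new voicemail.
--b1
Content-Type: audio/x-wav; name="msg0000.wav"
Content-Transfer-Encoding: base64

UklGRg==
--b1--
"""

# Constructed sample: the header claims multipart/mixed, but the body never
# contains the declared boundary, so the structure is invalid.
BAD_MSG = b"""From: sender@example.invalid
To: user@example.invalid
Subject: corrupted
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

this is not a valid multipart body at all
"""


def naive_audio_payload(raw: bytes) -> bytes:
    """Assumes the message is multipart and that part index 1 is the audio.

    On a corrupted body the parser records a defect and stores a plain string
    payload instead of a list of parts, so indexing raises TypeError: this is
    the "trust the declared structure" mistake that turns bad input into a crash.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_payload(1).get_payload(decode=True)


def safe_audio_payload(raw: bytes):
    """Returns the decoded audio payload, or None if the message cannot be trusted.

    Every structural assumption is checked before it is used: parser defects on
    any part, the multipart invariant, the part's declared media type, and that
    decoding actually produced data.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    # The parser does not raise on malformed structure; it records defects instead.
    if any(part.defects for part in msg.walk()):
        return None
    if not msg.is_multipart():
        return None
    for part in msg.iter_parts():
        if part.get_content_maintype() == "audio":
            data = part.get_payload(decode=True)
            if data:
                return data
    return None


def naive_crashes(raw: bytes) -> bool:
    """True if the naive reader raises on this input (simulating the crash)."""
    try:
        naive_audio_payload(raw)
    except (TypeError, IndexError, AttributeError):
        return True
    return False


if __name__ == "__main__":
    print("good message, safe reader:", safe_audio_payload(GOOD_MSG))
    print("bad message, safe reader:", safe_audio_payload(BAD_MSG))
    print("bad message crashes naive reader:", naive_crashes(BAD_MSG))
```

The defensive version is deliberately pessimistic: any recorded parser defect rejects the message, because a voicemail reader only needs to skip one undeliverable message, whereas a crash takes down every call on the system. The same "check before you index" discipline applies to the C structures an IMAP client library hands back.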

   +------------------------------------------------------------------------+
   | Resolution | Since this is a minor issue, a new release is not         |
   |            | immediately planned. However, the issue will be fixed in  |
   |            | Asterisk Open Source version 1.4.12 when it is released.  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product             |   Release   |                         |
   |                                |   Series    |                         |
   |--------------------------------+-------------+-------------------------|
   |      Asterisk Open Source      |    1.0.x    | Not Affected            |
   |--------------------------------+-------------+-------------------------|
   |      Asterisk Open Source      |    1.2.x    | Not Affected            |
   |--------------------------------+-------------+-------------------------|
   |      Asterisk Open Source      |    1.4.x    | Versions 1.4.5 - 1.4.11 |
   |--------------------------------+-------------+-------------------------|
   |   Asterisk Business Edition    |    A.x.x    | Not Affected            |
   |--------------------------------+-------------+-------------------------|
   |   Asterisk Business Edition    |    B.x.x    | Not Affected            |
   |--------------------------------+-------------+-------------------------|
   |          AsteriskNOW           | pre-release | Not Affected            |
   |--------------------------------+-------------+-------------------------|
   |  Asterisk Appliance Developer  |    0.x.x    | Not Affected            |
   |              Kit               |             |                         |
   |--------------------------------+-------------+-------------------------|
   |   s800i (Asterisk Appliance)   |    1.0.x    | Not Affected            |
   +------------------------------------------------------------------------+

+-----------------------------------------------------------------------------------+
|                                   Corrected In                                    |
|-----------------------------------------------------------------------------------|
|Product |                                 Release                                  |
|--------+--------------------------------------------------------------------------|
|Asterisk|             1.4.12 (not released), patch can be found here:              |
|  Open  |http://lists.digium.com/pipermail/asterisk-commits/2007-August/015743.html|
| Source |                                                                          |
|--------+--------------------------------------------------------------------------|
+-----------------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |      Links       | http://bugs.digium.com/view.php?id=10544            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/asa/AST-2007-021.pdf and               |
   | http://downloads.digium.com/pub/asa/AST-2007-021.html.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |         Date         |       Editor        |      Revisions Made       |
   |----------------------+---------------------+---------------------------|
   | August 24, 2007      | Mark Michelson      | Initial Release           |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-021
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
