
Summary: ASTERISK-11801: parkandannounce_exec uses sizeof wrongly on array of strings to announce
Reporter: David Woolley (davidw)
Labels:
Date Opened: 2008-04-08 12:41:51
Date Closed: 2008-04-08 14:05:17
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Applications/app_parkandannounce
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: Based on code reading, it looks to me as though parkandannounce_exec limits the number of parts in the announcement to the number of bytes in the tmp array, not the number of entries, i.e. typically 4 times the correct number.

The offending line is 214.

****** ADDITIONAL INFORMATION ******

As this would seem to be a buffer overrun vulnerability, I'm setting the view status to private and the severity to major, even though it is a one line change. I leave it to the managers' discretion as to whether to open up access, assuming that view status does what I think it does.
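The sizeof mistake described in the report, shown as an added example that is not part of the original report and not Asterisk's own code. The 100-entry limit is taken from the commit message below; the tokenizer, the helper names (`wrong_limit`, `correct_limit`, `split_announce`, and so on) and the constructed sample list are assumptions made for this illustration. The byte-sized bound is `sizeof(char *)` times too large, so it accepts 4 times too many entries on a 32-bit build (the reporter's "typically 4 times") and 8 times too many on a 64-bit build; the hardened split stops at the element count and reports what it dropped instead of writing past the array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not Asterisk's code): the announce list is split on ':'
 * into a fixed array of string pointers. MAX_PARTS mirrors the 100-entry limit
 * mentioned in the fix's commit message. */
#define MAX_PARTS 100
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* The buggy bound: sizeof on the pointer array is its size in bytes, i.e.
 * sizeof(char *) times the element count (4x on 32-bit, 8x on 64-bit). */
size_t wrong_limit(void)
{
	char *tmp[MAX_PARTS];
	return sizeof(tmp);
}

/* The fixed bound: the element count of the same array. */
size_t correct_limit(void)
{
	char *tmp[MAX_PARTS];
	return ARRAY_LEN(tmp);
}

/* Count the ':'-separated tokens in a list (an empty list has 0 tokens). */
size_t count_parts(const char *list)
{
	if (list == NULL || *list == '\0')
		return 0;
	size_t n = 1;
	for (const char *p = list; *p; p++)
		if (*p == ':')
			n++;
	return n;
}

/* How many pointer stores would land past the end of tmp[] if the loop were
 * bounded by sizeof(tmp) instead of ARRAY_LEN(tmp). Zero means the input
 * would be safe under either bound. Nothing here actually writes out of
 * bounds; this only computes the margin. */
size_t excess_under_wrong_bound(const char *list)
{
	size_t n = count_parts(list);
	if (n > wrong_limit())
		n = wrong_limit();	/* even the buggy loop stops here */
	return n > correct_limit() ? n - correct_limit() : 0;
}

/* Hardened split: modifies 'list' in place, stores at most 'max' entries in
 * 'parts' and reports the tokens that did not fit in *dropped. It never
 * writes beyond parts[max - 1], whatever the input length. */
size_t split_announce(char *list, char **parts, size_t max, size_t *dropped)
{
	size_t n = 0;
	*dropped = 0;
	char *p = (list != NULL && *list != '\0') ? list : NULL;
	while (p != NULL) {
		char *tok = p;
		char *sep = strchr(p, ':');
		if (sep != NULL) {
			*sep = '\0';
			p = sep + 1;
		} else {
			p = NULL;
		}
		if (n < max)
			parts[n++] = tok;
		else
			(*dropped)++;
	}
	return n;
}

/* Build a constructed list "f0:f1:...:f(n-1)" into buf. Returns the number of
 * tokens actually written (fewer than n only if buf is too small). */
size_t build_list(char *buf, size_t bufsz, size_t n)
{
	size_t len = 0, i;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		int w = snprintf(buf + len, bufsz - len, "%sf%zu", i ? ":" : "", i);
		if (w < 0 || (size_t)w >= bufsz - len) {
			buf[len] = '\0';
			return i;
		}
		len += (size_t)w;
	}
	return n;
}

int main(void)
{
	char buf[2048];
	char *parts[MAX_PARTS];
	size_t dropped;

	build_list(buf, sizeof(buf), 150);	/* 50 more entries than the array holds */
	printf("byte bound %zu, element bound %zu, stores past the end: %zu\n",
	       wrong_limit(), correct_limit(), excess_under_wrong_bound(buf));
	size_t n = split_announce(buf, parts, ARRAY_LEN(parts), &dropped);
	printf("stored %zu entries, dropped %zu\n", n, dropped);
	return 0;
}
```

The `ARRAY_LEN` idiom is the whole fix: any loop that indexes a fixed array should be bounded by `sizeof(a) / sizeof(a[0])`, never by `sizeof(a)` alone, and the check is cheapest to apply at the point where input from the dialplan is tokenized into the array.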
Comments:

By: David Woolley (davidw) 2008-04-08 13:07:15

At the moment, I cannot think of any sensible way to exploit this remotely without a dial plan that wouldn't, itself, be a security hazard.

By: Mark Michelson (mmichelson) 2008-04-08 13:58:36

Good find! This definitely has the potential to overflow the buffer, but due to the fact that this could only be exploited through the dialplan and cannot be exploited remotely (except via a manager session that had proper permission), this does not warrant a security advisory. Instead, we're just going to commit the necessary one-line fix so that the potential segfault may not happen. Thanks for your input and for taking the cautious route of making this private to begin with.

By: Digium Subversion (svnbot) 2008-04-08 14:02:54

Repository: asterisk
Revision: 113507

U   branches/1.4/apps/app_parkandannounce.c

------------------------------------------------------------------------
r113507 | mmichelson | 2008-04-08 14:02:52 -0500 (Tue, 08 Apr 2008) | 8 lines

Fix potential buffer overflow that could happen if more than 100 announce files
were specified when calling ParkAndAnnounce. This overflow is not exploitable remotely
and so there is no need for a security advisory.

(closes issue ASTERISK-11801)
Reported by: davidw


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=113507

By: Digium Subversion (svnbot) 2008-04-08 14:04:23

Repository: asterisk
Revision: 113508

_U  trunk/

------------------------------------------------------------------------
r113508 | mmichelson | 2008-04-08 14:04:22 -0500 (Tue, 08 Apr 2008) | 15 lines

Blocked revisions 113507 via svnmerge

........
r113507 | mmichelson | 2008-04-08 14:07:38 -0500 (Tue, 08 Apr 2008) | 8 lines

Fix potential buffer overflow that could happen if more than 100 announce files
were specified when calling ParkAndAnnounce. This overflow is not exploitable remotely
and so there is no need for a security advisory.

(closes issue ASTERISK-11801)
Reported by: davidw


........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=113508

By: Digium Subversion (svnbot) 2008-04-08 14:05:17

Repository: asterisk
Revision: 113509

_U  branches/1.6.0/

------------------------------------------------------------------------
r113509 | mmichelson | 2008-04-08 14:05:16 -0500 (Tue, 08 Apr 2008) | 22 lines

Blocked revisions 113508 via svnmerge

................
r113508 | mmichelson | 2008-04-08 14:09:16 -0500 (Tue, 08 Apr 2008) | 15 lines

Blocked revisions 113507 via svnmerge

........
r113507 | mmichelson | 2008-04-08 14:07:38 -0500 (Tue, 08 Apr 2008) | 8 lines

Fix potential buffer overflow that could happen if more than 100 announce files
were specified when calling ParkAndAnnounce. This overflow is not exploitable remotely
and so there is no need for a security advisory.

(closes issue ASTERISK-11801)
Reported by: davidw


........

................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=113509