CVE-2006-1827: arbitrary code execution

Related Vulnerabilities: CVE-2006-1827  

Debian Bug report logs - #364195
CVE-2006-1827: arbitrary code execution


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Fri, 21 Apr 2006 20:33:02 UTC

Severity: grave

Tags: security

Found in versions asterisk/1:1.2.1.dfsg-3, asterisk/1:1.0.7.dfsg.1-2

Fixed in versions 1:1.2.7.1.dfsg-1, asterisk/1:1.2.7.1.dfsg-2

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#364195; Package asterisk.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-1827: arbitrary code execution
Date: Fri, 21 Apr 2006 22:24:16 +0200
Package: asterisk
Severity: grave
Tags: security
Justification: user security hole


CVE-2006-1827:
Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and
earlier allows remote attackers to execute arbitrary code via a length
value that passes a length check as a negative number, but triggers a
buffer overflow when it is used as an unsigned length.

This is fixed in 1.2.7.

Please mention the CVE-id in the changelog.
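
The signedness pattern the CVE description refers to, as an added C example (not Asterisk's format_jpeg.c and not part of the original report): a signed length passes an upper-bound check while negative, then becomes a huge value once converted to size_t. BUF_CAP, the function names and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 4096                     /* constructed capacity, not Asterisk's */
static unsigned char out[BUF_CAP];
static const unsigned char sample[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed input */

/* Flawed pattern: only the upper bound is tested, in the signed domain,
 * so every negative length is accepted. */
static int flawed_len_ok(int len)
{
    return len <= (int)BUF_CAP;
}

/* What a read/copy routine receives once the accepted value is converted
 * to an unsigned length. */
static size_t as_unsigned_len(int len)
{
    return (size_t)len;
}

/* Hardened check: reject negatives first, then compare as unsigned. */
static int hardened_len_ok(int len)
{
    return len >= 0 && (size_t)len <= BUF_CAP;
}

/* Hardened copy into a BUF_CAP-sized destination.
 * Returns the number of bytes copied, or -1 if the claimed length is rejected. */
static long copy_frame(unsigned char *dst, const unsigned char *src,
                       size_t src_len, int claimed_len)
{
    if (!hardened_len_ok(claimed_len) || (size_t)claimed_len > src_len)
        return -1;
    memcpy(dst, src, (size_t)claimed_len);
    return claimed_len;
}

int main(void)
{
    int claimed = -1;                    /* constructed untrusted length field */
    printf("flawed check accepts %d: %d\n", claimed, flawed_len_ok(claimed));
    printf("same value as size_t:   %zu\n", as_unsigned_len(claimed));
    printf("hardened copy result:   %ld\n",
           copy_frame(out, sample, sizeof sample, claimed));
    return 0;
}
```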



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#364195; Package asterisk.


Acknowledgement sent to Kilian Krause <kilian@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #10 received at 364195@bugs.debian.org:

From: Kilian Krause <kilian@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 364195@bugs.debian.org
Subject: Re: Bug#364195: CVE-2006-1827: arbitrary code execution
Date: Fri, 21 Apr 2006 22:41:13 +0200
Hi Stefan,

On Friday, 21.04.2006 at 22:24 +0200, Stefan Fritsch wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> 
> CVE-2006-1827:
> Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and
> earlier allows remote attackers to execute arbitrary code via a length
> value that passes a length check as a negative number, but triggers a
> buffer overflow when it is used as an unsigned length.
> 
> This is fixed in 1.2.7.

well, 1.2.7 is unlikely to hit Sarge, we'll try to include the fix 
http://svn.digium.com/view/asterisk/branches/1.2/formats/format_jpeg.c?r1=7221&r2=18436&diff_format=u
into the sarge package and propose it to the security team as we have it
ready.

For SID and Etch, we have just rolled out 1.2.7.1 into unstable today
which will sooner or later hit Etch and implicitly fix this.

-- 
Best regards,
 Kilian

Reply sent to Stefan Fritsch <sf@sfritsch.de>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #15 received at 364195-done@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 364195-done@bugs.debian.org
Subject: CVE-2006-1827: arbitrary code execution
Date: Sat, 22 Apr 2006 12:40:53 +0200
Version: 1:1.2.7.1.dfsg-1

Thanks.



Bug marked as found in version 1:1.2.1.dfsg-3. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Bug marked as found in version 1:1.0.7.dfsg.1-2. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #24 received at 364195-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 364195-close@bugs.debian.org
Subject: Bug#364195: fixed in asterisk 1:1.2.7.1.dfsg-2
Date: Sun, 23 Apr 2006 07:47:09 -0700
Source: asterisk
Source-Version: 1:1.2.7.1.dfsg-2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-bristuff_1.2.7.1.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-bristuff_1.2.7.1.dfsg-2_i386.deb
asterisk-classic_1.2.7.1.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-classic_1.2.7.1.dfsg-2_i386.deb
asterisk-config_1.2.7.1.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-config_1.2.7.1.dfsg-2_all.deb
asterisk-dev_1.2.7.1.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.2.7.1.dfsg-2_all.deb
asterisk-doc_1.2.7.1.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.2.7.1.dfsg-2_all.deb
asterisk-h423_1.2.7.1.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.2.7.1.dfsg-2_i386.deb
asterisk-sounds-main_1.2.7.1.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.2.7.1.dfsg-2_all.deb
asterisk-web-vmail_1.2.7.1.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.2.7.1.dfsg-2_all.deb
asterisk_1.2.7.1.dfsg-2.diff.gz
  to pool/main/a/asterisk/asterisk_1.2.7.1.dfsg-2.diff.gz
asterisk_1.2.7.1.dfsg-2.dsc
  to pool/main/a/asterisk/asterisk_1.2.7.1.dfsg-2.dsc
asterisk_1.2.7.1.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk_1.2.7.1.dfsg-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 364195@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 23 Apr 2006 13:26:29 +0100
Source: asterisk
Binary: asterisk-h423 asterisk-web-vmail asterisk asterisk-classic asterisk-dev asterisk-doc asterisk-sounds-main asterisk-bristuff asterisk-config
Architecture: source all i386
Version: 1:1.2.7.1.dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX) - dummy package
 asterisk-bristuff - Open Source Private Branch Exchange (PBX) - BRIstuff-enabled vers
 asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium versi
 asterisk-config - config files for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-h423 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 359970 360181 360220 360233 364195
Changes: 
 asterisk (1:1.2.7.1.dfsg-2) unstable; urgency=high
 .
   [ Kilian Krause ]
   * Urgency bumped since 1.2.7 is a security update [CVE-2006-1827]
     (Closes: #364195)
 .
   [ Mark Purcell ]
   * Previous Upload also fixes:
     - cannot install - directories not created (Closes: #360233)
     - package uninstallable (Closes: #359970)
   * Update postinst to fix: fails to upgrade when /etc/asterisk/voicemail.conf
     is deleted (Closes: #360220)
   * Link debian/asterisk-bristuff.asterisk.{logrotate,init} &
     provide debian/asterisk-classic.asterisk.logfile
     - Fixes: init.d and logrotate.d conflicts (Closes: #360181)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFES43YoCzanz0IthIRAtBDAJ0Qv74iqaBbCC/tFBBsyAsq1ng60wCcDHb3
nwltbR7BqYHD97KzA51Ysvs=
=qCCR
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 06:32:54 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:22:39 2019; Machine Name: beach
