Debian Bug report logs -
#338116
asterisk-web-vmail: Information disclosure of voice mail messages through vmail.cgi
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 8 Nov 2005 09:33:14 UTC
Severity: important
Tags: patch, security
Found in version asterisk-web-vmail/1:1.0.9.dfsg-5
Fixed in version asterisk/1:1.2.13~dfsg-1
Done: Mark Purcell <msp@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#338116; Package asterisk-web-vmail.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: asterisk-web-vmail
Version: 1:1.0.9.dfsg-5
Severity: important
Tags: security
vmail.cgi doesn't clean a parameter passed by the web user which is
later used to open a file and return a raw stream to the user.
This allows any authenticated user of the voicemail system to listen to
other peoples messages, or to open any file with the extension .wav/.WAV
on the system.
For more information please see
http://www.assurance.com.au/advisories/200511-asterisk.txt
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#338116; Package asterisk-web-vmail.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #10 received at 338116@bugs.debian.org (full text, mbox, reply):
This has been assigned CVE-2005-3559, please mention it in the
changelog when fixing it.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#338116; Package asterisk-web-vmail.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #15 received at 338116@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Moritz Muehlenhoff wrote:
> This has been assigned CVE-2005-3559, please mention it in the
> changelog when fixing it.
The attached patch fixes this problem.
This problem is also fixed in the Debian package 1.2.7.1.dfsg-2.
Regards,
Joey
--
Experience is something you don't get until just after you need it.
Please always Cc to me when replying to me on the lists.
[patch.CVE-2005-3559.asterisk (text/plain, attachment)]
Tags added: patch
Request was from Alec Berryman <alec@thened.net>
to control@bugs.debian.org.
(full text, mbox, link).
Tags added: pending
Request was from Mark Purcell <msp@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #24 received at 338116-close@bugs.debian.org (full text, mbox, reply):
Source: asterisk
Source-Version: 1:1.2.13~dfsg-1
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:
asterisk-bristuff_1.2.13~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-1_i386.deb
asterisk-classic_1.2.13~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk-classic_1.2.13~dfsg-1_i386.deb
asterisk-config_1.2.13~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-config_1.2.13~dfsg-1_all.deb
asterisk-dev_1.2.13~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-dev_1.2.13~dfsg-1_all.deb
asterisk-doc_1.2.13~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-doc_1.2.13~dfsg-1_all.deb
asterisk-h423_1.2.13~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk-h423_1.2.13~dfsg-1_i386.deb
asterisk-sounds-main_1.2.13~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-1_all.deb
asterisk-web-vmail_1.2.13~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-1_all.deb
asterisk_1.2.13~dfsg-1.diff.gz
to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1.diff.gz
asterisk_1.2.13~dfsg-1.dsc
to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1.dsc
asterisk_1.2.13~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1_all.deb
asterisk_1.2.13~dfsg.orig.tar.gz
to pool/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 338116@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 25 Oct 2006 06:46:52 +0100
Source: asterisk
Binary: asterisk-h423 asterisk-web-vmail asterisk asterisk-classic asterisk-dev asterisk-doc asterisk-sounds-main asterisk-bristuff asterisk-config
Architecture: source all i386
Version: 1:1.2.13~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-bristuff - Open Source Private Branch Exchange (PBX) - BRIstuff-enabled vers
asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium versi
asterisk-config - config files for asterisk
asterisk-dev - development files for asterisk
asterisk-doc - documentation for asterisk
asterisk-h423 - asterisk H.323 VoIP channel
asterisk-sounds-main - sound files for asterisk
asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 338116 342138 348194 375141 386113 389376 394025 394122 395080
Changes:
asterisk (1:1.2.13~dfsg-1) unstable; urgency=high
.
[ Kilian Krause ]
* Fixup dfsg versions with increased upstream build count.
.
[ Santiago Ruano Rincón ]
* Added cdr_sqlite3_custom dpatch
.
[ Mark Purcell ]
* New upstream release
- Remote compromise (Closes: #394025)
- CVE-2006-5444/5:security issues in asterisk (Closes: #395080)
- Urgency high as this fixes remote compromise security issue
- Information disclosure of voice mail messages through vmail.cgi
(Closes: #338116)
- package asterisk-dev should contain asterisk.h main header (Closes:
#342138)
- format_ogg_vorbis.so was present in i386, no longer in packages
(Closes: #375141)
* Update debian/patches/bristuff.dpatch
* bristuff-0.3.0-PRE-1v
- Please package bristuff 0.3.0PREu (Closes: #394122)
- please include app_pickup.c from bristuff (Closes: #348194)
* Build Depends: dpkg ( >= 1.13.19)
- Asterisk must build-depend upon dpkg ( >= 1.13.19) (Closes: #386113)
* Build-Depends: libpq-dev
- obsolete build dependency postgresql-dev (Closes: #389376)
Files:
14426527db1c7abf12a02b745cae91b0 1395 comm optional asterisk_1.2.13~dfsg-1.dsc
f8ee088b2e4feffe2b35d78079f90b69 3835589 comm optional asterisk_1.2.13~dfsg.orig.tar.gz
a75d403e861600e0a50e5d3f5688985f 173367 comm optional asterisk_1.2.13~dfsg-1.diff.gz
e9a80c1e404ac596ba7c31074e348e7b 145536 comm optional asterisk_1.2.13~dfsg-1_all.deb
73d0100ba93d2f1193c9e227be83d8e5 19121500 doc optional asterisk-doc_1.2.13~dfsg-1_all.deb
f25a5e8e52b262c07d3645024f6e1b14 168992 devel optional asterisk-dev_1.2.13~dfsg-1_all.deb
189167a3c013dda5bb26b80c1518f313 1503672 comm optional asterisk-sounds-main_1.2.13~dfsg-1_all.deb
0d31a0872756006e310c64e171f1e268 72796 comm optional asterisk-web-vmail_1.2.13~dfsg-1_all.deb
ecae111f8aa9e43ee65e31dcac7e0e3b 130726 comm optional asterisk-config_1.2.13~dfsg-1_all.deb
8da1c58282bcfccc944ab62f3f35321a 1614394 comm optional asterisk-classic_1.2.13~dfsg-1_i386.deb
0e6df112a50fb2d859e713e2a1922c95 1647624 comm optional asterisk-bristuff_1.2.13~dfsg-1_i386.deb
46e7f3bf3fbbfb248fc20ae839b7a854 129878 comm optional asterisk-h423_1.2.13~dfsg-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFPv4ToCzanz0IthIRAlenAJ9wJZlZlwJB7pGtrhrC916T9FZprACfYtx+
fpIysXNrCHdbPtaFLWqZfL8=
=y4D5
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 17:30:31 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:23:17 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon