Ubuntu
asterisk package

[asterisk] [CVE-2007-6170] missing input sanitising

Bug #173610 reported by disabled.user on 2007-12-03

260

Affects		Status	Importance	Assigned to	Milestone
	asterisk (Ubuntu)	Fix Released	High	Unassigned
	Dapper	Won't Fix	High	Unassigned
	Edgy	Won't Fix	High	Unassigned
	Feisty	Won't Fix	High	Unassigned
	Gutsy	Won't Fix	High	Unassigned
	Hardy	Fix Released	High	Unassigned

Bug Description

Binary package hint: asterisk

References:
http://www.debian.org/security/2007/dsa-1417

Quoting DSA-1417-1:
"Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit performs insufficient sanitising of call-related data, which may lead to SQL injection."

Quoting CVE-2007-6170:
"SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments."

CVE References

2007-6170

Emanuele Gentili (emgent) on 2008-03-06

Changed in asterisk:
assignee:	nobody → emgent
importance:	Undecided → High
status:	New → In Progress
assignee:	emgent → nobody

Revision history for this message

Kees Cook (kees) wrote on 2008-03-06:

#1

Thanks for the report! I'm flipping to "Confirmed" until there is a debdiff available.

Changed in asterisk:
status:	In Progress → Confirmed

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-21:

#2

working to it.

Revision history for this message

William Grant (wgrant) wrote on 2008-03-26:

#3

Fixed in Debian 1:1.4.15~dfsg-1, which is now in Hardy.

Changed in asterisk:
importance:	Undecided → High
status:	New → Confirmed
importance:	Undecided → High
status:	New → Confirmed
importance:	Undecided → High
status:	New → Confirmed
importance:	Undecided → High
status:	New → Confirmed
status:	Confirmed → Fix Released

Revision history for this message

Luca Falavigna (dktrkranz) wrote on 2008-07-08:

#4

Edgy reached EOL on April 25th, 2008.

Changed in asterisk:
status:	Confirmed → Won't Fix

Revision history for this message

LumpyCustard (orangelumpycustard) wrote on 2008-12-13:

#5

Please could someone mark this as Won't Fix for Feisty?

Daniel T Chen (crimsun) on 2008-12-13

Changed in asterisk:
status:	Confirmed → Won't Fix

Revision history for this message

Sergio Zanchetta (primes2h) wrote on 2009-05-07:

#6

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in asterisk (Ubuntu Gutsy):
status:	Confirmed → Won't Fix

Rolf Leggewie (r0lf) on 2011-10-03

Changed in asterisk (Ubuntu Dapper):
status:	Confirmed → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.