
AST-2007-021: Crash from invalid/corrupted MIME bodies when using voicemail with IMAP storage

From: Asterisk Security Team <security(at)asterisk.org>
Date: Fri Aug 24 2007 - 18:26:10 EDT

              Asterisk Project Security Advisory - AST-2007-021

+------------------------------------------------------------------------+

   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Crash from invalid/corrupted MIME bodies when     |
   |                    | using voicemail with IMAP storage                 |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Crash                                             |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | minor                                             |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | August 23, 2007                                   |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Kevin Stewart                                     |
   |--------------------+---------------------------------------------------|
   |     Posted On      | August 24, 2007                                   |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | August 24, 2007                                   |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Mark Michelson             |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-4521                                     |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | If Asterisk is configured to use IMAP as its backend     |
|             | storage for voicemail, then an e-mail sent to a user     |
|             | with an invalid/corrupted MIME body will cause Asterisk  |
|             | to crash when the user listens to their voicemail using  |
|             | the phone.                                               |
|             |                                                          |
|             | This does not affect any other voicemail storage option, |
|             | nor does it affect users who check their voicemail via   |
|             | e-mail when using IMAP storage.                          |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Since this is a minor issue, a new release is not         |
|            | immediately planned. However, the issue will be fixed in  |
|            | Asterisk Open Source version 1.4.12 when it is released.  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
|            Product             |   Release   |                         |
|                                |   Series    |                         |
|--------------------------------+-------------+-------------------------|
| Asterisk Open Source           | 1.0.x       | Not Affected            |
|--------------------------------+-------------+-------------------------|
| Asterisk Open Source           | 1.2.x       | Not Affected            |
|--------------------------------+-------------+-------------------------|
| Asterisk Open Source           | 1.4.x       | Versions 1.4.5 - 1.4.11 |
|--------------------------------+-------------+-------------------------|
| Asterisk Business Edition      | A.x.x       | Not Affected            |
|--------------------------------+-------------+-------------------------|
| Asterisk Business Edition      | B.x.x       | Not Affected            |
|--------------------------------+-------------+-------------------------|
| AsteriskNOW                    | pre-release | Not Affected            |
|--------------------------------+-------------+-------------------------|
| Asterisk Appliance Developer   | 0.x.x       | Not Affected            |
| Kit                            |             |                         |
|--------------------------------+-------------+-------------------------|
| s800i (Asterisk Appliance)     | 1.0.x       | Not Affected            |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------------------+
|                                    Corrected In                                    |
|------------------------------------------------------------------------------------|
|Product |                                  Release                                  |
|--------+---------------------------------------------------------------------------|
|Asterisk| 1.4.12 (not released), patch can be found here:                           |
|  Open  | http://lists.digium.com/pipermail/asterisk-commits/2007-August/015743.html|
| Source |                                                                           |
+------------------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | http://bugs.digium.com/view.php?id=10544 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security.                                      |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/asa/AST-2007-021.pdf and               |
| http://downloads.digium.com/pub/asa/AST-2007-021.html.                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                            Revision History                            |
|------------------------------------------------------------------------|
|         Date         |       Editor        |      Revisions Made       |
|----------------------+---------------------+---------------------------|
| August 24, 2007      | Mark Michelson      | Initial Release           |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2007-021
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Received on Sat Aug 25 11:13:36 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:13:30 EDT

