Debian Bug report logs - #338116
asterisk-web-vmail: Information disclosure of voice mail messages through vmail.cgi


Package: asterisk-web-vmail; Maintainer for asterisk-web-vmail is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 8 Nov 2005 09:33:14 UTC

Severity: important

Tags: patch, security

Found in version asterisk-web-vmail/1:1.0.9.dfsg-5

Fixed in version asterisk/1:1.2.13~dfsg-1

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#338116; Package asterisk-web-vmail.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk-web-vmail: Information disclosure of voice mail messages through vmail.cgi
Date: Tue, 08 Nov 2005 10:31:05 +0100
Package: asterisk-web-vmail
Version: 1:1.0.9.dfsg-5
Severity: important
Tags: security

 vmail.cgi doesn't clean a parameter passed by the web user which is
 later used to open a file and return a raw stream to the user.
 This allows any authenticated user of the voicemail system to listen to
 other people's messages, or to open any file with the extension .wav/.WAV
 on the system.

For more information please see
http://www.assurance.com.au/advisories/200511-asterisk.txt

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
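The report above describes a request parameter that reaches a file open unvalidated, so the only thing standing between one mailbox and another is the string the browser sends. The following is an added example of the shape of the fix, not vmail.cgi's own code and not Joey's attached patch (vmail.cgi is Perl; this is written in Python so it runs stand-alone). The spool layout `<root>/default/<mailbox>/INBOX/msgNNNN.wav`, the function names, and the sample files are constructed assumptions for the demo. The mailbox identity comes from the authenticated session, never from the request; every request-supplied component must be a plain name; and the canonical path of the resolved file must still lie inside that mailbox directory, which also catches symlinks that a pattern check alone would let through.

```python
"""Added example: a hardened message-file resolver for a voicemail CGI.
Not the vmail.cgi code; paths and names below are assumptions for the demo."""
import os
import re
import tempfile

# Only canonical message names are accepted: msg0000.wav, msg0001.WAV, ...
MESSAGE_NAME = re.compile(r"msg\d{4}\.(wav|WAV)")
# Context, mailbox and folder must be plain names: no '/', no '..', no NULs.
PLAIN_NAME = re.compile(r"[A-Za-z0-9_-]+")


class VoicemailAccessError(Exception):
    """Raised for any request that must not be served."""


def resolve_message_path(spool_root, context, mailbox, folder, message):
    """Return the absolute path of a message file, or raise.

    First line of defence: reject any component that is not a plain name.
    Second line of defence: after canonicalisation (symlinks resolved), the
    file must still be inside the caller's own mailbox directory.
    """
    for part in (context, mailbox, folder):
        if not PLAIN_NAME.fullmatch(part):
            raise VoicemailAccessError("bad path component")
    if not MESSAGE_NAME.fullmatch(message):
        raise VoicemailAccessError("bad message name")
    mailbox_dir = os.path.realpath(os.path.join(spool_root, context, mailbox))
    candidate = os.path.realpath(os.path.join(mailbox_dir, folder, message))
    if os.path.commonpath([mailbox_dir, candidate]) != mailbox_dir:
        raise VoicemailAccessError("path escapes mailbox")
    return candidate


def open_message(spool_root, session_context, session_mailbox, folder, message):
    """Read a message for the *authenticated* mailbox; only folder and
    message name are taken from the request."""
    path = resolve_message_path(spool_root, session_context, session_mailbox,
                                folder, message)
    with open(path, "rb") as f:
        return f.read()


def build_sample_spool():
    """Create a constructed spool tree (not real voicemail data).

    Mailbox 1000 also gets a symlinked 'message' that points into mailbox
    1001, to show the canonical-path check doing its job.
    """
    root = tempfile.mkdtemp(prefix="vmail-demo-")
    for mbox in ("1000", "1001"):
        inbox = os.path.join(root, "default", mbox, "INBOX")
        os.makedirs(inbox)
        with open(os.path.join(inbox, "msg0000.wav"), "wb") as f:
            f.write(b"RIFF-audio-for-" + mbox.encode())
    os.symlink(os.path.join(root, "default", "1001", "INBOX", "msg0000.wav"),
               os.path.join(root, "default", "1000", "INBOX", "msg0001.wav"))
    return root


def run_demo():
    """Serve a set of constructed requests as mailbox 1000 and report outcomes."""
    root = build_sample_spool()
    requests = {
        "own message": ("INBOX", "msg0000.wav"),
        "other mailbox": ("../1001/INBOX", "msg0000.wav"),
        "absolute path": ("INBOX", "/etc/hostname.wav"),
        "non-wav file": ("INBOX", "msg0000.txt"),
        "symlinked message": ("INBOX", "msg0001.wav"),
    }
    results = {}
    for label, (folder, message) in requests.items():
        try:
            data = open_message(root, "default", "1000", folder, message)
            results[label] = "allowed:" + data.decode()
        except VoicemailAccessError as err:
            results[label] = "denied:" + str(err)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:18} -> {outcome}")
```

The allow-list on the message name already enforces the `.wav`/`.WAV` extension the report mentions, but extension checks alone would still let a caller name any `.wav` on the system; scoping the canonical path to the session's mailbox is what closes the disclosure. A log line for each `VoicemailAccessError` is cheap and gives a detection signal for probing of this kind.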



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#338116; Package asterisk-web-vmail.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.

Message #10 received at 338116@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 338116@bugs.debian.org
Subject: CVE assignment
Date: Fri, 18 Nov 2005 11:02:35 +0100
This has been assigned CVE-2005-3559, please mention it in the
changelog when fixing it.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#338116; Package asterisk-web-vmail.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.

Message #15 received at 338116@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 338116@bugs.debian.org
Subject: Re: CVE assignment
Date: Wed, 26 Apr 2006 17:37:41 +0200
Moritz Muehlenhoff wrote:
> This has been assigned CVE-2005-3559, please mention it in the
> changelog when fixing it.

The attached patch fixes this problem.

This problem is also fixed in the Debian package 1.2.7.1.dfsg-2.

Regards,

	Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.
[patch.CVE-2005-3559.asterisk (text/plain, attachment)]

Tags added: patch Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.

Tags added: pending Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org.

Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #24 received at 338116-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 338116-close@bugs.debian.org
Subject: Bug#338116: fixed in asterisk 1:1.2.13~dfsg-1
Date: Tue, 24 Oct 2006 23:32:19 -0700
Source: asterisk
Source-Version: 1:1.2.13~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-bristuff_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-1_i386.deb
asterisk-classic_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-classic_1.2.13~dfsg-1_i386.deb
asterisk-config_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.2.13~dfsg-1_all.deb
asterisk-dev_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.2.13~dfsg-1_all.deb
asterisk-doc_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.2.13~dfsg-1_all.deb
asterisk-h323_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-h323_1.2.13~dfsg-1_i386.deb
asterisk-sounds-main_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-1_all.deb
asterisk-web-vmail_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-1_all.deb
asterisk_1.2.13~dfsg-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1.diff.gz
asterisk_1.2.13~dfsg-1.dsc
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1.dsc
asterisk_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1_all.deb
asterisk_1.2.13~dfsg.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 338116@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 25 Oct 2006 06:46:52 +0100
Source: asterisk
Binary: asterisk-h323 asterisk-web-vmail asterisk asterisk-classic asterisk-dev asterisk-doc asterisk-sounds-main asterisk-bristuff asterisk-config
Architecture: source all i386
Version: 1:1.2.13~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-bristuff - Open Source Private Branch Exchange (PBX) - BRIstuff-enabled vers
 asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium versi
 asterisk-config - config files for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-h323 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 338116 342138 348194 375141 386113 389376 394025 394122 395080
Changes: 
 asterisk (1:1.2.13~dfsg-1) unstable; urgency=high
 .
   [ Kilian Krause ]
   * Fixup dfsg versions with increased upstream build count.
 .
   [ Santiago Ruano Rincón ]
   * Added cdr_sqlite3_custom dpatch
 .
   [ Mark Purcell ]
   * New upstream release
     - Remote compromise (Closes: #394025)
     - CVE-2006-5444/5:security issues in asterisk (Closes: #395080)
     - Urgency high as this fixes remote compromise security issue
     - Information disclosure of voice mail messages through vmail.cgi
     (Closes: #338116)
     - package asterisk-dev should contain asterisk.h main header (Closes:
     #342138)
     - format_ogg_vorbis.so was present in i386, no longer in packages
     (Closes: #375141)
   * Update debian/patches/bristuff.dpatch
   * bristuff-0.3.0-PRE-1v
     - Please package bristuff 0.3.0PREu (Closes: #394122)
     - please include app_pickup.c from bristuff (Closes: #348194)
   * Build Depends: dpkg ( >= 1.13.19)
     - Asterisk must build-depend upon dpkg ( >= 1.13.19) (Closes: #386113)
   * Build-Depends: libpq-dev
     - obsolete build dependency postgresql-dev (Closes: #389376)
Files: 
 14426527db1c7abf12a02b745cae91b0 1395 comm optional asterisk_1.2.13~dfsg-1.dsc
 f8ee088b2e4feffe2b35d78079f90b69 3835589 comm optional asterisk_1.2.13~dfsg.orig.tar.gz
 a75d403e861600e0a50e5d3f5688985f 173367 comm optional asterisk_1.2.13~dfsg-1.diff.gz
 e9a80c1e404ac596ba7c31074e348e7b 145536 comm optional asterisk_1.2.13~dfsg-1_all.deb
 73d0100ba93d2f1193c9e227be83d8e5 19121500 doc optional asterisk-doc_1.2.13~dfsg-1_all.deb
 f25a5e8e52b262c07d3645024f6e1b14 168992 devel optional asterisk-dev_1.2.13~dfsg-1_all.deb
 189167a3c013dda5bb26b80c1518f313 1503672 comm optional asterisk-sounds-main_1.2.13~dfsg-1_all.deb
 0d31a0872756006e310c64e171f1e268 72796 comm optional asterisk-web-vmail_1.2.13~dfsg-1_all.deb
 ecae111f8aa9e43ee65e31dcac7e0e3b 130726 comm optional asterisk-config_1.2.13~dfsg-1_all.deb
 8da1c58282bcfccc944ab62f3f35321a 1614394 comm optional asterisk-classic_1.2.13~dfsg-1_i386.deb
 0e6df112a50fb2d859e713e2a1922c95 1647624 comm optional asterisk-bristuff_1.2.13~dfsg-1_i386.deb
 46e7f3bf3fbbfb248fc20ae839b7a854 129878 comm optional asterisk-h323_1.2.13~dfsg-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFPv4ToCzanz0IthIRAlenAJ9wJZlZlwJB7pGtrhrC916T9FZprACfYtx+
fpIysXNrCHdbPtaFLWqZfL8=
=y4D5
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 17:30:31 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:42:34 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.