Asterisk Project Security Advisory - AST-2007-021
+-----------------------------------------------------------------------+
| Product            | Asterisk                                         |
|--------------------+--------------------------------------------------|
| Summary            | Crash from invalid/corrupted MIME bodies when    |
|                    | using voicemail with IMAP storage                |
|--------------------+--------------------------------------------------|
| Nature of Advisory | Crash                                            |
|--------------------+--------------------------------------------------|
| Susceptibility     | Remote Unauthenticated Sessions                  |
|--------------------+--------------------------------------------------|
| Severity           | minor                                            |
|--------------------+--------------------------------------------------|
| Exploits Known     | No                                               |
|--------------------+--------------------------------------------------|
| Reported On        | August 23, 2007                                  |
|--------------------+--------------------------------------------------|
| Reported By        | Kevin Stewart                                    |
|--------------------+--------------------------------------------------|
| Posted On          | August 24, 2007                                  |
|--------------------+--------------------------------------------------|
| Last Updated On    | August 24, 2007                                  |
|--------------------+--------------------------------------------------|
| Advisory Contact   | Mark Michelson <[email protected]>               |
|--------------------+--------------------------------------------------|
| CVE Name           | CVE-2007-4521                                    |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Description | If Asterisk is configured to use IMAP as its backend     |
|             | storage for voicemail, then an e-mail sent to a user     |
|             | with an invalid/corrupted MIME body will cause Asterisk  |
|             | to crash when the user listens to their voicemail using  |
|             | the phone.                                               |
|             |                                                          |
|             | This does not affect any other voicemail storage option,|
|             | nor does it affect users who check their voicemail via   |
|             | e-mail when using IMAP storage.                          |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Resolution  | Since this is a minor issue, a new release is not        |
|             | immediately planned. However, the issue will be fixed in|
|             | Asterisk Open Source version 1.4.12 when it is released.|
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
|                           Affected Versions                           |
|-----------------------------------------------------------------------|
| Product                        |             |                        |
|--------------------------------+-------------+------------------------|
| Asterisk Open Source           |             |                        |
|--------------------------------+-------------+------------------------|
| Asterisk Open Source           |             |                        |
|--------------------------------+-------------+------------------------|
| Asterisk Open Source           |             |                        |
|--------------------------------+-------------+------------------------|
| Asterisk Business Edition      |             |                        |
|--------------------------------+-------------+------------------------|
| Asterisk Business Edition      |             |                        |
|--------------------------------+-------------+------------------------|
| AsteriskNOW                    |             |                        |
|--------------------------------+-------------+------------------------|
| Asterisk Appliance Developer   |             |                        |
| Kit                            |             |                        |
|--------------------------------+-------------+------------------------|
| s800i (Asterisk Appliance)     |             |                        |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
|                             Corrected In                              |
|-----------------------------------------------------------------------|
| Product              |                                                |
|----------------------+------------------------------------------------|
| Asterisk Open Source |                                                |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Links       | http://bugs.digium.com/view.php?id=10544                 |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                    |
| http://www.asterisk.org/security.                                     |
|                                                                       |
| This document may be superseded by later versions; if so, the latest  |
| version will be posted at                                             |
| http://downloads.digium.com/pub/asa/AST-2007-021.pdf and              |
| http://downloads.digium.com/pub/asa/AST-2007-021.html.                |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
|                           Revision History                            |
|-----------------------------------------------------------------------|
| Date                 |                    |                           |
|----------------------+--------------------+---------------------------|
| August 24, 2007      |                    |                           |
+-----------------------------------------------------------------------+
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.