Asterisk Project Security Advisory - AST-2007-021
+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | Crash from invalid/corrupted MIME bodies when |
| | using voicemail with IMAP storage |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Crash |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+--------------------------------------------------
-|
| Severity | minor |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | August 23, 2007 |
|--------------------+--------------------------------------------------
-|
| Reported By | Kevin Stewart |
|--------------------+--------------------------------------------------
-|
| Posted On | August 24, 2007 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | August 24, 2007 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Mark Michelson <mmichelson (at) digium (dot) com [email concealed]> |
|--------------------+--------------------------------------------------
-|
| CVE Name |CVE-2007-4521 |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Description | If Asterisk is configured to use IMAP as its backend |
| | storage for voicemail, then an e-mail sent to a user |
| | with an invalid/corrupted MIME body will cause Asterisk |
| | to crash when the user listens to their voicemail using |
| | the phone. |
| | |
| | This does not affect any other voicemail storage option, |
| | nor does it affect users who check their voicemail via |
| | e-mail when using IMAP storage. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Resolution | Since this is a minor issue, a new release is not |
| | immediately planned. However, the issue will be fixed in |
| | Asterisk Open Source version 1.4.12 when it is released. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|--------------------------------+-------------+------------------------
-|
| Asterisk Open Source | 1.0.x | Not Affected |
|--------------------------------+-------------+------------------------
-|
| Asterisk Open Source | 1.2.x | Not Affected |
|--------------------------------+-------------+------------------------
-|
| Asterisk Open Source | 1.4.x | Versions 1.4.5 - 1.4.11 |
|--------------------------------+-------------+------------------------
-|
| Asterisk Business Edition | A.x.x | Not Affected |
|--------------------------------+-------------+------------------------
-|
| Asterisk Business Edition | B.x.x | Not Affected |
|--------------------------------+-------------+------------------------
-|
| AsteriskNOW | pre-release | Not Affected |
|--------------------------------+-------------+------------------------
-|
| Asterisk Appliance Developer | 0.x.x | Not Affected |
| Kit | | |
|--------------------------------+-------------+------------------------
-|
| s800i (Asterisk Appliance) | 1.0.x | Not Affectted |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
------------+
| Corrected In |
|-----------------------------------------------------------------------
------------|
|Product | Release |
|--------+--------------------------------------------------------------
------------|
|Asterisk| 1.4.12 (not released), patch can be found here: |
| Open |http://lists.digium.com/pipermail/asterisk-commits/2007-August/015743.h
tml|
| Source | |
|--------+--------------------------------------------------------------
------------|
|--------+--------------------------------------------------------------
------------|
+-----------------------------------------------------------------------
------------+
+-----------------------------------------------------------------------
-+
| Links | http://bugs.digium.com/view.php?id=10544 |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/asa/AST-2007-021.pdf and |
| http://downloads.digium.com/pub/asa/AST-2007-021.html. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|----------------------+---------------------+--------------------------
-|
| August 24, 2007 | Mark Michelson | Initial Release |
+-----------------------------------------------------------------------
-+
Asterisk Project Security Advisory - AST-2007-021
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.