Asterisk Project Security Advisory - AST-2007-021

Product

Asterisk

Summary

Crash from invalid/corrupted MIME bodies when using voicemail with IMAP storage

Nature of Advisory

Crash

Susceptibility

Remote Unauthenticated Sessions

Severity

minor

Exploits Known

No

Reported On

August 23, 2007

Reported By

Kevin Stewart

Posted On

August 24, 2007

Last Updated On

August 24, 2007

Advisory Contact

Mark Michelson <mmichelson@digium.com>

CVE Name

CVE-2007-4521



Description

If Asterisk is configured to use IMAP as its backend storage for voicemail, then an e-mail sent to a user with an invalid/corrupted MIME body will cause Asterisk to crash when the user listens to their voicemail using the phone.


This does not affect any other voicemail storage option, nor does it affect users who check their voicemail via e-mail when using IMAP storage.


Resolution

Since this is a minor issue, a new release is not immediately planned. However, the issue will be fixed in Asterisk Open Source version 1.4.12 when it is released.


Affected Versions

Product

Release Series


Asterisk Open Source

1.0.x

Not Affected

Asterisk Open Source

1.2.x

Not Affected

Asterisk Open Source

1.4.x

Versions 1.4.5 – 1.4.11

Asterisk Business Edition

A.x.x

Not Affected

Asterisk Business Edition

B.x.x

Not Affected

AsteriskNOW

pre-release

Not Affected

Asterisk Appliance Developer Kit

0.x.x

Not Affected

s800i (Asterisk Appliance)

1.0.x

Not Affectted


Corrected In

Product

Release

Asterisk Open Source

1.4.12 (not released), patch can be found here: http://lists.digium.com/pipermail/asterisk-commits/2007-August/015743.html







Links

http://bugs.digium.com/view.php?id=10544


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security.

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/asa/AST-2007-021.pdf and http://downloads.digium.com/pub/asa/AST-2007-021.html.


Revision History

Date

Editor

Revisions Made

August 24, 2007

Mark Michelson

Initial Release


Asterisk Project Security Advisory - AST-2007-021
Copyright © 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.