Asterisk contains a bug in the IAX2 channel driver making it vulnerable to the remote execution of arbitrary code.
|Package||net-misc/asterisk on all architectures|
|Affected versions||< 1.0.11_p1|
|Unaffected versions||>= 1.0.11_p1|
Asterisk is an open source implementation of a telephone private branch exchange (PBX).
Asterisk fails to properly check the length of truncated video frames in the IAX2 channel driver which results in a buffer overflow.
An attacker could exploit this vulnerability by sending a specially crafted IAX2 video stream resulting in the execution of arbitrary code with the permissions of the user running Asterisk.
Disable public IAX2 support.
All Asterisk users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.0.11_p1"
June 14, 2006
June 14, 2006: 01