OpenPKG Corporation → Security → Security Advisories

OpenPKG Security Advisory

OpenPKG-SA-2006.042

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2006.042
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2006.042
Advisory Published:      2008-10-06 23:04 UTC

Issue Id (internal):     OpenPKG-SI-20061226.01
Issue First Created:     2006-12-26
Issue Last Modified:     2007-04-13
Issue Revision:          13


Subject Name:            OpenSER
Subject Summary:         SIP router
Subject Home:            http://www.openser.org/
Subject Versions:        * <= 1.1.0

Vulnerability Id:        BID:21706
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           local system
Attack Impact:           denial of service, arbitrary code execution

Description:
    A buffer overflow was discovered [0] in the "parse_expression"
    function of the "permissions" module of the SIP router OpenSER [1],
    versions up to and including 1.1.0. The OpenSER "permissions" module
    is used to determine if a SIP call has appropriate permission to be
    established. The "parse_expression" function is used during parsing
    of the modules local allow/deny configuration files.
    
    The buffer overflow is triggered by parsing a configuration
    line expression consisting of more than 500 characters and
    potentially could lead to the execution of arbitrary code under
    the privileges of the OpenSER process. Successfully exploiting the
    vulnerability requires that the local attacker has write access
    to the configuration files used with the configuration functions
    "allow_routing", "allow_register" and "allow_refer_to".

References:
    [0] http://www.securityfocus.com/archive/1/455097
    [1] http://www.openser.org/


Primary Package Name:    openser
Primary Package Home:    http://openpkg.org/go/package/openser

Affected Distribution:   Affected Branch:  Affected Package:
OpenPKG Enterprise       E1.0-SOLID        openser-1.1.0-E1.0.0
OpenPKG Community        2-STABLE-20061018 openser-1.1.0-2.20061024
OpenPKG Community        2-STABLE          openser-1.1.0-2.20061018
OpenPKG Community        CURRENT           openser-1.1.0-20061205

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        openser-1.1.0-E1.0.1
OpenPKG Community        2-STABLE-20061018 pending
OpenPKG Community        2-STABLE          pending
OpenPKG Community        CURRENT           openser-1.2.0-20070413

→ Plain Text Version

Latest Advisories:
2007.023 perl
2007.022 bind
2007.021 wordpress
2007.020 php
2007.019 php
2007.018 freetype
2007.017 ratbox
2007.016 gd
2007.015 quagga
2007.014 bind
→ more...

Validation: XHTML | CSS

Organisations
Products
- OpenPKG Community
- Features
- Technology Pitch
- Package Database
- Registration
  - Registration Overview
  - Registry Service
- Download
  - Download Policy
  - Download Service
- Sales
  - Request
Services
Security
Documentation
- Flyer
- Presentation
- Showcase
- Article
- Thesis
- Tutorial
- Packaging
- F.A.Q
Community
My OpenPKG