CVE-2011-0495 Information

Description

Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, and 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.

Reference

http://downloads.asterisk.org/pub/security/AST-2011-001.html
http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053689.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053713.html
http://osvdb.org/70518
http://secunia.com/advisories/42935
http://secunia.com/advisories/43119
http://secunia.com/advisories/43373
http://www.debian.org/security/2011/dsa-2171
http://www.securityfocus.com/archive/1/515781/100/0/threaded
http://www.securityfocus.com/bid/45839
http://www.vupen.com/english/advisories/2011/0159
http://www.vupen.com/english/advisories/2011/0281
http://www.vupen.com/english/advisories/2011/0449
https://exchange.xforce.ibmcloud.com/vulnerabilities/64831