UBUNTU-CVE-2017-16671

A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. NOTE: this is different from CVE-2017-7617, which was only about the Party A buffer.

References

Affected packages

Ubuntu:Pro:16.04:LTS / asterisk

Package

Name: asterisk
Purl: pkg:deb/ubuntu/asterisk@1:13.1.0~dfsg-1.1ubuntu4.1+esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:13.1.0~dfsg-1.1ubuntu4.1+esm1

Affected versions

1:13.*

1:13.1.0~dfsg-1.1ubuntu3

1:13.1.0~dfsg-1.1ubuntu4

1:13.1.0~dfsg-1.1ubuntu4.1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "asterisk",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-config",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-dahdi",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-dev",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-mobile",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-modules",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-mp3",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-mysql",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-ooh323",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-voicemail",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-voicemail-imapstorage",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-voicemail-odbcstorage",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        },
        {
            "binary_name": "asterisk-vpb",
            "binary_version": "1:13.1.0~dfsg-1.1ubuntu4.1+esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-16671.json"