Asterisk: IAX2 video frame buffer overflow Asterisk contains a bug in the IAX2 channel driver making it vulnerable to the remote execution of arbitrary code. asterisk 2006-06-14 2006-06-14 135680 remote 1.0.11_p1 1.0.11_p1

Asterisk is an open source implementation of a telephone private branch exchange (PBX).

Asterisk fails to properly check the length of truncated video frames in the IAX2 channel driver which results in a buffer overflow.

An attacker could exploit this vulnerability by sending a specially crafted IAX2 video stream resulting in the execution of arbitrary code with the permissions of the user running Asterisk.

Disable public IAX2 support.

All Asterisk users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.0.11_p1" CVE-2006-2898 Corelabs Asterisk PBX truncated video frame vulnerability advisory falco jaervosz jaervosz