Has Asterisk ever been audited for common security holes, such as buffer overruns? A quick grep through the source for routines that should never be used, like strcpy, strcat, etc., reveals a lot of it. I fear I fear. Has anyone flung pathology at IAX2 to see if it stands up to malformed packets? (This is always an issue when you have a protocol that only a small number of programs use ...) I hope I'm wrong, but I have a very queasy feeling ... [We already know that H.323 is not being looked after, security-wise ...]
If you ever get an answer to this please let me know off-line, johnv@comcast.net I have a security expert friend using Asterisk who is interested in running a whole set of such tests on it. My theory is it is security swiss cheese. Thanks, John V. -----Original Message----- From: asterisk-users-admin@lists.digium.com [mailto:asterisk-users-admin@lists.digium.com] On Behalf Of Jim Rosenberg Sent: Tuesday, March 30, 2004 2:53 PM To: asterisk-users@lists.digium.com Subject: [Asterisk-Users] Asterisk Security Audit? Has Asterisk ever been audited for common security holes, such as buffer overruns? A quick grep through the source for routines that should never be used, like strcpy, strcat, etc., reveals a lot of it. I fear I fear. Has anyone flung pathology at IAX2 to see if it stands up to malformed packets? (This is always an issue when you have a protocol that only a small number of programs use ...) I hope I'm wrong, but I have a very queasy feeling ... [We already know that H.323 is not being looked after, security-wise ...] _______________________________________________ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
On Tue, 2004-03-30 at 16:53, Jim Rosenberg wrote:> Has Asterisk ever been audited for common security holes, such as buffer > overruns? > > A quick grep through the source for routines that should never be used, > like strcpy, strcat, etc., reveals a lot of it. I fear I fear.These functions aren't as bad as you make out. They are only dangerous when used with unchecked buffers that where accepted from outside sources. There are quite a few instances of strcpy and strcat that are using string constants and therefore are safe. Don't take that as an argument against checking other possible security concerns. Just as a reminder that the mere existence of certain functions doesn't mean it is unsafe. Also this discussion is probably better dealt with on the -dev list where the noise level is better suited for the developers you need to target to actually see this message. -- Steven Critchfield <critch@basesys.com>