CVE-2006-4346

NameCVE-2006-4346
DescriptionAsterisk 1.2.10 supports the use of client-controlled variables to determine filenames in the Record function, which allows remote attackers to (1) execute code via format string specifiers or (2) overwrite files via directory traversals involving unspecified vectors, as demonstrated by the CALLERIDNAME variable.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs385060

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)bullseye1:16.28.0~dfsg-0+deb11u4fixed
bullseye (security)1:16.28.0~dfsg-0+deb11u6fixed
sid1:22.3.0~dfsg+~cs6.15.60671435-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksource(unstable)1:1.2.11.dfsg-1medium385060
Search for package or bug name: Reporting problems