From the Red Hat bugzilla:
CVE-2008-1289: Two buffer overflows exist in the RTP payload handling code of Asterisk. Both
overflows can be caused by an INVITE or any other SIP packet with SDP. The
request may need to be authenticated depending on configuration of the Asterisk
installation.
The first overflow is caused by sending a payload number that surpasses the
programmed maximum payload number of 256. This causes an invalid memory write
outside of the buffer. While this does not allow the attacker to write
arbitrary data it does allow the attacker to write a 0 to other memory
locations.
The second overflow is caused by sending more than 32 RTP payloads. This causes
a buffer on the stack to overflow allowing the attacker to write values between
0 and 256 (the maximum payload number) to memory locations after the buffer.
CVE-2008-1390: Due to the way that manager IDs are calculated, this 32-bit integer is likely
to have a much larger than average number of 1s, which greatly reduces the
number of guesses an attacker would have to make to successfully predict the
manager ID, which is used across multiple HTTP queries to hold manager state.
| 