Bug 135680 - net-misc/asterisk iax vulnerability in all asterisk versions (CVE-2006-2898)
Summary: net-misc/asterisk iax vulnerability in all asterisk versions (CVE-2006-2898)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.coresecurity.com/common/sh...
Whiteboard: B1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-05 13:53 UTC by Jon Hood (RETIRED)
Modified: 2019-12-22 11:57 UTC

See Also:
Package list:
Runtime testing required: ---
Description Jon Hood (RETIRED) gentoo-dev 2006-06-05 13:53:18 UTC
An iax vulnerability was discovered in all asterisk versions. Asterisk 1.2.9 will be released soon with the fixes. All versions of iax are affected. The details have not been posted yet and should be out tomorrow sometime; this is early notice so people can be ready to update and fix.

in #asterisk-dev:
(15:50:48) squinky86: kpfleming: what versions of asterisk does the iax vuln affect? I need to know what boxes to update or where to find details about the vulnerability.
(15:50:58) kpfleming: all of them
(15:51:11) kpfleming: the vulnerability details have not been posted yet, will go out tomorrow i suspect
Comment 1 Jasmin Buchert 2006-06-05 17:40:38 UTC
Asterisk 1.2.9/1.0.11 is available for download
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-06 01:11:38 UTC
voip please provide an updated ebuild.
Comment 3 Jon Hood (RETIRED) gentoo-dev 2006-06-06 05:56:07 UTC
I can't find the full report, but this will need a glsa. In asterisk 1.0.11, the only thing that changed is chan_iax2, and in 1.2.9, only chan_iax2 and app_queue were changed, so this should be a simple version bump. Information:
from the changelogs:
"A security vulnerability that could lead to denial of service attacks and Asterisk process crashes was fixed in this release."
"ensure that the received number of bytes is included in all IAX2 incoming frame analysis checks (fixes a known vulnerability)"

And from asterisk.org:
"The vulnerability affects all users with IAX2 clients that might be compromised or used by a malicious user, and can lead to denial of service attacks and random Asterisk server crashes via a relatively trivial exploit."
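The changelog line quoted above describes the class of fix: consult the number of bytes actually received before reading any header field of an incoming IAX2 frame. The following is an added illustration of that check, not Asterisk's chan_iax2 code; the 12-byte full-frame and 4-byte mini-frame header layout is assumed from the IAX2 wire format, and the sample datagrams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Header lengths assumed from the IAX2 wire format: a full frame carries a
 * 12-byte header, a mini frame a 4-byte header (call number + 16-bit timestamp). */
#define IAX2_FULL_HDR_LEN 12
#define IAX2_MINI_HDR_LEN 4

typedef struct {
    int full;            /* 1 = full frame (F bit set), 0 = mini frame */
    uint16_t scallno;    /* source call number, 15 bits */
    uint16_t dcallno;    /* destination call number (full frames only) */
    uint32_t timestamp;  /* 32-bit (full) or 16-bit (mini) timestamp */
    uint8_t frametype;   /* full frames only */
    uint8_t subclass;    /* full frames only */
    size_t payload_len;  /* bytes that follow the header */
} iax2_hdr;

/* Parse one received datagram. Returns 0 on success, -1 when the datagram is
 * shorter than the header it claims to carry. The received length `len` is
 * checked before every field read, so a truncated full frame is rejected
 * instead of being read past the end of the buffer. */
int iax2_parse_header(const uint8_t *buf, size_t len, iax2_hdr *out)
{
    if (buf == NULL || out == NULL || len < IAX2_MINI_HDR_LEN)
        return -1;
    out->full = (buf[0] & 0x80) != 0;
    out->scallno = (uint16_t)(((buf[0] & 0x7f) << 8) | buf[1]);
    if (!out->full) {
        out->dcallno = 0;
        out->timestamp = (uint32_t)((buf[2] << 8) | buf[3]);
        out->frametype = 0; out->subclass = 0;
        out->payload_len = len - IAX2_MINI_HDR_LEN;
        return 0;
    }
    if (len < IAX2_FULL_HDR_LEN)     /* F bit set but header fields missing */
        return -1;
    out->dcallno = (uint16_t)(((buf[2] & 0x7f) << 8) | buf[3]);
    out->timestamp = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                     ((uint32_t)buf[6] << 8) | buf[7];
    /* buf[8] (oseqno) and buf[9] (iseqno) are not needed for this check. */
    out->frametype = buf[10];
    out->subclass = buf[11];
    out->payload_len = len - IAX2_FULL_HDR_LEN;
    return 0;
}

/* Constructed sample datagrams: a full frame and a mini frame, each with 2 payload bytes. */
const uint8_t SAMPLE_FULL[14] = {0x80,0x01, 0x00,0x02, 0,0,0,0x10, 0,0, 6,1, 0xaa,0xbb};
const uint8_t SAMPLE_MINI[6]  = {0x00,0x03, 0x01,0x00, 0xcc,0xdd};
```

Passing a shortened `len` for the same buffer models a truncated datagram arriving from the network, which is the case the parser must reject.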
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-06 08:46:37 UTC
I rated it B1 (major) for now which will for sure result in a GLSA publication if I didn't misunderstand the impact drastically.
Comment 5 Jon Hood (RETIRED) gentoo-dev 2006-06-06 16:07:05 UTC
asterisk 1.2.9.1 and 1.0.11.1 were released.
"A bug in the vulnerability fix in the last release could cause Asterisk to improperly reject incoming video frames and result in deadlocks."
Comment 6 Stefan Knoblich (RETIRED) gentoo-dev 2006-06-07 11:18:42 UTC
Asterisk-1.2.9_p1 and 1.0.11_p1 have been added to the main tree.

I'm going to remove the affected 1.2.x ebuild(s) now. Older 1.2.x versions will still be available from the gentoo-voip overlay with the backported fix.


Please mark 1.0.11_p1 stable, i'll remove the affected 1.0.x ebuilds after that.

If you have the time, please mark the latest 1.0.x versions of libpri and zaptel stable too.


Btw. i haven't gotten a notification mail from bugzilla after the voip@ CC has been added, did something change there?
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 11:22:15 UTC
Thanks Stefan.

Arches please test and mark stable.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 00:14:27 UTC
Remote code execution seems to be confirmed.
Comment 9 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-06-11 08:39:18 UTC
we are going to need the following stabilized as well:

  zaptel-1.0.10 on x86 ppc amd64
  libpri-1.0.9-r2 on x86 ppc amd64 sparc

i can take care of these for x86.
Comment 10 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-06-12 06:01:39 UTC
zaptel-1.0.10-r1 stable on x86.
libpri-1.0.9-r2 stable on x86.
asterisk-1.0.11_p1 stable on x86.

1.2 branch still needs x86 attention from the x86 herd or stkn.
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-12 12:41:24 UTC
Someone did a revbumpstable that sent sparc into the stable domain directly *SMACK*
It works, but next time please DO check the keywords and don't assume things.
Comment 12 Jon Hood (RETIRED) gentoo-dev 2006-06-12 12:57:42 UTC
rajiv, why do those need to go stable on amd64? There is no vulnerability in those packages, no libpri or zaptel package was ever stable amd64, and asterisk is not stable on amd64 due to multilib problems (fixed in asterisk 1.4, not released yet though).
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-13 06:18:08 UTC
asterisk wasn't stable on ppc before and I don't have the necessary hardware to confirm if it's working as expected or not. Therefore I see no reason why ppc should stable asterisk _now_. Removing us from CC.
Comment 14 Jon Hood (RETIRED) gentoo-dev 2006-06-13 07:30:51 UTC
amd64 has no stable versions of the listed packages and cannot mark most stable due to nonstandard Makefiles. These have been fixed by the asterisk 1.4 build system (not back-portable at this time), so we will be eager to mark that version stable when the time comes.
Comment 15 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-06-13 11:33:13 UTC
(In reply to comment #9, comment #12, comment #13, comment #14)

sorry about that, i'm not sure what i was thinking. libpri and zaptel do _not_ need to be marked stable on amd64 or ppc. at this point all the 1.0.x ebuilds of asterisk, libpri, and zaptel are ready to go.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 10:48:15 UTC
Thx everyone.

GLSA 200606-15