Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 387453 (CVE-2011-4063) - <net-misc/asterisk-1.8.7.1 Remote crash vulnerability in SIP channel driver (CVE-2011-4063)
Summary: <net-misc/asterisk-1.8.7.1 Remote crash vulnerability in SIP channel driver (...
Status: RESOLVED FIXED
Alias: CVE-2011-4063
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-17 19:43 UTC by Sean Amoss (RETIRED)
Modified: 2011-10-24 18:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-10-17 19:43:03 UTC
From advisory at $URL:

A remote authenticated user can cause a crash with a malformed request due to an unitialized variable.

Affected Versions:
Asterisk Open Source     1.8.x     All versions
Asterisk Open Source     10.x      All versions (currently in beta)

Corrected In
Asterisk Open Source     1.8.7.1, 10.0.0-rc1
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2011-10-18 10:00:38 UTC
+*asterisk-1.8.7.1 (18 Oct 2011)
+
+  18 Oct 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.7.0-r1.ebuild,
+  +asterisk-1.8.7.1.ebuild:
+  Update to fix remote crash vulnerability (caused by unitialised variable) in
+  SIP channel driver, remove vulnerable versions except last stable. Advisories
+  CVE-2011-4063 & AST-2011-012.

Arches, please test & mark stable. Compilation followed by repeated start/stop cycles on the default configuration file will suffice.
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-18 12:05:07 UTC
amd64 ok
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2011-10-18 14:32:01 UTC
ditto Ago
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2011-10-18 15:04:19 UTC
+  18 Oct 2011; Tony Vroon <chainsaw@gentoo.org> asterisk-1.8.7.1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #387453.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-21 16:53:22 UTC
x86 stable
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-10-21 16:58:53 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2011-10-21 17:03:12 UTC
+  21 Oct 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.6.0.ebuild:
+  Purge vulnerable ebuilds for security bug #387453 now that stabling has
+  completed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-10-22 04:38:39 UTC
CVE-2011-4063 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4063):
  chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before
  1.8.7.1 and 10.x before 10.0.0-rc1 does not properly initialize variables
  during request parsing, which allows remote authenticated users to cause a
  denial of service (daemon crash) via a malformed request.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-10-23 04:26:08 UTC
Let's just include this with the other Asterisk bugs. Moving to [glsa].
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-10-24 18:46:11 UTC
This issue was resolved and addressed in
 GLSA 201110-21 at http://security.gentoo.org/glsa/glsa-201110-21.xml
by GLSA coordinator Tim Sammut (underling).