Bug 494630 (CVE-2013-7100) - <net-misc/asterisk-{1.8.25.0,11.7.0} : Security Bypass and Memory Corruption Vulnerabilities (CVE-2013-7100)
Summary: <net-misc/asterisk-{1.8.25.0,11.7.0} : Security Bypass and Memory Corruption ...
Status: RESOLVED FIXED
Alias: CVE-2013-7100
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/55907/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-18 10:09 UTC by Agostino Sarubbo
Modified: 2014-01-21 04:41 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-12-18 10:09:06 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in Asterisk, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service).

1) An error when processing a 16-bit SMS message can be exploited to corrupt memory via a specially crafted message length value.

2) The application allows external control protocols to get and set channel variables, which can be exploited to execute dialplan functions.

The vulnerabilities are reported in versions 1.8.x, 10.x, and 11.x.


Solution:
Update to a fixed version. Please see the vendor's advisories for more details.

Provided and/or discovered by:
The vendor credits:
1) Jan Juergens
2) Matt Jordan

Original Advisory:
http://downloads.asterisk.org/pub/security/AST-2013-006.html
http://downloads.asterisk.org/pub/security/AST-2013-007.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2013-12-18 11:53:36 UTC
+*asterisk-11.7.0 (18 Dec 2013)
+*asterisk-1.8.25.0 (18 Dec 2013)
+
+  18 Dec 2013; Tony Vroon <chainsaw@gentoo.org> +asterisk-1.8.25.0.ebuild,
+  +asterisk-11.7.0.ebuild:
+  Upgrades on both branches for memory corruption (AST-2013-006) & security
+  bypass (AST-2013-007) vulnerabilities, as per Agostino Sarubbo in security
+  bug #494630. Squelch unnecessary chatter from build system, as per Patryk
+  Rzadzinski in bug #489862.

Arches, please test & mark stable:
=net-misc/asterisk-1.8.25.0
=net-misc/asterisk-11.7.0

Due to the need for specialty hardware and/or paid accounts, three stop-start cycles on the default (USE=samples) configuration files will suffice.

Could the last arch to stabilise please remove all previous Asterisk ebuilds from the tree. Security team, please check that this has been done.
Comment 2 Agostino Sarubbo gentoo-dev 2013-12-23 11:34:59 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-23 11:36:01 UTC
x86 stable. Maintainer(s), please cleanup
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2013-12-23 12:27:37 UTC
+  23 Dec 2013; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.23.1.ebuild,
+  -asterisk-1.8.24.0.ebuild, -asterisk-11.5.1.ebuild, -asterisk-11.6.0.ebuild,
+  -asterisk-11.6.0-r1.ebuild:
+  Remove all vulnerable ebuilds for AST-2013-006 & AST-2013-007; for security
+  bug #494630.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2013-12-26 18:59:29 UTC
Maintainer(s), Thank you for your work!

Added to existing GLSA
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 00:09:48 UTC
CVE-2013-7100 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7100):
  Buffer overflow in the unpacksms16 function in apps/app_sms.c in Asterisk
  Open Source 1.8.x before 1.8.24.1, 10.x before 10.12.4, and 11.x before
  11.6.1; Asterisk with Digiumphones 10.x-digiumphones before
  10.12.4-digiumphones; and Certified Asterisk 1.8.x before 1.8.15-cert4 and
  11.x before 11.2-cert3 allows remote attackers to cause a denial of service
  (daemon crash) via a 16-bit SMS message.
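The 16-bit SMS decoder bug described in item 1 of the Secunia summary above and in the CVE text is a trusted-length copy: the message carries its own length and the decoder copies that many units into a fixed buffer. The following C program is an illustrative model added for this page; it is not Asterisk's apps/app_sms.c, and the PDU layout it assumes (one length byte counting 16-bit units, followed by big-endian units, decoded into a 160-unit buffer) is an assumption made for the demonstration, as are all function names. The vulnerable decoder is shown beside a hardened one that bounds the claimed length against both the output buffer and the bytes actually present; the demo drivers run the vulnerable version only on honest input, since running it on the crafted message would corrupt the stack.

```c
/* Illustrative model of the CVE-2013-7100 bug class (added example, not
 * Asterisk code).  PDU layout assumed here: byte 0 = number of 16-bit
 * units, then that many big-endian 16-bit units. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMS_MAX_UNITS 160          /* fixed decode buffer, in 16-bit units */

struct sms_ud {
    uint16_t ud[SMS_MAX_UNITS];    /* decoded UCS-2 units */
    size_t   udl;                  /* number of valid units in ud */
};

/* Vulnerable decoder: trusts the length byte.  A claimed length above
 * SMS_MAX_UNITS writes past ud[], and a short PDU is read past its end. */
int unpacksms16_vuln(const uint8_t *in, size_t inlen, struct sms_ud *out)
{
    if (inlen < 1)
        return -1;
    size_t udl = in[0];                       /* attacker-controlled */
    const uint8_t *p = in + 1;
    for (size_t i = 0; i < udl; i++)          /* no bound on udl */
        out->ud[i] = (uint16_t)((p[2 * i] << 8) | p[2 * i + 1]);
    out->udl = udl;
    return 0;
}

/* Hardened decoder: the claimed length must fit the output buffer (write
 * bound) and the bytes that actually follow the length byte (read bound). */
int unpacksms16_safe(const uint8_t *in, size_t inlen, struct sms_ud *out)
{
    if (inlen < 1)
        return -1;
    size_t udl = in[0];
    if (udl > SMS_MAX_UNITS)                  /* would overflow out->ud */
        return -1;
    if ((inlen - 1) / 2 < udl)                /* would read past the PDU */
        return -1;
    const uint8_t *p = in + 1;
    for (size_t i = 0; i < udl; i++)
        out->ud[i] = (uint16_t)((p[2 * i] << 8) | p[2 * i + 1]);
    out->udl = udl;
    return 0;
}

/* Builds a constructed PDU: 'claimed' goes in the length byte regardless of
 * how many units really follow, so crafted messages can be assembled. */
size_t build_pdu(uint8_t *buf, size_t cap, uint8_t claimed,
                 const uint16_t *units, size_t nunits)
{
    if (cap < 1 + 2 * nunits)
        return 0;
    buf[0] = claimed;
    for (size_t i = 0; i < nunits; i++) {
        buf[1 + 2 * i] = (uint8_t)(units[i] >> 8);
        buf[2 + 2 * i] = (uint8_t)(units[i] & 0xff);
    }
    return 1 + 2 * nunits;
}

/* Honest message "Hi!" in UCS-2: both decoders agree; returns unit count. */
int demo_valid_units(void)
{
    struct sms_ud out;
    uint8_t pdu[64];
    const uint16_t hi[] = { 0x0048, 0x0069, 0x0021 };   /* constructed input */
    size_t n = build_pdu(pdu, sizeof pdu, 3, hi, 3);
    if (unpacksms16_safe(pdu, n, &out) != 0 || out.ud[0] != 0x0048)
        return -1;
    if (unpacksms16_vuln(pdu, n, &out) != 0 || out.ud[2] != 0x0021)
        return -1;
    return (int)out.udl;
}

/* Length byte claims 100 units but only 3 follow: read bound must reject. */
int demo_short_body(void)
{
    struct sms_ud out;
    uint8_t pdu[64];
    const uint16_t hi[] = { 0x0048, 0x0069, 0x0021 };
    size_t n = build_pdu(pdu, sizeof pdu, 100, hi, 3);
    return unpacksms16_safe(pdu, n, &out);
}

/* 200 units claimed and 200 present: fits the PDU but not the 160-unit
 * buffer, so the write bound must reject it. */
int demo_oversize_body(void)
{
    struct sms_ud out;
    uint8_t pdu[512];
    uint16_t units[200];
    for (size_t i = 0; i < 200; i++)
        units[i] = 0x0041;
    size_t n = build_pdu(pdu, sizeof pdu, 200, units, 200);
    return unpacksms16_safe(pdu, n, &out);
}

int main(void)
{
    printf("honest PDU decodes to %d units\n", demo_valid_units());
    printf("short body: safe rc=%d\n", demo_short_body());
    printf("oversize body: safe rc=%d\n", demo_oversize_body());
    return 0;
}
```

The two checks in `unpacksms16_safe` are independent and both are needed: the first stops the write past the fixed buffer (the memory corruption the advisory describes), the second stops an over-read when the PDU is shorter than its length byte claims. Checking only one of them leaves the other failure mode open.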
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 04:41:03 UTC
This issue was resolved and addressed in
 GLSA 201401-15 at http://security.gentoo.org/glsa/glsa-201401-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).