Bug 169616 - net-misc/asterisk: SIP DoS vulnerability (CVE-2007-1306)
Bug#: 169616 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: chainsaw@gentoo.org
Component: Vulnerabilities
URL:  http://asterisk.org/node/48319
Summary: net-misc/asterisk: SIP DoS vulnerability (CVE-2007-1306)
Keywords:  
Status Whiteboard: B3 [glsa] jaervosz
Opened: 2007-03-06 13:43 0000
Description:   Opened: 2007-03-06 13:43 0000 
"This release contains a number of bug fixes, including a fix for a recently
discovered security vulnerability. All Asterisk 1.2 users are urged to update
to this release as soon as possible."

Similar story for the asterisk 1.4 branch, please update to 1.4.1 there.

------- Comment #1 From Matthias Geerdsen 2007-03-06 14:17:22 0000 ------- 
stkn/voip-herd, please provide an updated ebuild

------- Comment #2 From Rajiv Aaron Manglani 2007-03-06 16:58:36 0000 ------- 
asterisk 1.0.12 is also vulnerable but not supported upstream. i will patch in
our cvs shortly.

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-03-06 22:58:10 0000 ------- 
*** Bug 169681 has been marked as a duplicate of this bug. ***

------- Comment #4 From Rajiv Aaron Manglani 2007-03-09 20:30:03 0000 ------- 
net-misc/asterisk-1.0.12-r1 with ported patch in cvs as ~x86 and ~ppc.

x86 team: please test and mark stable (or drop me an email and i will do it).

older 1.0.12 version is ~ppc also so nothing to be done there.

fyi, vulnerability notice:
http://labs.musecurity.com/advisories/MU-200703-01.txt

------- Comment #5 From Raphael Marichez 2007-03-09 21:14:29 0000 ------- 
Just as a reminder, 1.2.* needs to be fixed too

Secunia says 1.2.16 fixes that vulnerability

Secunia: http://secunia.com/advisories/24380/

------- Comment #6 From Raúl Porcel 2007-03-10 14:13:05 0000 ------- 
rajiv, please bump 1.2.* too, so we can stabilize both.

------- Comment #7 From Gustavo Zacarias (RETIRED) 2007-03-12 19:12:34 0000 ------- 
Rajiv just handles the 1.0 branch.
I can handle 1.2 but i'm waiting for a newer upstream
(http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't
1.2.16-friendly.
Otherwise we could just try to patch the offending code in asterisk and do a
revbump.

------- Comment #8 From Christian Faulhammer 2007-03-12 19:29:19 0000 ------- 
(In reply to comment #7)
> Rajiv just handles the 1.0 branch.
> I can handle 1.2 but i'm waiting for a newer upstream
> (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't
> 1.2.16-friendly.
> Otherwise we could just try to patch the offending code in asterisk and do a
> revbump.

 Maybe the best solution if you can't tell how long the newer patch may take to
be provided.

------- Comment #9 From Sune Kloppenborg Jeppesen 2007-03-12 20:34:55 0000 ------- 
Debian appears to have a BRIstuff PRE-1x patch for 1.2.16 if it's any help.
Otherwise just a simple patch similar to the one for 1.0 branch would be fine.

------- Comment #10 From Rajiv Aaron Manglani 2007-03-12 21:10:17 0000 ------- 
fyi the original patch for 1.2.x and 1.4.x is available at
http://svn.digium.com/view/asterisk?rev=57478&view=rev

------- Comment #11 From Gustavo Zacarias (RETIRED) 2007-03-13 18:41:15 0000 ------- 
Actually it's r57475 for asterisk-1.2 (r57478 is for 1.4).
Committed in asterisk-1.2.14-r1.
Will need =net-libs/libpri-1.2.4-r1 and =net-misc/zaptel-1.2.12-r1 stable with
this too to match BRIstuff.
sparc stable btw.

------- Comment #12 From Sune Kloppenborg Jeppesen 2007-03-13 19:40:59 0000 ------- 
Thanks Gustavo.

x86 please test and mark stable:
net-misc/asterisk-1.2.14-r1
net-libs/libpri-1.2.4-r1
net-misc/zaptel-1.2.12-r1

------- Comment #13 From Christian Faulhammer 2007-03-13 19:58:09 0000 ------- 
(In reply to comment #12)
> Thanks Gustavo.
> 
> x86 please test and mark stable:
> net-misc/asterisk-1.2.14-r1
> net-libs/libpri-1.2.4-r1
> net-misc/zaptel-1.2.12-r1

And 1.0.12-r1, too. Done.

------- Comment #14 From Raphael Marichez 2007-03-15 22:10:44 0000 ------- 
I vote yes for that VoIP platform for which disponibility is important.

------- Comment #15 From Sune Kloppenborg Jeppesen 2007-03-16 08:00:18 0000 ------- 
Let's have a GLSA on this one.

GLSA drafted and ready for review.

------- Comment #16 From Raphael Marichez 2007-03-17 06:51:34 0000 ------- 
GLSA 200703-14