Bug 171884 - net-misc/asterisk AEL possible security issue in switch blocks (CVE-2007-1595)
Bug#: 171884
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: http://bugs.digium.com/view.php?id=9316
Summary: net-misc/asterisk AEL possible security issue in switch blocks (CVE-2007-1595)
Keywords:
Status Whiteboard: B4 [noglsa] jaervosz
Opened: 2007-03-23 07:03 0000
Description:
From the bug report:
The AEL compiler generates extensions from the "case"s in
a switch{} block. A SIP user might guess one of the
sw-X-.. extensions and execute dialplan code which he
shouldn't be allowed to execute.

------- Comment #1 From Rajiv Aaron Manglani 2007-03-23 13:45:44 0000 -------
fyi this only affects asterisk 1.4.x which is not in portage (but in the voip
overlay).

there is a backport of AEL for asterisk 1.2.x but we do not include it in our
patch set.

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-03-25 06:26:25 0000 -------
Rajiv, do you mean that the fix is only for 1.4? AFAIR AEL has been in Asterisk
for some time, at least since 1.2.

------- Comment #3 From Rajiv Aaron Manglani 2007-03-28 02:46:09 0000 -------
(In reply to comment #2)
you are correct. I originally thought this bug was only in AEL2 but it is in
AEL. From
http://bugs.digium.com/view.php?id=9316

> I have not touched the original AEL compiler in 1.2; it was experimental, and as per
> previous statements, to resolve this bug, the user is encouraged to either
> use the AEL2 patches for 1.2, or to upgrade to 1.4 or trunk.

asterisk 1.2.x maintainers, please patch.

------- Comment #4 From Rajiv Aaron Manglani 2007-03-28 02:48:14 0000 -------
fyi, links to patches at http://www.securityfocus.com/bid/23155/solution

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-03-28 06:18:24 0000 -------
Bah, sorry for the bug spam.

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-04-04 06:47:59 0000 -------
VOIP please provide an updated ebuild.

------- Comment #7 From Gustavo Zacarias (RETIRED) 2007-04-19 20:29:54 0000 -------
Actually those patches are against a backported AEL2 for asterisk-1.2 which we
don't ship.
So I have to pull the backport, check that nothing breaks and only then patch
up security-wise...

------- Comment #8 From Sune Kloppenborg Jeppesen 2007-04-30 12:51:26 0000 -------
Gustavo, what about putting a note in the ebuild or disable compilation of AEL
perhaps?

------- Comment #9 From Sune Kloppenborg Jeppesen 2007-05-02 11:47:52 0000 -------
Gustavo did you decide on a course of action?

------- Comment #10 From Sune Kloppenborg Jeppesen 2007-05-20 07:23:46 0000 -------
Gustavo did you decide on a course of action?

------- Comment #11 From Sune Kloppenborg Jeppesen 2007-06-08 06:44:01 0000 -------
SUSE fixed this issue.

------- Comment #12 From Gustavo Zacarias (RETIRED) 2007-06-19 19:03:05 0000 -------
No they didn't, I've checked their SRPM (asterisk-1.2.13-23.src.rpm for
openSUSE 10.2) and there's no CVE-2007-1595 patch or any other patch that
touches pbx_ael.c.

------- Comment #13 From Sune Kloppenborg Jeppesen 2007-06-19 20:58:15 0000 -------
I haven't checked the source but according to their advisory the issue is
fixed.

http://www.novell.com/linux/security/advisories/2007_34_asterisk.html

------- Comment #14 From Gustavo Zacarias (RETIRED) 2007-06-19 21:00:02 0000 -------
That's what they say, but it's not fixed in 1.2.13-23 at least (which is the
quoted fixed version for 10.2 and the latest on their ftp too).

------- Comment #15 From Sune Kloppenborg Jeppesen 2007-06-23 17:45:33 0000 -------
Gustavo did you inform SUSE about it?

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-07-01 02:14:29 0000 -------
gustavoz ping on comment #15

------- Comment #17 From Gustavo Zacarias (RETIRED) 2007-07-02 12:15:38 0000 -------
No, I didn't notify them, I haven't the slightest clue of who/where to do so.

------- Comment #18 From Gustavo Zacarias (RETIRED) 2007-07-12 21:38:00 0000 -------
asterisk-1.2.21.1 is in, it disables pbx_ael violently (a user would have to
modify the ebuild to re-enable it), warning included in pkg_postinst.

Targets for stabilization are:
net-misc/zaptel-1.2.18
net-libs/libpri-1.2.5
net-misc/asterisk-1.2.21.1

------- Comment #19 From Pierre-Yves Rofes 2007-07-14 22:26:05 0000 -------
thanks Gustavo.
Arches, please test and mark stable:

net-misc/zaptel-1.2.18 (target "~amd64 ~ppc x86")
net-libs/libpri-1.2.5 (target "~amd64 ~ppc x86 sparc")
net-misc/asterisk-1.2.21.1 (target "~alpha ~amd64 ~hppa ~ppc sparc x86")

------- Comment #20 From Gustavo Zacarias (RETIRED) 2007-07-16 22:05:07 0000 -------
sparc stable.

------- Comment #21 From Christian Faulhammer 2007-07-17 19:56:38 0000 -------
x86 stable, we are last arch, changing status to glsa?

------- Comment #22 From Sune Kloppenborg Jeppesen 2007-07-17 20:04:29 0000 -------
Ready for GLSA vote. I tend to vote NO.

------- Comment #23 From Pierre-Yves Rofes 2007-07-17 20:50:27 0000 -------
voting NO as well.

------- Comment #24 From Matt Drew 2007-07-24 10:48:38 0000 -------
I also vote no.

------- Comment #25 From Pierre-Yves Rofes 2007-07-24 11:35:21 0000 -------
closing without glsa. Feel free to reopen if you disagree.