From http://seclists.org/fulldisclosure/2013/Aug/274 :

Asterisk Project Security Advisory - AST-2013-004

Product: Asterisk
Summary: Remote Crash From Late Arriving SIP ACK With SDP
Nature of Advisory: Remote Crash
Susceptibility: Remote Unauthenticated Sessions
Severity: Major
Exploits Known: None
Reported On: February 11, 2013
Reported By: Colin Cuthbertson
Posted On: August 27, 2013
Last Updated On: August 27, 2013
Advisory Contact: Joshua Colp <jcolp AT digium DOT com>
CVE Name: Pending

Description
A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present.

Resolution
A check has now been added which only parses SDP and applies it if an Asterisk channel is present.

Note that Walter Doekes, OSSO B.V., is responsible for diagnosing and providing the fix for this issue.

Affected Versions
Product                Release Series
Asterisk Open Source   1.8.x     1.8.17.0 and above
Asterisk Open Source   11.x      All versions
Certified Asterisk     1.8.15    All versions
Certified Asterisk     11.2      All versions

Corrected In
Product                Release
Asterisk Open Source   1.8.23.1, 11.5.1
Certified Asterisk     1.8.15-cert3, 11.2-cert2

Patches
SVN URL                                                                   Revision
http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.diff          Asterisk 1.8
http://downloads.asterisk.org/pub/security/AST-2013-004-11.diff           Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.15-cert.diff  Certified Asterisk 1.8.15
http://downloads.asterisk.org/pub/security/AST-2013-004-11.2-cert.diff    Certified Asterisk 11.1

Links
https://issues.asterisk.org/jira/browse/ASTERISK-21064

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2013-004.pdf and http://downloads.digium.com/pub/security/AST-2013-004.html

Revision History
Date        Editor       Revisions Made
2013-08-22  Joshua Colp  Initial revision.

Asterisk Project Security Advisory - AST-2013-004
Copyright (c) 2013 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
From http://seclists.org/fulldisclosure/2013/Aug/275 :

Asterisk Project Security Advisory - AST-2013-005

Product: Asterisk
Summary: Remote Crash when Invalid SDP is sent in SIP Request
Nature of Advisory: Remote Crash
Susceptibility: Remote Unauthenticated Sessions
Severity: Major
Exploits Known: None
Reported On: July 03, 2013
Reported By: Walter Doekes, OSSO B.V.
Posted On: August 27, 2013
Last Updated On: August 27, 2013
Advisory Contact: Matthew Jordan <mjordan AT digium DOT com>
CVE Name: Pending

Description
A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set.

Resolution
This patch adds checks when handling the various media descriptions that ensure the media descriptions are handled only if we have connection information suitable for that media.

Thanks to Walter Doekes of OSSO B.V. for finding, reporting, testing, and providing the fix for this problem.

Affected Versions
Product                     Release Series
Asterisk Open Source        1.8.x               All Versions
Asterisk Open Source        10.x                All Versions
Asterisk Open Source        11.x                All Versions
Certified Asterisk          1.8.15              All Versions
Certified Asterisk          11.2                All Versions
Asterisk with Digiumphones  10.x-digiumphones   All Versions

Corrected In
Product                     Release
Asterisk Open Source        1.8.23.1, 10.12.3, 11.5.1
Certified Asterisk          1.8.15-cert3, 11.2-cert2
Asterisk with Digiumphones  10.12.3-digiumphones

Patches
SVN URL                                                                       Revision
http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.diff              Asterisk 1.8
http://downloads.asterisk.org/pub/security/AST-2013-005-10.diff               Asterisk 10
http://downloads.asterisk.org/pub/security/AST-2013-005-10-digiumphones.diff  Asterisk 10-digiumphones
http://downloads.asterisk.org/pub/security/AST-2013-005-11.diff               Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.15.diff           Certified Asterisk 1.8.15
http://downloads.asterisk.org/pub/security/AST-2013-005-11.2.diff             Certified Asterisk 11.2

Links
https://issues.asterisk.org/jira/browse/ASTERISK-22007

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2013-005.pdf and http://downloads.digium.com/pub/security/AST-2013-005.html

Revision History
Date        Editor       Revisions Made
2013-08-27  Matt Jordan  Initial Revision

Asterisk Project Security Advisory - AST-2013-005
Copyright (c) 2013 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
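The ordering rule behind both advisories, as an added example rather than Asterisk's own chan_sip.c code: with no channel left (AST-2013-004) the SDP is not parsed at all, and a media description is applied only once connection information exists for it, whether a session-level c= before the first m= or a media-level c= inside that section (AST-2013-005). The function name, status codes and SDP bodies are this example's own constructions.

```c
/* Added example, not Asterisk project code: a minimal SDP check modelling
 * the AST-2013-004 and AST-2013-005 fixes. Names and return codes are this
 * example's own. Lines end in "\n" or "\r\n"; a trailing "\r" is ignored. */
#include <string.h>

#define MAX_MEDIA 8
/* Negative status codes; a non-negative result is the number of media
 * sections that may safely be applied. */
enum sdp_status {
    SDP_NO_CHANNEL = -1,      /* AST-2013-004: channel gone, do not parse SDP */
    SDP_MEDIA_NO_CONN = -2,   /* AST-2013-005: m= without session or media c= */
    SDP_TOO_MANY_MEDIA = -3
};

/* Pass 1 records the session-level c= and, for each m= section, whether a
 * media-level c= follows it. Pass 2 accepts a section only when one of the
 * two exists, instead of using an address that was never set. */
static int process_sdp(const char *sdp, int have_channel)
{
    int session_conn = 0, nmedia = 0, i;
    int media_conn[MAX_MEDIA] = {0};
    const char *p = sdp;

    if (!have_channel)
        return SDP_NO_CHANNEL;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= 2 && p[1] == '=') {
            if (p[0] == 'm') {
                if (nmedia == MAX_MEDIA)
                    return SDP_TOO_MANY_MEDIA;
                nmedia++;                          /* a new media section starts */
            } else if (p[0] == 'c' && nmedia == 0) {
                session_conn = 1;                  /* c= before any m= is session level */
            } else if (p[0] == 'c') {
                media_conn[nmedia - 1] = 1;        /* c= inside the current m= section */
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    for (i = 0; i < nmedia; i++)
        if (!session_conn && !media_conn[i])
            return SDP_MEDIA_NO_CONN;              /* the path that crashed unchecked */
    return nmedia;
}
```

An SDP whose only c= comes after a second m= line is rejected as a whole, because the first media section still has no address to apply.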
+*asterisk-11.5.1 (28 Aug 2013)
+*asterisk-1.8.23.1 (28 Aug 2013)
+
+ 28 Aug 2013; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.22.0.ebuild,
+ -asterisk-1.8.23.0.ebuild, +asterisk-1.8.23.1.ebuild,
+ -asterisk-11.4.0.ebuild, -asterisk-11.5.0.ebuild, +asterisk-11.5.1.ebuild,
+ +files/1.8.0/asterisk.initd7:
+ Security upgrades for AST-2013-004 & AST-2013-005 on both branches.
+ Behavioral improvements for G729 VAD, closes bug #480928. Add missed
+ ownership checks to init script, closes bug #482688. Both by Jaco Kroon.
+ Removed all insecure non-stable ebuilds.

Arches, please test & mark stable:
=net-misc/asterisk-1.8.23.1
=net-misc/asterisk-11.5.1

A compile test, followed by three stop/start cycles on the default configuration files will suffice.
amd64 stable
x86 stable
@security: please vote.
GLSA vote: yes
Added to existing GLSA draft
CVE-2013-5642 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5642): The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x before 1.8.23.1, 10.x before 10.12.3, and 11.x before 11.5.1; Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.3-digiumphones allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an invalid SDP that defines a media description before the connection description in a SIP request.

CVE-2013-5641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5641): The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.17.x through 1.8.22.x, 1.8.23.x before 1.8.23.1, and 11.x before 11.5.1 and Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an ACK with SDP to a previously terminated channel. NOTE: some of these details are obtained from third party information.
This issue was resolved and addressed in GLSA 201401-15 at http://security.gentoo.org/glsa/glsa-201401-15.xml by GLSA coordinator Sergey Popov (pinkbyte).