Multiple Vulnerabilities in Asterisk 1.2.10 [MU-200608-01]
August 23, 2006
http://labs.musecurity.com/advisories.html

Affected Product/Versions:
Asterisk 1.0.0 through 1.2.10

Product Overview:
http://www.asterisk.org/features
"Asterisk-based telephony solutions offer a rich and flexible feature set. Asterisk offers both classical PBX functionality and advanced features, and interoperates with traditional standards-based telephony systems and Voice over IP systems. Asterisk offers the features one would expect of a large proprietary PBX system such as Voicemail, Conference Bridging, Call Queuing, and Call Detail Records."

Vulnerability Details:
A remote stack buffer overflow in Asterisk's MGCP implementation could allow arbitrary code execution. The vulnerable code is triggered by a malformed AUEP (audit endpoint) response message.

A second issue exists in the handling of file names passed to the Record() application, which could lead to arbitrary code execution via a format string attack, or to an arbitrary file overwrite via directory traversal. The impact of this second issue is limited, however, because it requires an administrator to have used a client-controlled variable as part of the filename.

Solution:
A patch for the buffer overflow is available from the following link:
http://ftp.digium.com/pub/asterisk/asterisk-1.2.11-patch.gz

To protect against the Record() vulnerability, do not use user-controlled variables (e.g. ${CALLERIDNAME}) as part of the filename argument.

Mu Security would like to thank the Asterisk security team for their timely response to these issues.

History:
08/10/06 - First contact with vendor
08/16/06 - Vendor acknowledges vulnerability
08/23/06 - Advisory released

Credit:
These vulnerabilities were discovered by the Mu Security research team.
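The advisory's mitigation for the Record() issue is "do not put a client-controlled variable in the filename". Where that is unavoidable, the value has to be refused or constrained before it reaches the path. The following is an added example (not Asterisk's own code and not part of the advisory) showing a whitelist check for a caller-ID-derived recording name that rejects both attack classes named above: '%' sequences that would matter if the string ever reached a printf-style formatter, and '/' or '..' segments that walk out of the recording directory. The directory /var/spool/asterisk/rec, the function names and the sample caller ID names are constructed for this example.

```python
"""
Added example (not Asterisk code): guarding a Record()-style filename that is
built from a client-controlled value such as the caller ID name.

The approach is a strict whitelist plus a containment check on the resolved
path, rather than trying to strip bad characters out of a hostile string.
"""
import os
import re

# Whitelist of what a recording basename may look like. Anything else is
# refused outright; no attempt is made to "clean" a surprising name.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_safe_record_name(name: str) -> bool:
    """True only for names with no path or format-string metacharacters."""
    return bool(_SAFE_NAME.match(name))


def classify(name: str) -> str:
    """Label why a name would be refused; handy when logging rejected caller IDs."""
    if "%" in name:
        return "format-string"
    if "/" in name or "\\" in name:
        return "traversal"
    if not is_safe_record_name(name):
        return "disallowed-characters"
    return "ok"


def record_path(base_dir: str, name: str, ext: str = "wav") -> str:
    """
    Build the recording path for `name` under `base_dir` (a constructed
    directory for this example). Raises ValueError if the name fails the
    whitelist or the resolved path escapes base_dir.
    """
    if not is_safe_record_name(name):
        raise ValueError("unsafe recording name (%s): %r" % (classify(name), name))
    base = os.path.abspath(base_dir)
    path = os.path.abspath(os.path.join(base, "%s.%s" % (name, ext)))
    # Belt and braces: the whitelist already excludes '/', '..' and '%', but a
    # containment check keeps a future relaxation of the regex from silently
    # reintroducing traversal.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes recording directory: %r" % path)
    return path


if __name__ == "__main__":
    # Constructed caller ID names: one benign, two modelled on the two attack
    # classes in the advisory, one merely unusual.
    samples = ["alice_42", "../../../etc/passwd", "%n%n%n%n", "Bob Smith"]
    for s in samples:
        try:
            print("%-24r -> %s" % (s, record_path("/var/spool/asterisk/rec", s)))
        except ValueError as e:
            print("%-24r -> refused: %s" % (s, e))
```

In the dialplan itself the simpler fix is the one the advisory gives: key the recording on a server-generated value such as ${UNIQUEID} and keep the caller ID in CDR fields, so that no client-supplied string ever becomes part of a path.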
http://labs.musecurity.com/pgpkkey.txt

Mu Security offers a new class of security analysis system, delivering a rigorous and streamlined methodology for verifying the robustness and security readiness of any IP-based product or application. Founded by the pioneers of intrusion detection and prevention technology, Mu Security is backed by preeminent venture capital firms that include Accel Partners, Benchmark Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For more information, visit the company's website at http://www.musecurity.com.
I have updated the ebuilds and patches for zaptel-1.2.8 and asterisk-1.2.11. However, since I am not a maintainer of these packages, I just have them local (and tested on x86 and amd64). I tried to contact stkn and rajiv today. If security would like me to bump these for the security fixes over asterisk-1.2.9, let me know. I can then commit them to cvs. Jay
As this also fixes bug #141551 I think you should go ahead.
I maintain only asterisk 1.0.x and have not heard from stkn. I suggest you bump the ebuild if you can install and test it. Thanks.
Hi Jay,

I would like to test your ebuilds, too. Can you send or attach your ebuilds to this bug?

(In reply to comment #1)
> I have updated the ebuilds and patches for zaptel-1.2.8 and asterisk-1.2.11.
> However, since I am not a maintainer of these packages, I just have them local
> (and tested on x86 and amd64). I tried to contact stkn and rajiv today. If
> security would like me to bump these for the security fixes over
> asterisk-1.2.9, let me know. I can then commit them to cvs.
>
> Jay
>
I uploaded the ebuild to my dev space. See http://dev.gentoo.org/~pfeifer/asterisk/ Just grab the 2 tbz2s or you can get the ebuilds under the net-misc dir (as well as the zaptel patch) Jay
Jay/Rajiv could you commit the updated ebuilds so we can call arch teams?
Hi Jay,

your Zaptel ebuild is missing zaptel-1.2.0-ukcid.patch. I moved it over from the official zaptel ebuild and it compiled without errors.

Your asterisk ebuild can't get asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz:

emerge -v asterisk
Calculating dependencies... done!
>>> Emerging (1 of 1) net-misc/asterisk-1.2.11 to /
>>> Downloading http://distfiles.gentoo.org/distfiles/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz
--06:21:07-- http://distfiles.gentoo.org/distfiles/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz
=> `/usr/portage/distfiles/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz'
Resolving proxy... 172.16.172.2
Connecting to proxy|172.16.172.2|:8080... connected.
Proxy request sent, awaiting response... 404 Not Found
06:21:07 ERROR 404: Not Found.
>>> Downloading http://distro.ibiblio.org/pub/linux/distributions/gentoo/distfiles/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz
--06:21:07-- http://distro.ibiblio.org/pub/linux/distributions/gentoo/distfiles/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz
=> `/usr/portage/distfiles/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz'
Resolving proxy... 172.16.172.2
Connecting to proxy|172.16.172.2|:8080... connected.
Proxy request sent, awaiting response... 404 Not Found
06:21:07 ERROR 404: Not Found.
>>> Downloading http://www.netdomination.org/pub/asterisk/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz
--06:21:07-- http://www.netdomination.org/pub/asterisk/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz
=> `/usr/portage/distfiles/asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz'
Resolving proxy... 172.16.172.2
Connecting to proxy|172.16.172.2|:8080... connected.
Proxy request sent, awaiting response... 404 Not Found
06:21:07 ERROR 404: Not Found.
!!! Couldn't download asterisk-1.2.11-bristuff-0.3.0-PRE-1p.diff.gz. Aborting.
I'm now playing with -bri to see if the emerge works without the error in comment #7. I get the following problem. I compiled with:

1.) -bri
2.) -bri -pri
3.) -bri -zaptel
4.) -bri -pri -zaptel

All of these result in the same error:

gcc -shared -Xlinker -x -o chan_alsa.so chan_alsa.o -lasound -lm -ldl
gcc -c -O2 -mcpu=i686 -pipe -pipe -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Iinclude -I../include -D_REENTRANT -D_GNU_SOURCE -O2 -mcpu=i686 -pipe -DOSP_SUPPORT -I/usr/include/osp -DZAPTEL_OPTIMIZATIONS -DLOW_MEMORY -fomit-frame-pointer -Wno-missing-prototypes -Wno-missing-declarations -DZAPATA_PRI -DIAX_TRUNKING -DCRYPTO -fPIC -o chan_zap.o chan_zap.c
`-mcpu=' is deprecated. Use `-mtune=' or '-march=' instead.
`-mcpu=' is deprecated. Use `-mtune=' or '-march=' instead.
chan_zap.c: In function `zt_call':
chan_zap.c:2094: error: too few arguments to function `pri_sr_set_bearer'
chan_zap.c: In function `zt_hangup':
chan_zap.c:2492: error: too few arguments to function `pri_hangup'
chan_zap.c:2512: error: too few arguments to function `pri_hangup'
chan_zap.c: In function `zt_handle_event':
chan_zap.c:3648: error: too few arguments to function `pri_hangup'
chan_zap.c: In function `pri_dchannel':
chan_zap.c:8377: error: too few arguments to function `pri_hangup'
chan_zap.c:8535: error: too few arguments to function `pri_hangup'
chan_zap.c:8666: error: too few arguments to function `pri_hangup'
chan_zap.c:8701: error: too few arguments to function `pri_hangup'
chan_zap.c:8710: error: too few arguments to function `pri_hangup'
chan_zap.c:8718: error: too few arguments to function `pri_hangup'
chan_zap.c:8964: error: too few arguments to function `pri_hangup'
chan_zap.c:9032: error: too few arguments to function `pri_hangup'
chan_zap.c: In function `start_pri':
chan_zap.c:9244: error: too few arguments to function `pri_new'
chan_zap.c: In function `load_module':
chan_zap.c:11051: warning: passing arg 1 of `pri_set_error' from incompatible pointer type
chan_zap.c:11052: warning: passing arg 1 of `pri_set_message' from incompatible pointer type
make[1]: *** [chan_zap.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/asterisk-1.2.11/work/asterisk-1.2.11/channels'
make: *** [subdirs] Error 1

!!! ERROR: net-misc/asterisk-1.2.11 failed.
Call stack:
  ebuild.sh, line 1539: Called dyn_compile
  ebuild.sh, line 939: Called src_compile
  asterisk-1.2.11.ebuild, line 329: Called die

!!! Make failed
!!! If you need support, post the topmost build error, and the call stack if relevant.
!!! This ebuild is from an overlay: '/usr/local/overlay'

My emerge info:

Portage 2.1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.15-gentoo-r1-skas3-v8.2 i686)
=================================================================
System uname: 2.6.15-gentoo-r1-skas3-v8.2 i686 unknown
Gentoo Base System version 1.6.14
dev-lang/python: 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1-r2
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -mcpu=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg digest distlocks metadata-transfer noinfo sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm avi berkdb bitmap-fonts bri cli crypt cups dri eds emboss encode esd foomaticdb fortran gdbm gif gnome gpm gstreamer ipv6 isdnlog jpeg kde libg++ libwww mad mikmod mmx motif mp3 mpeg ncurses nls nptl ogg pam pcre pdflib perl png pppd python quicktime readline reflection rtc sdl session spell spl sse ssl tcpd truetype truetype-fonts type1-fonts udev vorbis xml xmms xorg zlib elibc_glibc kernel_linux linguas_de userland_GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
OK,

Test 1:
- zaptel unmerged
- USE = -bri -pri -zaptel
= compiled cleanly

Test 2:
- zaptel-1.2.6 emerged
- USE = +bri +pri +zaptel
= doesn't compile
I must have forgotten to upload that. Let me find it after work and upload it. I will also look at the bri compile error.

Jay
*** Bug 145966 has been marked as a duplicate of this bug. ***
Jay? Have you found it?

(In reply to comment #10)
> I must have forgot to upload that. Let me find it after work and upload. I will
> also look at the bri compile error.
>
> Jay
>
We have a fix committed:

06 Sep 2006; Stefan Knoblich <stkn@gentoo.org> +asterisk-1.2.11.ebuild:

Arches please test and mark stable. Target keywords are:
asterisk-1.2.11.ebuild:KEYWORDS="~alpha ~amd64 ~hppa ~ppc sparc x86"
sparc stable.

On a side note, it works fine on a couple of x86 servers I handle (E1/FXO/FXS mostly), and people might want to take care of bug #145783 before, too.
1.) emerges on x86 with the following QA warnings:

QA Notice: the following files contain runtime text relocations
 Text relocations force the dynamic linker to perform extra work at startup, waste system resources, and may pose a security risk. On some architectures, the code may not even function properly, if at all.
 For more information, see http://hardened.gentoo.org/pic-fix-guide.xml
 Please include this file in your report:
 /var/tmp/portage/asterisk-1.2.11/temp/scanelf-textrel.log
TEXTREL usr/lib/asterisk/modules/codec_gsm.so

QA Notice: the following files contain executable stacks
 Files with executable stacks will not work properly (or at all!) on some architectures/operating systems. A bug should be filed at http://bugs.gentoo.org/ to make sure the file is fixed.
 For more information, see http://hardened.gentoo.org/gnu-stack.xml
 Please include this file in your report:
 /var/tmp/portage/asterisk-1.2.11/temp/scanelf-execstack.log
RWX --- --- usr/lib/asterisk/modules/codec_gsm.so

2.) passes collision-test
3.) /etc/init.d/asterisk starts

emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.11 i686)
=================================================================
System uname: 2.6.17.11 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.5
Last Sync: Thu, 14 Sep 2006 16:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python: 2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal /usr/local/portage/testing"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Version 1.2.11 compiles great, but has a bug (Pickup). 1.2.12.1 and Zaptel 1.2.9.1 are out now.
Back to ebuild to fix the regression. UnCC'ing arches.
voip any news on this one?
This is kinda annoying... no info on the bug for more than 2 weeks... any news from voip???

asterisk-1.2.12.1 has been uploaded today... I guess we can go for stable marking then?
Yeah, I moved it from the overlay to portage after talking with stkn. I guess marking it stable should be fine - go ahead.
BTW, this has been rated C1... according to the policy that results in a target delay of 5 days.

sparc, x86: please test net-misc/asterisk-1.2.12.1 and mark stable if possible.
even adding arches to CC now ;)
sparc stable.
1.) emerges on x86, with the following QA Notices:

QA Notice: the following files contain runtime text relocations
 Text relocations force the dynamic linker to perform extra work at startup, waste system resources, and may pose a security risk. On some architectures, the code may not even function properly, if at all.
 For more information, see http://hardened.gentoo.org/pic-fix-guide.xml
 Please include this file in your report:
 /var/tmp/portage/asterisk-1.2.12.1/temp/scanelf-textrel.log
TEXTREL usr/lib/asterisk/modules/codec_gsm.so

QA Notice: the following files contain executable stacks
 Files with executable stacks will not work properly (or at all!) on some architectures/operating systems. A bug should be filed at http://bugs.gentoo.org/ to make sure the file is fixed.
 For more information, see http://hardened.gentoo.org/gnu-stack.xml
 Please include this file in your report:
 /var/tmp/portage/asterisk-1.2.12.1/temp/scanelf-execstack.log
RWX --- --- usr/lib/asterisk/modules/codec_gsm.so

2.) passes collision test
3.) daemon still starts and stops

emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.13 i686)
=================================================================
System uname: 2.6.17.13 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.5
Last Sync: Fri, 06 Oct 2006 14:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python: 2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal /usr/local/portage/testing"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Can you hear me now? Good. x86 done.
Oops, this one is late.
GLSA 200610-15