766471 – net-misc/asterisk: Crash if Tel URI contains History-Info

Bug 766471 - net-misc/asterisk: Crash if Tel URI contains History-Info

Summary: net-misc/asterisk: Crash if Tel URI contains History-Info

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2021-01-22 02:24 UTC by John Helmert III
Modified:	2021-01-22 07:20 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-01-22 02:24:10 UTC

According to the 16.16.0 and 18.2.0 changelogs:

 * ASTERISK-29219 - res_pjsip_diversion: Crash if Tel URI
      contains History-Info
      (Reported by Torrey Searle)

Please bump.

Comment 1 Jaco Kroon 2021-01-22 07:20:26 UTC

I'm going to close this as invalid since 16.15.1 already addressed same as interim, this is just also included here in 16.16.0 *since* 16.15.*0*.  Not 100% sure why they do it this way.  

https://bugs.gentoo.org/761313 refers:

AST-2020-003:
A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri.

AST-2020-004:
A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri.

Fixed in 13.38.1 and 16.15.1.

Note AST-2020-003.

Also:  https://issues.asterisk.org/jira/browse/ASTERISK-29219

Specifically the "Fixed in"

As well as:  https://downloads.asterisk.org/pub/security/AST-2020-003.html