Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 250748

Summary: <net-misc/asterisk-1.2.31.1 Denial of Service (CVE-2008-5558)
Product: Gentoo Security Reporter: Bruno Buss <bruno.buss>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: chainsaw, into-the-trash-it-goes, rajiv, voip+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://downloads.digium.com/pub/security/AST-2008-012.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 249573    
Bug Blocks:    

Description Bruno Buss 2008-12-12 19:33:03 UTC 
Description:
"There is a possibility to remotely crash an Asterisk server if the server is configured to use realtime IAX2 users. The issue occurs if either an unknown user attempts to authenticate or if a user that uses hostname matching attempts to authenticate.

The problem was due to a broken function call to Asterisk's realtime configuration API."

Also from Secunia:
http://secunia.com/Advisories/32956/

Just 1.2.27 in portage tree is affected.
Comment 1 stupendoussteve 2008-12-18 01:07:13 UTC 
CVE-2008-5558

Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition
B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows
remote attackers to cause a denial of service (crash) via
authentication attempts involving (1) an unknown user or (2) a user
using hostname matching.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 16:34:43 UTC 
CVE-2008-5558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5558):
  Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition
  B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows
  remote attackers to cause a denial of service (crash) via
  authentication attempts involving (1) an unknown user or (2) a user
  using hostname matching.
Comment 3 Bruno Buss 2009-01-08 13:00:35 UTC 
Ping. Delay for B3 is 20 days...
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2009-03-11 17:48:24 UTC 
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2009-03-12 15:17:00 UTC 
Arches, please test and mark stable 1.2.31.1 in the tree. Target keywords:
~alpha amd64 ~hppa ~ppc sparc x86

Alpha, PowerPC, please feel free to mark stable even though you're not stable right now. This is the last ever release in the 1.2 branch and we'll redo keywording from scratch for the 1.6 branch.
This has been tested on a production network for AMD64 using Cisco 7960 phones (SIP firmware) and 2 Patton gateways both connected to 2 ISDN BRI lines from British Telecom.
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2009-03-12 15:19:50 UTC 
Arch teams, for your echangelog entries, said keywording will also address security bug #254304
If you do not have hardware your usual compilation and QA tests will suffice.
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2009-03-12 17:03:36 UTC 
Sparc stable.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2009-03-12 19:38:03 UTC 
Stable on alpha, including the requisite net-libs/openh323.
Comment 9 Markus Meier gentoo-dev 2009-03-15 15:12:40 UTC 
amd64/x86 stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-03-19 13:07:47 UTC 
ppc done
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-23 05:24:59 UTC 
HPPA isn't stable, and won't do now:

>>> Compiling source in /dev/shm/portage/net-misc/asterisk-1.2.31.1/work/asteris
k-1.2.31.1 ...
 * Building Asterisk...
make: *** No rule to make target `hppa2.0-unknown-linux-gnu-gcc'.  Stop.
 *
 * ERROR: net-misc/asterisk-1.2.31.1 failed.
Comment 12 Tony Vroon (RETIRED) gentoo-dev 2009-03-23 15:58:26 UTC 
+  23 Mar 2009; <chainsaw@gentoo.org> -asterisk-1.2.27.ebuild:
+  Remove vulnerable 1.2.27 version now that arch keywording is complete. For
+  security bugs #250748 & #254304.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:16 UTC 
GLSA 200905-01