Summary: | <net-misc/asterisk-{1.6.2.16.2-r2,1.8.2.4}: stack buffer overflow in SIP channel driver (CVE-2011-0495) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | c1pher, chainsaw, ssuominen, tomka, voip+disabled
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://downloads.digium.com/pub/security/AST-2011-001.html | |
Whiteboard: | B1 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 352137, 352335 | |
Bug Blocks: | 355967 | |
Attachments: | | |

Description
Paweł Hajdan, Jr. (RETIRED)
+*asterisk-1.8.2.1 (19 Jan 2011) + + 19 Jan 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.1.1-r1.ebuild, + -asterisk-1.8.1.1-r2.ebuild, -asterisk-1.8.2.ebuild, + +asterisk-1.8.2.1.ebuild: + Trim down 1.8 branch by culling vulnerable ebuilds for security bug #352059. + Adding 1.8.2.1 which fixes a stack buffer overflow in SIP URI encoding. + Patchset unchanged. +*asterisk-1.6.2.16.1 (19 Jan 2011) + + 19 Jan 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.14.ebuild, + +asterisk-1.6.2.16.1.ebuild: + Trim down 1.6.2 branch by culling vulnerable ebuild for security bug #352059. + Adding 1.6.2.16.1 which fixes a stack buffer overflow in SIP URI encoding. + Patchset unchanged. +*asterisk-1.4.39.1 (19 Jan 2011) + + 19 Jan 2011; Tony Vroon <chainsaw@gentoo.org> + -files/1.4.0/asterisk-1.4.0-uclibc.patch, + -files/1.4.0/asterisk-1.4.0-var_rundir.patch, + -files/1.4.0/asterisk-1.4.33-gsm-pic.patch, + -files/1.4.0/asterisk-1.4.33-inband-indications.patch, + -asterisk-1.4.37.ebuild, -files/1.4.0/asterisk-1.4.37-imap-libs.patch, + +asterisk-1.4.39.1.ebuild: + Trim down 1.4 branch by culling vulnerable ebuild for security bug #352059. + Adding 1.4.39.1 which fixes a stack buffer overflow in SIP URI encoding. + Patchset repackaged but otherwise unchanged.

Arches please test and stable:
net-libs/libpri-1.4.11.4
net-misc/asterisk-1.4.39.1
net-misc/dahdi-2.4.0-r1
net-misc/dahdi-tools-2.4.0
any additional dependencies

Permission has been granted from the other arch teams (that is alpha, hppa, ppc & sparc) to drop their keywords, see bug #318835 for confirmation. Asterisk 1.2 ebuilds & zaptel infrastructure can then be dropped from portage. Handling this upgrade in this fashion minimises the load on arch teams. Please voice any disagreements to me on IRC and keep this bug clear of chatter.

Users: bug reports for Asterisk 1.4 go in a *new* report, not this one!

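Review bot: In the asterisk-1.8.2.1 entry, the line "Adding 1.8.2.1 which fixes a stack buffer overflow in SIP URI encoding" states the fix as fact without recording how it was confirmed, and upstream's announcement later in this bug says the 1.8.2.1 tarball shipped without the fix because of a failed merge. Suggest wording such entries as "upstream reports fixed in 1.8.2.1" and confirming that the AST-2011-001 change is present in the unpacked source before relying on the version number.
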
net-misc/asterisk-core-sounds-1.4.19 ok
net-misc/asterisk-extra-sounds-1.4.11 ok
net-misc/asterisk-moh-opsound-2.03 ok
net-libs/libpri-1.4.11.4 ok
net-misc/dahdi-2.4.0-r1 ok ( fails test bug 352135 )
net-misc/dahdi-tools-2.4.0 requires: >=sys-kernel/linux-headers-2.6.35
net-misc/asterisk-1.4.39.1 requires also new headers with USE="dahdi"

also pulled in with USE="misdn"

net-dialup/misdn
net-dialup/misdnuser

Toolchain: of the three >=sys-kernel/linux-headers-2.6.35 packages which is the best candidate for stabilization? Thanks!

(In reply to comment #6)
> also pulled in with USE="misdn"
>
> net-dialup/misdn
> net-dialup/misdnuser
>

net-dialup:

we must stabilize misdn and misdnuser.

net-dialup/misdn-1.1.7.2
net-dialup/misdnuser-1.1.7.2

I think that we stabilize the newer version (chainsaw agrees with me)

anyone disagree? / comments ?

The enew* issues should be resolved. The packages potentially blocking linux-headers-2.6.35 are masked pending removal. I'm currently waiting to hear from the net-dialup herd wrt misdn* and from toolchain@g.o wrt which linux-headers direction we want to go in.

(In reply to comment #8)
> (In reply to comment #6)
> > also pulled in with USE="misdn"
> >
> > net-dialup/misdn
> > net-dialup/misdnuser
> >
> net-dialup:
>
> we must stabilize misdn and misdnuser.
>
> net-dialup/misdn-1.1.7.2
> net-dialup/misdnuser-1.1.7.2
>
> I think, that we stabilize newer version ( chainsaw agree with me)
>
>
> anyone disagree? / comments ?
>

net-dialup: net-dialup/misdn-1.1.7.2 is failing looking for CONFIG_PCI_LEGACY which I don't see anywhere in the kernel. It appears to me like 1.1.9 is released. Could we get a version bump perhaps and then look into a rush stabilization of that? The same should be true for misdnuser.

linux-headers-2.6.36.1 is the best choice of those three

New stabilisation target:
net-misc/asterisk-1.4.39.1-r1

Dropped problematic misdn target. QA fixes from AMD64 stable testing by ago. Please abandon any misdn efforts, they are no longer required. Do proceed with stabling the headers please.

Per http://www.openwall.com/lists/oss-security/2011/01/19/3 this has been assigned CVE-2011-0495.

(In reply to comment #12)
> New stabilisation target:
> net-misc/asterisk-1.4.39.1-r1

all open bugs have been fixed, ok for me. Expect instructions on linux-headers

Dropped USE=misdn; @net-dialup sorry for the spam

I recall Ssuominen mentioning an issue with 2.6.36 headers for gnome, so I CC'd. We should make sure we're not going to break something, so I'd hold on that stabilization for just a bit.

How about you file a bug to get linux-headers stable and cc him there?

yeah ... if you want to get a new linux-headers stabilized, you'll need to file a sep bug for it

From: Asterisk Development Team <asteriskteam@digium.com>
Subject: [asterisk-announce] Asterisk 1.8.2.2 Now Available (Security Release)
Date: January 20, 2011 4:19:59 PM EST
To: Asterisk Development Team <asteriskteam@digium.com>

The Asterisk Development Team has announced a release for the security issue described in AST-2011-001.

Due to a failed merge, Asterisk 1.8.2.1 which should have included the security fix did not. Asterisk 1.8.2.2 contains the changes which should have been included in Asterisk 1.8.2.1.

This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2, 1.8.1.2, and 1.8.2.2 resolve an issue when forming an outgoing SIP request while in pedantic mode, which can cause a stack buffer to be made to overflow if supplied with carefully crafted caller ID information.

The issue and resolution are described in the AST-2011-001 security advisory.

For more information about the details of this vulnerability, please read the security advisory AST-2011-001, which was released at the same time as this announcement.

For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.2

Security advisory AST-2011-001 is available at:
http://downloads.asterisk.org/pub/security/AST-2011-001.pdf

Thank you for your continued support of Asterisk!

Opened toolchain bug. Arches are not yet CC'd there. We still do not have a firm decision on one to stabilize.

(In reply to comment #18)
> Due to a failed merge, Asterisk 1.8.2.1 which should have included the
> security fix did not. Asterisk 1.8.2.2 contains the the changes which
> should have been included in Asterisk 1.8.2.1.

+*asterisk-1.8.2.2 (22 Jan 2011) + + 22 Jan 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.2.1.ebuild, + +asterisk-1.8.2.2.ebuild: + Upstream reports that a merging accident kept the fix out of the 1.8.2.1 + tarball. 1.8.2.2 does include the security fix. Removed insecure ebuild.

I just did linux-headers for x86, so we are ready.

The version to be stabled here does not have ~x86 keyword !!?? Is that an accident or do you intend us to commit directly to stable?

fine for me after headers stabilization

Arches please test and stable (straight stable if required):
net-misc/asterisk-core-sounds-1.4.19
net-misc/asterisk-extra-sounds-1.4.11
net-misc/asterisk-moh-opsound-2.03
net-libs/libpri-1.4.11.4
net-misc/dahdi-2.4.0-r1
net-misc/dahdi-tools-2.4.0
net-misc/asterisk-1.6.2.16.2

The maintainer for the Asterisk 1.4 ebuilds appears to have evaporated and subsequent bugs were identified. I aim to remove Asterisk 1.2 & 1.4 from portage once this bug runs to completion.

To confirm, this will address both AST-2011-001 & AST-2011-002.

tony, can you drop use misdn like precedent version? :)

Anyway, pulled in also media-libs/spandsp; can you take care to see which version stabilize?

(In reply to comment #24)
> tony, can you drop use misdn like precedent version? :)

Certainly:

+*asterisk-1.6.2.16.2-r1 (24 Feb 2011) + + 24 Feb 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.16.2.ebuild, + +asterisk-1.6.2.16.2-r1.ebuild: + Drop problematic misdn dependencies from the 1.6.2 branch to aid in security + stabilisation. Both the 1.2 and the 1.4 branch are slated for removal and + will be masked soon.

> Anyway, pulled in also media-libs/spandsp; can you take care to see which
> version stabilize?

0.0.6_pre12 please. That has the new ABI that this Asterisk version requires; I don't expect any surprises with it.

(In reply to comment #25)
> 0.0.6_pre12 please. That has the new ABI that this Asterisk version requires; I
> don't expect any surprises with it.

bug 356299

(In reply to comment #26)
> bug 356299

+*spandsp-0.0.6_pre12-r1 (24 Feb 2011) + + 24 Feb 2011; Tony Vroon <chainsaw@gentoo.org> +spandsp-0.0.6_pre12-r1.ebuild: + Drop problematic sse4 & sse5 USE-flags, in GCC 4.5 no such options exist. + Closes bug #356299 by Agostino "ago" Sarubbo and hopefully provides a viable + stabilisation target for security bug #352059.

Created attachment 263729: Build log

Re Comment 23 - let's not throw the baby out with the bathwater just yet, eh? Refer to bug 356367 for an updated 1.4 ebuild.

(In reply to comment #29)
> Refer to bug 356367 for an updated 1.4 ebuild.

1.6.2 is the new stabilisation target; 1.4 has given me far too much trouble to be a viable target here. Any further discussion in bug #356367; this is not the right forum for it.

x86 done. Thanks everybody.

aside: Repoman needed --force b/c

variable.usedwithhelpers 2
net-misc/asterisk/asterisk-1.2.37.ebuild: Helper function is used with D, ROOT, ED, EROOT or EPREFIX on line :250
net-misc/asterisk/asterisk-1.2.40.ebuild: Helper function is used with D, ROOT, ED, EROOT or EPREFIX on line :250

(In reply to comment #31)
> x86 done.

Many thanks Thomas.

> variable.usedwithhelpers 2
> net-misc/asterisk/asterisk-1.2.37.ebuild:
> net-misc/asterisk/asterisk-1.2.40.ebuild:

One of the many reasons why 1.2 should go (bitrot). Awaiting ago's okay so AMD64 can go stable, then they will be gone.

(In reply to comment #28)
> Created an attachment (id=263729)
> Build log

Good catch, USE=keepsrc strikes again. It is now gone permanently.

+*asterisk-1.6.2.16.2-r2 (26 Feb 2011) + + 26 Feb 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.16.2-r1.ebuild, + +asterisk-1.6.2.16.2-r2.ebuild, metadata.xml: + Transfer stable X86 keyword from -r1 to -r2; removing defective keepsrc + USE-flag from ebuild & metadata.xml now. Removal of 1.2 & 1.4 is immanent.

Please retest for AMD64.

Created attachment 264041: Build log

(In reply to comment #34)
> Created an attachment (id=264041)
> Build log

+ 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> dahdi-tools-2.4.0.ebuild: + USE=ppp should DEPEND on net-dialup/ppp. As pointed out by Agostino "ago" + Sarubbo in bug #352059.

ok! it works :)

+ 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> libpri-1.4.11.4.ebuild: + Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago" + Sarubbo. + 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> spandsp-0.0.6_pre12-r1.ebuild: + Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago" + Sarubbo. + 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> dahdi-2.4.0-r1.ebuild: + Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago" + Sarubbo. + 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> dahdi-tools-2.4.0.ebuild: + Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago" + Sarubbo. + 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> + asterisk-core-sounds-1.4.19.ebuild: + Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago" + Sarubbo. + 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> + asterisk-extra-sounds-1.4.11.ebuild: + Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago" + Sarubbo. + 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> + asterisk-moh-opsound-2.03.ebuild: + Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago" + Sarubbo. + 27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> asterisk-1.6.2.16.2-r2.ebuild: + Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago" + Sarubbo.

Thanks, everyone. Added to existing GLSA request (with 355967).

you have forgotten to remove amd64 from cc :)

This issue was resolved and addressed in GLSA 201110-21 at http://security.gentoo.org/glsa/glsa-201110-21.xml by GLSA coordinator Tim Sammut (underling).
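
An added illustration, not part of this bug report and not Asterisk's code: the upstream announcement quoted in this bug describes a stack buffer overflowing when crafted caller ID information is URI-encoded into an outgoing SIP request. Percent-encoding can triple the input length, so a safe encoder checks the remaining space before every write; `uri_encode_bounded` and `is_unreserved` are hypothetical names and the caller ID string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 3986 "unreserved" bytes pass through; everything else becomes %XX. */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' ||
           c == '_' || c == '~';
}

/* Hypothetical helper (not Asterisk's encoder). Writes at most dst_len
 * bytes, always NUL-terminates, returns -1 if the input did not fit.
 * A buffer of 3 * strlen(src) + 1 bytes is always large enough. */
int uri_encode_bounded(const char *src, char *dst, size_t dst_len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t out = 0;

    if (dst == NULL || dst_len == 0)
        return -1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        size_t need = is_unreserved(c) ? 1 : 3;
        /* Invariant: out < dst_len, so one byte is left for the NUL. */
        if (need + 1 > dst_len - out) {
            dst[out] = '\0';
            return -1;          /* refuse to write a partial escape */
        }
        if (need == 1) {
            dst[out++] = (char)c;
        } else {
            dst[out++] = '%';
            dst[out++] = hex[c >> 4];
            dst[out++] = hex[c & 0x0F];
        }
    }
    dst[out] = '\0';
    return 0;
}

int main(void)
{
    char small[16];  /* constructed caller ID below needs 25 bytes encoded */
    int rc = uri_encode_bounded("\"A B\" <1000>", small, sizeof(small));
    printf("rc=%d out=%s\n", rc, small);
    return 0;
}
```

The caller treats a -1 return as a rejected value rather than sending the truncated string.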