
Bug 425050 (CVE-2012-3812)

Summary: <net-misc/asterisk-1.8.13.1 : Two Denial of Service Vulnerabilities (CVE-2012-{3812,3863})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: chainsaw, voip+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/49814/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Comment 1 Tony Vroon gentoo-dev 2012-07-06 13:26:46 UTC
+*asterisk-10.5.2 (06 Jul 2012)
+*asterisk-1.8.13.1 (06 Jul 2012)
+
+  06 Jul 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.13.0.ebuild,
+  -asterisk-1.8.13.0-r1.ebuild, +asterisk-1.8.13.1.ebuild,
+  -asterisk-10.5.1.ebuild, +asterisk-10.5.2.ebuild:
+  Upgrades on the 1.8 & 10 branches to address a potential resource leak when a
+  re-invite transaction is not completed (AST-2012-010) and on the 1.8 branch
+  only for a remote crash vulnerability in the voicemail application
+  (AST-2012-011). Both covered under CVE-2012-3812. Removed any non-stable
+  vulnerable ebuild.

Arches, please test and mark stable:
=net-misc/asterisk-1.8.13.1

Last arch, please remove:
=net-misc/asterisk-1.8.12.1
Comment 2 Agostino Sarubbo gentoo-dev 2012-07-06 15:10:02 UTC
amd64 stable
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-09 01:27:58 UTC
x86 stable
Comment 4 Sean Amoss gentoo-dev Security 2012-07-11 22:00:50 UTC
Thanks, everyone.

GLSA vote: yes.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 01:04:54 UTC
CVE-2012-3812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3812):
  Double free vulnerability in apps/app_voicemail.c in Asterisk Open Source
  1.8.x before 1.8.13.1 and 10.x before 10.5.2, Certified Asterisk
  1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones
  10.x.x-digiumphones before 10.5.2-digiumphones allows remote authenticated
  users to cause a denial of service (daemon crash) by establishing multiple
  voicemail sessions and accessing both the Urgent mailbox and the INBOX
  mailbox.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 01:07:14 UTC
CVE-2012-3863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3863):
  channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x
  before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified
  Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones
  10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a
  provisional response to a SIP reINVITE request, which allows remote
  authenticated users to cause a denial of service (RTP port exhaustion) via
  sessions that lack final responses.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-08-14 15:47:57 UTC
Thanks, folks. GLSA Vote: yes too. Request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-09-26 22:02:23 UTC
This issue was resolved and addressed in
GLSA 201209-15 at http://security.gentoo.org/glsa/glsa-201209-15.xml
by GLSA coordinator Sean Amoss (ackle).