Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 449828 (CVE-2012-5976)

Summary: <net-misc/asterisk-{1.8.19.1,10.11.1,11.1.1}: Two DoS vulnerabilities (CVE-2012-{5976,5977})
Product: Gentoo Security Reporter: Sean Amoss (RETIRED) <ackle>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: chainsaw, voip+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.asterisk.org/downloads/security-advisories
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Sean Amoss (RETIRED) gentoo-dev Security 2013-01-02 21:40:49 UTC 
Two issues fixed in Asterisk:

CVE-2012-5976 - Crashes due to large stack allocations when using TCP
CVE-2012-5977 - Denial of Service Through Exploitation of Device State Caching

Corrected In
Product: Asterisk Open Source
Release: 1.8.19.1, 10.11.1, 11.1.1
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2013-01-02 22:35:53 UTC 
+*asterisk-11.1.1 (02 Jan 2013)
+*asterisk-10.11.1 (02 Jan 2013)
+*asterisk-1.8.19.1 (02 Jan 2013)
+
+  02 Jan 2013; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.15.1.ebuild,
+  -asterisk-1.8.18.1.ebuild, -asterisk-1.8.19.0.ebuild,
+  +asterisk-1.8.19.1.ebuild, -asterisk-10.10.1.ebuild,
+  -asterisk-10.11.0.ebuild, +asterisk-10.11.1.ebuild, -asterisk-11.0.2.ebuild,
+  -asterisk-11.1.0.ebuild, +asterisk-11.1.1.ebuild:
+  Security releases on all three branches; stop using stack allocations in TCP
+  receive paths, as multiple packets may be concatenated together and overflow
+  the stack as a result (CVE-2012-5976 / AST-2012-015). Never cache devices
+  that are not associated with a physical entity, as to do so allows a denial
+  of service through cache exhaustion (CVE-2012-5977 / AST-2012-014). Remove
+  all non-stable vulnerable ebuilds. As requested by Sean Amoss in bug #449828.

Arches, please test & mark stable =net-misc/asterisk-1.8.19.1
Target keywords: amd64 x86

Please compile on different USE-flag permutations and confirm that the daemon is able to survive at least three start/stop cycles.
Comment 2 Andreas Schürch gentoo-dev 2013-01-03 11:46:00 UTC 
x86 done.
Comment 3 Agostino Sarubbo gentoo-dev 2013-01-03 11:47:09 UTC 
amd64 stable
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-03 11:50:28 UTC 
Thanks, everyone.

GLSA vote: yes.
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2013-01-03 12:03:50 UTC 
+  03 Jan 2013; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.18.0-r2.ebuild:
+  Clear vulnerable ebuild in 1.8 branch now that stabling has completed.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2013-01-03 17:20:30 UTC 
GLSA Vote: yes, too. GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-01-05 19:43:48 UTC 
CVE-2012-5977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5977):
  Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x
  before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk
  Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous
  calls are enabled, allow remote attackers to cause a denial of service
  (resource consumption) by making anonymous calls from multiple sources and
  consequently adding many entries to the device state cache.

CVE-2012-5976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5976):
  Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x
  before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified
  Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones
  10.x-digiumphones before 10.11.1-digiumphones allow remote attackers to
  cause a denial of service (daemon crash) via TCP data using the (1) SIP, (2)
  HTTP, or (3) XMPP protocol.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 04:40:58 UTC 
This issue was resolved and addressed in
 GLSA 201401-15 at http://security.gentoo.org/glsa/glsa-201401-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).