Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 523216 (CVE-2014-6610)

Summary: <net-misc/asterisk-11.12.1: Remote crash when handling out of call message in certain dialplan configurations [AST-2014-010] (CVE-2014-6610)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1144319
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-09-19 10:53:49 UTC 
From ${URL} :

    Description  When an out of call message - delivered by either the SIP    
                 or PJSIP channel driver or the XMPP stack - is handled in    
                 Asterisk, a crash can occur if the channel servicing the     
                 message is sent into the ReceiveFax dialplan application     
                 while using the res_fax_spandsp module.                      
                                                                              
                 Note that this crash does not occur when using the           
                 res_fax_digium module.                                       
                                                                              
                 While this crash technically occurs due to a configuration   
                 issue, as attempting to receive a fax from a channel driver  
                 that only contains textual information will never succeed,   
                 the likelihood of having it occur is sufficiently high as    
                 to warrant this advisory.

Upstream patch: http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff
Additional info:
https://issues.asterisk.org/jira/browse/ASTERISK-24301
http://downloads.digium.com/pub/security/AST-2014-010.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2014-09-19 10:56:31 UTC 
Arches, please test & mark stable:
=net-misc/asterisk-11.12.1

Target keywords: amd64 x86

The Asterisk 12 branch is masked and vulnerable ebuilds have been removed there.
Comment 2 Agostino Sarubbo gentoo-dev 2014-09-20 17:55:08 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-09-20 17:55:22 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-20 19:31:33 UTC 
GLSA Vote: Yes
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2014-09-22 08:18:29 UTC 
+  22 Sep 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.10.2.ebuild:
+  Remove vulnerable ebuild for security bug #523216 as stabilisation is
+  complete. 1.8 branch not affected.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-09-22 19:12:23 UTC 
Maintainer(s), Thank you for cleanup!

GLSA Vote: Yes
Created a New GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-11-23 18:20:02 UTC 
This issue was resolved and addressed in
 GLSA 201411-10 at http://security.gentoo.org/glsa/glsa-201411-10.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-12-27 01:59:19 UTC 
CVE-2014-6610 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6610):
  Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and
  Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp
  module, allows remote authenticated users to cause a denial of service
  (crash) via an out of call message, which is not properly handled in the
  ReceiveFax dialplan application.