
Bug 532242 (CVE-2014-9374)

Summary: <net-misc/asterisk-{11.14.2,12.7.2}: Remote Crash Vulnerability in WebSocket Server (AST-2014-019) (CVE-2014-9374)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://downloads.asterisk.org/pub/security/AST-2014-019.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-11 12:18:47 UTC
From ${URL}:
When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash.
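Added example, not code from this bug, the advisory, or the Asterisk source: a constructed C sketch of the realloc(ptr, 0) pattern described above beside a form that handles the zero-length frame before realloc is reached. The struct, function names and the replayed frame sequence are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a session's frame payload buffer (hypothetical). */
struct ws_session { char *payload; size_t payload_len; };

/* The pattern the advisory describes: realloc(p, 0) may free p and return
 * NULL, so treating NULL as failure leaves s->payload dangling and the later
 * teardown free() releases it again. Kept for contrast; never pass 0. */
int ws_resize_unsafe(struct ws_session *s, size_t new_len)
{
    char *p = realloc(s->payload, new_len);
    if (!p) return -1;          /* with new_len == 0 the old block may be gone */
    s->payload = p;
    s->payload_len = new_len;
    return 0;
}

/* Hardened form: the zero case never reaches realloc, so ownership stays clear. */
int ws_resize_safe(struct ws_session *s, size_t new_len)
{
    char *p;
    if (new_len == 0) {         /* zero-length frame: release explicitly */
        free(s->payload);
        s->payload = NULL;
        s->payload_len = 0;
        return 0;
    }
    p = realloc(s->payload, new_len);
    if (!p) return -1;          /* genuine failure: old buffer still owned */
    s->payload = p;
    s->payload_len = new_len;
    return 0;
}

/* Replays the advisory's trigger (non-zero frame, then zero-length frame)
 * against the hardened resize; returns 1 when no dangling pointer remains. */
int ws_sequence_ok(void)
{
    struct ws_session s = { NULL, 0 };
    if (ws_resize_safe(&s, 16) != 0) return 0;
    memcpy(s.payload, "hello", 6);
    if (ws_resize_safe(&s, 0) != 0) return 0;
    if (s.payload != NULL || s.payload_len != 0) return 0;
    free(s.payload);            /* session teardown: NULL here, no second free */
    return 1;
}
```

Whether realloc(p, 0) frees and returns NULL or returns a new zero-sized block is implementation-defined, which is why the hardened form never relies on it.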
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2014-12-16 10:20:33 UTC
+*asterisk-12.7.2 (16 Dec 2014)
+*asterisk-11.14.2 (16 Dec 2014)
+
+  16 Dec 2014; Tony Vroon <chainsaw@gentoo.org> +asterisk-11.14.2.ebuild,
+  -asterisk-12.7.1.ebuild, +asterisk-12.7.2.ebuild:
+  Incorrect and unsafe memory handling (AST-2014-019) in res_http_websocket
+  addressed in both branches, vulnerable non-stable ebuilds removed. For
+  security bug #532242. Enable MeetMe conference support if DAHDI is enabled,
+  as requested by Kristian Fiskerstrand in bug #531486.

Arches, please test & mark stable:
=net-misc/asterisk-11.14.2

Please test with USE="samples" and take the daemon through three stop/start cycles.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-16 11:25:40 UTC
Changing rating to B3, for some reason I didn't remember this is indeed a stable package.
Comment 4 Agostino Sarubbo gentoo-dev 2014-12-21 11:37:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-21 11:42:44 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2014-12-22 12:32:21 UTC
+  22 Dec 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.14.1.ebuild,
+  +asterisk-11.15.0.ebuild, +asterisk-12.8.0.ebuild:
+  Remove vulnerable stable ebuild for security bug #532242. Add newer ebuilds
+  on both branches which contain primarily crash fixes.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-25 15:43:38 UTC
GLSA vote: yes
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-12-27 01:56:34 UTC
CVE-2014-9374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9374):
  Double free vulnerability in the WebSocket Server (res_http_websocket
  module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2, and
  13.x before 13.0.2 and Certified Asterisk 11.6 before 11.6-cert9 allows
  remote attackers to cause a denial of service (crash) by sending a zero
  length frame after a non-zero length frame.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-28 15:16:34 UTC
GLSA Vote: Yes

Created new GLSA request
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 19:08:40 UTC
This issue was resolved and addressed in
 GLSA 201412-51 at http://security.gentoo.org/glsa/glsa-201412-51.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).