
Bug 633856 (CVE-2017-14603)

Summary: <net-misc/asterisk-{11.25.3,13.17.2}: insufficient RTCP packet validation could allow reading stale buffer contents
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chainsaw
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa cve blocked]
Package list:
Runtime testing required: ---
Bug Depends on: 629682
Bug Blocks:

Description Aleksandr Wagner (Kivak) 2017-10-09 15:50:40 UTC
CVE-2017-14603 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14603):

In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6, insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report. 

References:

http://downloads.asterisk.org/pub/security/AST-2017-008.html
https://issues.asterisk.org/jira/browse/ASTERISK-27274
http://www.debian.org/security/2017/dsa-3990
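
Added illustration (an editor's example in C, not Asterisk code and not the fix shipped in AST-2017-008, whose details are in the linked advisory) of the class of check the CVE text describes. A compound RTCP walker bounds each sub-packet's declared length by the number of bytes actually received. For contrast, a trusting walk of a constructed 8-byte receiver report that was written into a buffer previously holding a 44-byte valid compound packet consumes 28 bytes, 20 of them left over from the earlier datagram, which is the stale read. Finally, the receive path updates the learned peer address, which is what symmetric RTP does with the source of incoming packets, only for a packet that passed validation. Packet bytes, addresses and all function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* RTCP payload types (RFC 3550, section 12.1) and sizes. */
#define RTCP_SR   200
#define RTCP_RR   201
#define RTCP_SDES 202
#define RTCP_HDR_LEN 4     /* V/P/RC, PT, 16-bit length */
#define RECV_BUF_LEN 1500  /* one reusable receive buffer, as media stacks keep */

/* Verdicts: multiple of 4 bytes, room for a header, version 2, every declared length within the received bytes. */
enum rtcp_verdict { RTCP_OK = 0, RTCP_NOT_ALIGNED, RTCP_TRUNCATED, RTCP_BAD_VERSION, RTCP_LENGTH_OVERRUN };

/* Byte length of a sub-packet as declared by its header: 16-bit count of 32-bit words minus one. */
static size_t rtcp_declared_len(const uint8_t *hdr)
{
    return (((size_t)hdr[2] << 8 | hdr[3]) + 1) * 4;
}

/* Walk a compound RTCP packet. `len` is the byte count actually received into `buf`; a declared
 * length beyond it would make the parser read whatever the buffer held before (stale contents). */
enum rtcp_verdict rtcp_validate(const uint8_t *buf, size_t len, size_t *packets_out)
{
    size_t off = 0, count = 0;
    if (len % 4 != 0)
        return RTCP_NOT_ALIGNED;
    while (off < len) {
        if (len - off < RTCP_HDR_LEN)
            return RTCP_TRUNCATED;
        if ((buf[off] >> 6) != 2)
            return RTCP_BAD_VERSION;
        size_t pkt_len = rtcp_declared_len(buf + off);
        if (pkt_len > len - off)
            return RTCP_LENGTH_OVERRUN;  /* the bound a trusting parser lacks */
        off += pkt_len;
        count++;
    }
    if (packets_out)
        *packets_out = count;
    return RTCP_OK;
}

static void put_hdr(uint8_t *p, uint8_t pt, uint8_t rc, uint16_t len_field)
{
    p[0] = (uint8_t)((2u << 6) | (rc & 0x1f)); p[1] = pt;
    p[2] = (uint8_t)(len_field >> 8);          p[3] = (uint8_t)(len_field & 0xff);
}

/* Constructed sample: SR with no report blocks (28 bytes) + SDES with one CNAME chunk (16 bytes). */
size_t build_valid_compound(uint8_t *buf)
{
    memset(buf, 0, 44);
    put_hdr(buf, RTCP_SR, 0, 6);             /* 7 words: header, SSRC, 20 bytes of sender info */
    memcpy(buf + 4, "\x11\x22\x33\x44", 4);  /* SSRC */
    put_hdr(buf + 28, RTCP_SDES, 1, 3);      /* 4 words: header, SSRC, CNAME item, terminator, pad */
    memcpy(buf + 32, "\x11\x22\x33\x44", 4);
    buf[36] = 1; buf[37] = 3;                /* CNAME item, length 3 */
    memcpy(buf + 38, "abc", 3);              /* byte 41 is the 0 terminator, 42-43 padding */
    return 44;
}

/* Constructed sample: an 8-byte RR with no report blocks whose length field claims 7 words (28 bytes). */
size_t build_overrun_rr(uint8_t *buf)
{
    put_hdr(buf, RTCP_RR, 0, 6);
    memcpy(buf + 4, "\xaa\xbb\xcc\xdd", 4);
    return 8;
}

/* Receive the valid compound packet into a reused buffer, then the crafted RR on top of it, and
 * walk the RR as a parser that trusts the header does. Returns 28: 20 of those bytes are stale. */
size_t demo_stale_read(void)
{
    static uint8_t recv_buf[RECV_BUF_LEN];
    build_valid_compound(recv_buf);
    size_t len = build_overrun_rr(recv_buf), off = 0;  /* overwrites only the first 8 bytes */
    while (off < len)                                   /* declared size never checked against len */
        off += rtcp_declared_len(recv_buf + off);
    return off;
}

/* Destination of the next RTCP report. Symmetric RTP learns it from the source address of
 * incoming packets, so the update must come after validation, never before. */
struct rtcp_peer { char addr[46]; uint16_t port; };

/* 0 and `peer` updated for a valid packet; -1 and `peer` untouched otherwise. */
int rtcp_receive(struct rtcp_peer *peer, const uint8_t *buf, size_t len,
                 const char *src_addr, uint16_t src_port)
{
    if (rtcp_validate(buf, len, NULL) != RTCP_OK)
        return -1;
    snprintf(peer->addr, sizeof peer->addr, "%s", src_addr);
    peer->port = src_port;
    return 0;
}
```

The length check in rtcp_validate is the only thing separating the two walks: with it, the crafted 8-byte report is rejected before any address is learned; without it, the parser consumes 20 bytes the current datagram never carried, and a peer that can get such a packet accepted also decides where the next report is sent.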
Comment 1 Aleksandr Wagner (Kivak) 2017-10-09 15:52:53 UTC
Stabilization for version 11.25.3 will be done in bug 629682.
Comment 2 D'juan McDonald (domhnall) 2017-10-27 15:42:13 UTC
Added to an existing GLSA request.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 19:15:10 UTC
This issue was resolved and addressed in
 GLSA 201710-29 at https://security.gentoo.org/glsa/201710-29
by GLSA coordinator Aaron Bauman (b-man).