Bug 650008 (CVE-2018-7284, CVE-2018-7286)

Summary: <net-misc/asterisk-13.19.0-r1: Multiple vulnerabilities
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: chainsaw
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
net-misc/asterisk-13.19.0-r1 net-libs/pjproject-2.7.1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-09 15:11:08 UTC
CVE-2018-7286 (https://nvd.nist.gov/vuln/detail/CVE-2018-7286):
  An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5,
  and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2.
  res_pjsip allows remote authenticated users to crash Asterisk (segmentation
  fault) by sending a number of SIP INVITE messages on a TCP or TLS connection
  and then suddenly closing the connection.

CVE-2018-7284 (https://nvd.nist.gov/vuln/detail/CVE-2018-7284):
  A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x
  through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through
  13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub
  module stores the accepted formats present in the Accept headers of the
  request. This code did not limit the number of headers it processed, despite
  having a fixed limit of 32. If more than 32 Accept headers were present, the
  code would write outside of its memory and cause a crash.
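The Accept-header overflow described in the CVE-2018-7284 text above, as an added example that is not Asterisk's or pjproject's own code: a hypothetical SUBSCRIBE handler stores Accept header values in a fixed array of 32 entries, first without a bound check (the bug class the advisory describes) and then with the check that rejects a request carrying more than 32 Accept headers. The struct, function names, header-walking helper and the constructed SUBSCRIBE message are all invented for illustration.

```c
/* Added example (not Asterisk or pjproject code): a minimal, hypothetical
 * SUBSCRIBE handler that keeps the accepted formats from Accept headers in a
 * fixed array of 32 entries, shown without and with a bound check. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ACCEPT 32   /* fixed limit, as in the advisory text */
#define MAX_VALUE  64   /* room for one header value */

struct sub_state {
    char accept[MAX_ACCEPT][MAX_VALUE];
    size_t n_accept;
};

/* Copy the value of one "Accept: ..." header line (no CRLF) into dst. */
static void copy_value(char *dst, size_t dstlen, const char *line, size_t linelen) {
    const char *v = line + strlen("Accept:");
    size_t vlen = linelen - strlen("Accept:");
    while (vlen > 0 && *v == ' ') { v++; vlen--; }
    if (vlen >= dstlen) vlen = dstlen - 1;
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
}

/* Callback per Accept header: return 0 to continue, nonzero to abort. */
typedef int (*accept_cb)(struct sub_state *, const char *, size_t);

/* Walk CRLF-separated header lines up to the blank line ending the headers. */
static int for_each_accept(const char *msg, struct sub_state *st, accept_cb cb) {
    const char *p = msg;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) break;                       /* end of headers */
        if (len > 7 && strncasecmp(p, "Accept:", 7) == 0) {
            int rc = cb(st, p, len);
            if (rc) return rc;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return 0;
}

/* VULNERABLE form: no bound check, so a 33rd Accept header writes past
 * accept[]. Shown for contrast only; nothing below calls it. */
int store_unchecked(struct sub_state *st, const char *line, size_t len) {
    copy_value(st->accept[st->n_accept], MAX_VALUE, line, len);
    st->n_accept++;
    return 0;
}

/* FIXED form: once the fixed limit is reached, reject the request. */
static int store_checked(struct sub_state *st, const char *line, size_t len) {
    if (st->n_accept >= MAX_ACCEPT)
        return -1;                                 /* too many Accept headers */
    copy_value(st->accept[st->n_accept], MAX_VALUE, line, len);
    st->n_accept++;
    return 0;
}

/* Build a constructed SUBSCRIBE message carrying n Accept headers. */
static void build_subscribe(char *buf, size_t buflen, int n) {
    size_t off = 0;
    int w = snprintf(buf, buflen,
                     "SUBSCRIBE sip:alice@example.invalid SIP/2.0\r\nEvent: presence\r\n");
    if (w < 0 || (size_t)w >= buflen) return;
    off = (size_t)w;
    for (int i = 0; i < n; i++) {
        w = snprintf(buf + off, buflen - off, "Accept: application/pidf+xml;q=%d\r\n", i);
        if (w < 0 || (size_t)w >= buflen - off) return;
        off += (size_t)w;
    }
    snprintf(buf + off, buflen - off, "\r\n");
}

/* Returns the number of Accept values stored, or -1 when the hardened
 * handler rejected the request for exceeding MAX_ACCEPT. */
int handle_subscribe_checked(const char *msg) {
    struct sub_state st = { .n_accept = 0 };
    if (for_each_accept(msg, &st, store_checked) != 0) return -1;
    return (int)st.n_accept;
}

/* Convenience wrapper: build a message with n headers and handle it. */
int demo(int n_headers) {
    char buf[8192];
    build_subscribe(buf, sizeof buf, n_headers);
    return handle_subscribe_checked(buf);
}

int main(void) {
    printf("32 Accept headers -> %d\n", demo(32));
    printf("33 Accept headers -> %d\n", demo(33));
    return 0;
}
```

The only difference between the two store functions is the single comparison against MAX_ACCEPT before the write; with it in place the 33rd header makes the handler return an error instead of writing past the array, which is the behaviour a fixed res_pjsip_pubsub needs.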
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2018-03-09 16:07:15 UTC
This is in the tree now:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=458b342d0d2bbb84666f320612f6a6fc9c061903

Since these concern res_pjsip, Asterisk 11 is not vulnerable and does not need to be cleaned up yet.

Arches, please test & mark stable:
=net-misc/asterisk-13.19.2
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-10 23:15:56 UTC
If only unstable 13.x is affected you can just clean up. No stabilization would be required in this case from a security point of view.
Comment 3 Stabilization helper bot gentoo-dev 2018-03-11 00:02:23 UTC
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad net-misc/asterisk/asterisk-13.19.0-r1.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/pjproject-2.6']
> dependency.bad net-misc/asterisk/asterisk-13.19.0-r1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/pjproject-2.6']
> dependency.bad net-misc/asterisk/asterisk-13.19.0-r1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop/gnome) ['>=net-libs/pjproject-2.6']
Comment 4 Agostino Sarubbo gentoo-dev 2018-03-12 10:51:41 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-13 22:27:15 UTC
x86 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-13 22:34:16 UTC
GLSA Vote: no!

@ Maintainer(s): Please clean up and drop =net-misc/asterisk-13.17.2!
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-03-24 00:41:16 UTC
tree is clean.