Bug 771318 (AST-2021-001, AST-2021-002, AST-2021-003, AST-2021-004, AST-2021-005, AST-2021-006, CVE-2020-35776, CVE-2021-26712, CVE-2021-26713, CVE-2021-26714, CVE-2021-26717, CVE-2021-26906)

Summary:	<net-misc/asterisk-{13.38.2, 16.16.2}: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	jaco, proxy-maint
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://github.com/gentoo/gentoo/pull/19836 https://github.com/gentoo/gentoo/pull/20178
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---

Description Sam James archtester

2021-02-18 18:07:42 UTC

* CVE-2020-35776 (AST-2021-001)

If a registered user is tricked into dialing a          
malicious number that sends lots of 181 responses to   
Asterisk, each one will cause a 181 to be sent back to  
the original caller with an increasing number of        
entries in the “Supported” header. Eventually the       
number of entries in the header exceeds the size of     
the entry array and causes a crash.         

Advisory: https://downloads.asterisk.org/pub/security/AST-2021-001.html

* CVE-2021-26717 (AST-2021-002)

When re-negotiating for T.38 if the initial remote      
response was delayed just enough Asterisk would send    
both audio and T.38 in the SDP. If this happened, and   
the remote responded with a declined T.38 stream then   
Asterisk would crash.                                   

Advisory: https://downloads.digium.com/pub/security/AST-2021-002.html

* CVE-2021-26712 (AST-2021-003)

An unauthenticated remote attacker could replay SRTP    
packets which could cause an Asterisk instance          
configured without strict RTP validation to tear down   
calls prematurely.

Advisory: https://downloads.asterisk.org/pub/security/AST-2021-003.html

* CVE-2021-26714 (AST-2021-004)

Due to a signedness comparison mismatch, an             
authenticated WebRTC client could cause a stack         
overflow and Asterisk crash by sending multiple         
hold/unhold requests in quick succession.

Advisory: https://downloads.asterisk.org/pub/security/AST-2021-004.html

* CVE-2021-26906 (AST-2021-005)

Given a scenario where an outgoing call is placed from  
Asterisk to a remote SIP server it is possible for a    
crash to occur.

Advisory: https://downloads.digium.com/pub/security/AST-2021-005.html

Comment 1 Sam James archtester

2021-02-18 18:08:39 UTC

Please bump as appropriate.

Comment 2 John Helmert III archtester

2021-02-19 22:06:19 UTC

It looks like CVE-2021-26713 is also associated with AST-2021-004, at least according to descriptions and references: 
https://nvd.nist.gov/vuln/detail/CVE-2021-26713

Comment 3 John Helmert III archtester

2021-03-05 05:23:16 UTC

AST-2021-006/CVE-2019-15297:

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.


CVE-2019-15297 was also dealt with (and noglsa'd) in bug 689796.

Comment 4 Larry the Git Cow gentoo-dev

2021-03-09 09:44:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=643fd3a04d6bc7ef4f9e737f176516eb258f3d90

commit 643fd3a04d6bc7ef4f9e737f176516eb258f3d90
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-08 22:14:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-09 09:44:29 +0000

    net-misc/asterisk: 16.16.2 (sec bump).
    
    This drops patches applies upstream already, and does a rename because
    16 isn't currently marked stable.
    
    Bug: https://bugs.gentoo.org/771318
    Closes: https://github.com/gentoo/gentoo/pull/19836
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                                    |  2 +-
 .../{asterisk-16.15.1-r2.ebuild => asterisk-16.16.2.ebuild}   |  4 +---
 .../asterisk/files/asterisk-16.16.2-no-var-run-install.patch  | 11 +++++++++++
 3 files changed, 13 insertions(+), 4 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15abf8078312578b23b857e5d1cd68ef0e4e1a89

commit 15abf8078312578b23b857e5d1cd68ef0e4e1a89
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-08 22:15:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-09 09:44:28 +0000

    net-misc/asterisk: 13.38.2 (sec bump).
    
    Straight copy from 13.38.1-r1.
    
    Bug: https://bugs.gentoo.org/771318
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-13.38.2.ebuild | 312 ++++++++++++++++++++++++++++++
 2 files changed, 313 insertions(+)

Comment 5 Jaco Kroon 2021-03-24 09:56:31 UTC

ping x86 & amd64

Comment 6 Sam James archtester

2021-03-25 23:16:45 UTC

x86 done

Comment 7 Sam James archtester

2021-03-26 00:07:59 UTC

amd64 done

all arches done

Comment 8 John Helmert III archtester

2021-03-26 01:14:28 UTC

Please cleanup.

Comment 9 Larry the Git Cow gentoo-dev

2021-03-29 15:29:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1efef6f201184e5a0f0eef99e4f781006c927060

commit 1efef6f201184e5a0f0eef99e4f781006c927060
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-29 14:41:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-29 15:19:10 +0000

    net-misc/asterisk: cleanup insecure
    
    Bug: https://bugs.gentoo.org/771318
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/20178
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                   |   1 -
 net-misc/asterisk/asterisk-13.38.1-r2.ebuild | 313 ---------------------------
 2 files changed, 314 deletions(-)

Comment 10 NATTkA bot gentoo-dev

2021-07-29 17:24:02 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 11 NATTkA bot gentoo-dev

2021-07-29 17:32:28 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:40:22 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 17:48:31 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 18:04:28 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 15 NATTkA bot gentoo-dev

2021-07-29 18:12:46 UTC

Package list is empty or all packages have requested keywords.

Comment 16 Larry the Git Cow gentoo-dev

2024-12-07 08:58:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1b2cfc5c5940faf8ff73b87693e360a0a5ae20b5

commit 1b2cfc5c5940faf8ff73b87693e360a0a5ae20b5
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-07 08:58:41 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-07 08:58:50 +0000

    [ GLSA 202412-03 ] Asterisk: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/771318
    Bug: https://bugs.gentoo.org/803440
    Bug: https://bugs.gentoo.org/838391
    Bug: https://bugs.gentoo.org/884797
    Bug: https://bugs.gentoo.org/920026
    Bug: https://bugs.gentoo.org/937844
    Bug: https://bugs.gentoo.org/939159
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-03.xml | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)