Bug 838391 (AST-2022-001, AST-2022-002, AST-2022-003, CVE-2022-26498, CVE-2022-26499, CVE-2022-26651)

Summary: <net-misc/asterisk-{16.26.1,18.13.0}: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Jaco Kroon <jaco>
Status: IN_PROGRESS ---    
Severity: minor CC: proxy-maint, security
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.digium.com/pipermail/asterisk-announce/2022-April/000849.html
See Also: https://github.com/gentoo/gentoo/pull/26919
Whiteboard: B3 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 857867    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-15 00:49:22 UTC
From URL:

"* AST-2022-001: res_stir_shaken: resource exhaustion with large files
  When using STIR/SHAKEN, it's possible to download files that are not
  certificates. These files could be much larger than what you would expect to
  download.

* AST-2022-002: res_stir_shaken: SSRF vulnerability with Identity header
  When using STIR/SHAKEN, it's possible to send arbitrary requests like GET to
  interfaces such as localhost using the Identity header.

* AST-2022-003: func_odbc: Possible SQL Injection
  Some databases can use backslashes to escape certain characters, such as
  backticks. If input is provided to func_odbc which includes backslashes it is
  possible for func_odbc to construct a broken SQL query and the SQL query to
  fail."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-15 13:10:46 UTC
CVE-2022-26498 (https://downloads.asterisk.org/pub/security/AST-2022-001.html):

An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CVE-2022-26499 (https://downloads.asterisk.org/pub/security/AST-2022-002.html):

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CVE-2022-26651 (https://downloads.asterisk.org/pub/security/AST-2022-003.html):

An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-12 13:51:15 UTC
From the release announcements for 16.26.0, 18.12.0, 19.4.0:

"Security bugs fixed in this release:
-----------------------------------
 * ASTERISK-29476 - res_stir_shaken: Blind SSRF vulnerabilities
   (Reported by Clint Ruoho)
 * ASTERISK-29838 - ${SQL_ESC()} not correctly escaping a terminating \
   (Reported by Leandro Dardini)
 * ASTERISK-29872 - res_stir_shaken: Resource exhaustion with large files
   (Reported by Benjamin Keith Ford)"
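The escaping defect named in AST-2022-003 above and as ASTERISK-29838 in this comment, as an added example that is not Asterisk's code: a quotes-only escaper beside one that also escapes backslashes, each checked with a small backslash-aware literal scanner. It assumes a MySQL-style dialect where backslash is the escape character inside string literals; the function names are the example's own.

```python
# Added example, not Asterisk's own code: a model of the SQL_ESC escaping defect
# described in AST-2022-003 / ASTERISK-29838. Function names are this example's.
# Assumption: the database uses backslash as an escape character inside string
# literals (MySQL-style); on a dialect without backslash escaping, doubling
# backslashes would itself corrupt the data, so escaping must match the dialect.

def sql_esc_quotes_only(value: str) -> str:
    """Weak form: doubles single quotes but leaves backslashes untouched."""
    return value.replace("'", "''")


def sql_esc_hardened(value: str) -> str:
    """Hardened form: escape the escape character first, then the quote."""
    return value.replace("\\", "\\\\").replace("'", "''")


def literal_is_well_formed(escaped: str) -> bool:
    """Simulate a backslash-aware SQL lexer reading the literal '<escaped>'.

    Returns True only if the closing quote is reached exactly at the end of
    the literal; a trailing backslash that swallows the closing quote, or a
    quote that closes the literal early, both return False.
    """
    text = "'" + escaped + "'"
    i = 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2  # backslash consumes the following character
            continue
        if ch == "'":
            if i + 1 < len(text) and text[i + 1] == "'":
                i += 2  # doubled quote is a literal quote, not a terminator
                continue
            return i == len(text) - 1  # the terminator must be the last char
        i += 1
    return False  # ran off the end: the literal was never closed


def build_query(escape, value: str) -> str:
    """Assemble the kind of query func_odbc builds from dialplan input."""
    return "SELECT name FROM users WHERE ext = '" + escape(value) + "'"


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary value and one ending in a backslash.
    for value in ("O'Reilly", "1001\\"):
        for esc in (sql_esc_quotes_only, sql_esc_hardened):
            print(esc.__name__, repr(value), literal_is_well_formed(esc(value)))
```

The trailing-backslash input is the case the release note describes: the quotes-only escaper leaves the literal unterminated, the hardened one keeps it well-formed.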
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-09 19:02:40 UTC
CVE-2022-31031 (https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202):
https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using `pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 16:40:18 UTC
Please stabilize when ready.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 21:31:12 UTC
Please cleanup when ready.