Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 171884 - net-misc/asterisk AEL possible security issue in switch blocks (CVE-2007-1595)
Summary: net-misc/asterisk AEL possible security issue in switch blocks (CVE-2007-1595)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://bugs.digium.com/view.php?id=9316
Whiteboard: B4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks: 177062
  Show dependency tree
 
Reported: 2007-03-23 07:03 UTC by Sune Kloppenborg Jeppesen
Modified: 2008-01-15 18:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2007-03-23 07:03:43 UTC
From the bug report:
The AEL compiler generates extensions from the "case"s in
 a switch{} block. A SIP user might guess one of the
 sw-X-.. extensions and execute dialplan code which he
 shouldn't be allowed to execute.
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-03-23 13:45:44 UTC
fyi this only affects asterisk 1.4.x which is not in portage (but in the voip overlay).

there is a backport of AEL for asterisk 1.2.x but we do not include it in our patch set.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-25 06:26:25 UTC
Rajiv, do you mean that the fix is only for 1.4? AFAIR AEL has been in Asterisk for some time, at least since 1.2.
Comment 3 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-03-28 02:46:09 UTC
(In reply to comment #2)
you are correct. i originally thought this bug was only in AEL2 but it is in AEL. from
http://bugs.digium.com/view.php?id=9316 

> I have not touched the original AEL compiler in 1.2; it was experimental, and as per
> previous statements, to resolve this bug, the user is encouraged to either
> use the AEL2 patches for 1.2, or to upgrade to 1.4 or trunk.

asterisk 1.2.x maintainers, please patch.
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-03-28 02:48:14 UTC
fyi, links to patches at http://www.securityfocus.com/bid/23155/solution
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-28 06:18:24 UTC
Bah, sorry for the bug spam.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-04 06:47:59 UTC
VOIP please provide an updated ebuild.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-19 20:29:54 UTC
Actually those patches are against a backported AEL2 for asterisk-1.2 which we don't ship.
So i have to pull the backport, check that nothing breaks and only then patch up security-wise...
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-30 12:51:26 UTC
Gustavo, what about putting a note in the ebuild or disable compilation of AEL perhaps?
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-02 11:47:52 UTC
Gustavo did you decide on a course of action?
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-20 07:23:46 UTC
Gustavo did you decide on a course of action?
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-08 06:44:01 UTC
SUSE fixed this issue.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-19 19:03:05 UTC
No they didn't, i've checked their SRPM (asterisk-1.2.13-23.src.rpm for opensuse 10.2) and there's no CVE-2007-1595 patch or any other patch that touches pbx_ael.c
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-19 20:58:15 UTC
I haven't checked the source but according to their advisory the issue is fixed.

http://www.novell.com/linux/security/advisories/2007_34_asterisk.html
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-19 21:00:02 UTC
That's what they say, but it's not fixed in 1.2.13-23 at least (which is the quoted fixed versions for 10.2 and the latest on their ftp too).
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-23 17:45:33 UTC
Gustavo did you inform SUSE about it?
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-01 02:14:29 UTC
gustavoz ping on comment #15
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-02 12:15:38 UTC
NO i didn't notify them, i haven't the slightest clue of who/where to do so.
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-12 21:38:00 UTC
asterisk-1.2.21.1 is in, it disables pbx_ael violently (a user would have to modify the ebuild to re-enable it), warning included in pkg_postinst.

Targets for stabilization are:
net-misc/zaptel-1.2.18
net-libs/libpri-1.2.5
net-misc/asterisk-1.2.21.1
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-14 22:26:05 UTC
thanks Gustavo.
Arches, please test and mark stable:

net-misc/zaptel-1.2.18 (target "~amd64 ~ppc x86")
net-libs/libpri-1.2.5 (target "~amd64 ~ppc x86 sparc")
net-misc/asterisk-1.2.21.1 (target "~alpha ~amd64 ~hppa ~ppc sparc x86")
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-16 22:05:07 UTC
sparc stable.
Comment 21 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-17 19:56:38 UTC
x86 stable, we are last arch, changing status to glsa?
Comment 22 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-17 20:04:29 UTC
Ready for GLSA vote. I tend to vote NO.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-17 20:50:27 UTC
voting NO as well.
Comment 24 Matt Drew (RETIRED) gentoo-dev 2007-07-24 10:48:38 UTC
I also vote no.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-24 11:35:21 UTC
closing without glsa. Feel free to reopen if you disagree.