Bug 177062 - net-misc/asterisk IAX2 unauthorized data disclosure ASA-2007-013
Summary: net-misc/asterisk IAX2 unauthorized data disclosure ASA-2007-013
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugs.digium.com/view.php?id=9638
Whiteboard: B4? [noglsa] jaervosz
Keywords:
Depends on: 171884
Blocks:
Reported: 2007-05-04 16:56 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2007-07-29 22:04 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Asterisk Project Security Advisory - ASA-2007-013 (ASA-2007-013.txt,14.91 KB, text/plain)
2007-05-04 16:57 UTC, Rajiv Aaron Manglani (RETIRED)

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-05-04 16:56:55 UTC
From: Kevin P. Fleming <kpfleming@digium.com>
To: undisclosed-recipients:  ;
Date: Fri, 04 May 2007 11:20:02 -0500
Subject: [asterisk-announce] ASA-2007-013: IAX2 users can cause unauthorized data disclosure

>                     Asterisk Project Security Advisory - ASA-2007-013
>
>    +----------------------------------------------------------------------------------+
>    |       Product        | Asterisk                                                  |
>    |----------------------+-----------------------------------------------------------|
>    |       Summary        | IAX2 users can cause unauthorized data disclosure         |
>    |----------------------+-----------------------------------------------------------|
>    |  Nature of Advisory  | Unauthorized information disclosure                       |
>    |----------------------+-----------------------------------------------------------|
>    |    Susceptibility    | Remote authenticated sessions                             |
>    |----------------------+-----------------------------------------------------------|
>    |       Severity       | Low                                                       |
>    |----------------------+-----------------------------------------------------------|
>    |    Exploits Known    | No                                                        |
>    |----------------------+-----------------------------------------------------------|
>    |     Reported On      | April 27, 2007                                            |
>    |----------------------+-----------------------------------------------------------|
>    |     Reported By      | Tim Panton, Mexuar, <tim@mexuar.com>                      |
>    |                      |                                                           |
>    |                      | Birgit Arkesteijn, Westhawk, <birgit@westhawk.co.uk>      |
>    |----------------------+-----------------------------------------------------------|
>    |      Posted On       | May 4, 2007                                               |
>    |----------------------+-----------------------------------------------------------|
>    |   Last Updated On    | May 4, 2007                                               |
>    |----------------------+-----------------------------------------------------------|
>    |   Advisory Contact   | kpfleming@digium.com                                      |
>    |----------------------+-----------------------------------------------------------|
>    |       CVE Name       | CVE-2007-2488                                             |
>    +----------------------------------------------------------------------------------+
>
[truncated due to bugzilla limit]

will attach full notice...
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-05-04 16:57:53 UTC
Created attachment 118159 [details]
Asterisk Project Security Advisory - ASA-2007-013
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-05 06:48:29 UTC
voip please advise and bump as necessary.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-31 09:41:50 UTC
any news here?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-08 06:43:56 UTC
SUSE fixed this issue.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-12 21:37:31 UTC
asterisk-1.2.21.1 is in and this is supposed to be fixed in >1.2.19 according to digium (though the ChangeLog doesn't explicitly say so).
I'll dig further, in any case 1.2.21.1 should go stable for security bug #171884.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-14 22:27:51 UTC
stabling is done on bug #171884
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-24 11:39:04 UTC
Now that it's stable, time to vote for this one. Not sure about the impact, description says it could cause segv but it seems the attacker can't control the data to create a buffer overflow so I tend to vote no.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-25 05:31:20 UTC
I tend to vote NO on this one, but otoh we could just combine it with bug #185713.
Comment 9 Matt Drew (RETIRED) gentoo-dev 2007-07-25 22:55:50 UTC
I vote no.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-29 22:04:05 UTC
Agreed with Jaervosz, we'll release a GLSA for bug 185713 anyway, so closing this one. Feel free to reopen if you disagree.