Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 218966 (CVE-2008-1897) - <net-misc/asterisk- IAX2 vulnerability (CVE-2008-1897)
Summary: <net-misc/asterisk- IAX2 vulnerability (CVE-2008-1897)
Alias: CVE-2008-1897
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3? [glsa]
Depends on: 249573
Blocks: CVE-2008-3264
  Show dependency tree
Reported: 2008-04-22 23:16 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2009-05-02 17:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-04-22 23:16:30 UTC

[asterisk-announce] Asterisk 1.2.28,, and 1.6.0-beta8 Released
The Asterisk Development Team asteriskteam at
Tue Apr 22 18:05:07 CDT 2008

The Asterisk development team has released versions 1.2.28,, and

All of these releases contain a security patch for the vulnerability described
in the AST-2008-006 security advisory.  1.6.0-beta8 is also a regular update to
the 1.6.0 series with a number of bug fixes over the previous beta release.

Early last year, we made some modifications to the IAX2 channel driver to combat
potential usage of IAX2 in traffic amplification attacks.  Unfortunately, our
fix was not complete and we were not notified of this until the original
reporter of the issue decided to release information on how to exploit it to the

This issue affects all users of IAX2 that have allowed non-authenticated calls.
 For more information on the vulnerability, see the published security advisory.


All releases are available for download from the following location:


Thank you for your continued support of Asterisk!

Javantea originally reported an issue in IAX2, whereby an attacker could send a spoofed IAX2 NEW message, and Asterisk would start sending early audio to the target address, without ever receiving an initial response. That original vulnerability was addressed in June 2007, by requiring a response to the initial NEW message before starting to send any audio.

Javantea subsequently found that we were doing insufficent verification of the ACK response and that the ACK response could be spoofed, just like the initial NEW message. We have addressed this failure with two changes. First, we have started to require that the ACK response contains the unique source call number that we send in our reply to the NEW message. Any ACK response that does not contain the source call number that we have created will be silently thrown away. Second, we have made the generation of our source call number a little more difficult to predict, by randomly selecting a source call number, instead of allocating them sequentially.
Comment 1 Rambaldi 2008-04-23 07:00:41 UTC
fixed in voip overlay for versions and 1.6.0-beta8. 
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 22:15:03 UTC
CVE-2008-1923 was assigned to the original "NEW" issue in June 2007.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 22:27:19 UTC
(In reply to comment #2)
> CVE-2008-1923 was assigned to the original "NEW" issue in June 2007.

This was released with 1.2.20.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-11 13:20:11 UTC
voip, any news here?
Comment 5 Anton Bolshakov 2008-12-15 05:19:43 UTC
This is only first security bug report from 7 others opened.
Somebody has either mask asterisk stable packages in the portage or fix them all.

The way how it is now doesn't make sense for me.

Comment 6 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-03-12 03:33:19 UTC
+*asterisk- (11 Mar 2009)
+  11 Mar 2009; <>
+  +files/1.2.0/asterisk-,
+  +files/1.2.0/asterisk-,
+  +files/1.2.0/asterisk-, +asterisk-
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-12 15:34:40 UTC
Stabling via bug 250748
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:29 UTC
GLSA 200905-01