Bug 250748 - <net-misc/asterisk-1.2.31.1 Denial of Service (CVE-2008-5558)
Summary: <net-misc/asterisk-1.2.31.1 Denial of Service (CVE-2008-5558)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://downloads.digium.com/pub/secur...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 249573
Blocks:
Reported: 2008-12-12 19:33 UTC by Bruno Buss
Modified: 2009-05-02 17:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description Bruno Buss 2008-12-12 19:33:03 UTC
Description:
"There is a possibility to remotely crash an Asterisk server if the server is configured to use realtime IAX2 users. The issue occurs if either an unknown user attempts to authenticate or if a user that uses hostname matching attempts to authenticate.

The problem was due to a broken function call to Asterisk's realtime configuration API."

Also from Secunia:
http://secunia.com/Advisories/32956/

Only 1.2.27 in the portage tree is affected.
Comment 1 stupendoussteve 2008-12-18 01:07:13 UTC
CVE-2008-5558

Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition
B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows
remote attackers to cause a denial of service (crash) via
authentication attempts involving (1) an unknown user or (2) a user
using hostname matching.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 16:34:43 UTC
CVE-2008-5558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5558):
  Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition
  B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows
  remote attackers to cause a denial of service (crash) via
  authentication attempts involving (1) an unknown user or (2) a user
  using hostname matching.

Comment 3 Bruno Buss 2009-01-08 13:00:35 UTC
Ping. Delay for B3 is 20 days...
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2009-03-11 17:48:24 UTC
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
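Review bot: the entry "+  Version bump, for security bugs #250748 and #254304." cites only the Gentoo bug numbers and not CVE-2008-5558, which this bug's description names; adding the CVE identifier to the ChangeLog entry lets anyone auditing the tree match the fixed version to the advisory without consulting Bugzilla.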
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2009-03-12 15:17:00 UTC
Arches, please test and mark stable 1.2.31.1 in the tree. Target keywords:
~alpha amd64 ~hppa ~ppc sparc x86

Alpha, PowerPC, please feel free to mark stable even though you're not stable right now. This is the last ever release in the 1.2 branch and we'll redo keywording from scratch for the 1.6 branch.
This has been tested on a production network for AMD64 using Cisco 7960 phones (SIP firmware) and 2 Patton gateways both connected to 2 ISDN BRI lines from British Telecom.
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2009-03-12 15:19:50 UTC
Arch teams, for your echangelog entries, said keywording will also address security bug #254304.
If you do not have hardware, your usual compilation and QA tests will suffice.
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2009-03-12 17:03:36 UTC
Sparc stable.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2009-03-12 19:38:03 UTC
Stable on alpha, including the requisite net-libs/openh323.
Comment 9 Markus Meier gentoo-dev 2009-03-15 15:12:40 UTC
amd64/x86 stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-03-19 13:07:47 UTC
ppc done
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-23 05:24:59 UTC
HPPA isn't stable, and won't do now:

>>> Compiling source in /dev/shm/portage/net-misc/asterisk-1.2.31.1/work/asterisk-1.2.31.1 ...
 * Building Asterisk...
make: *** No rule to make target `hppa2.0-unknown-linux-gnu-gcc'.  Stop.
 *
 * ERROR: net-misc/asterisk-1.2.31.1 failed.
Comment 12 Tony Vroon (RETIRED) gentoo-dev 2009-03-23 15:58:26 UTC
+  23 Mar 2009; <chainsaw@gentoo.org> -asterisk-1.2.27.ebuild:
+  Remove vulnerable 1.2.27 version now that arch keywording is complete. For
+  security bugs #250748 & #254304.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:16 UTC
GLSA 200905-01