Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 352059 (CVE-2011-0495) - <net-misc/asterisk-{1.6.2.16.2-r2,1.8.2.4}: stack buffer overflow in SIP channel driver (CVE-2011-0495)
Summary: <net-misc/asterisk-{1.6.2.16.2-r2,1.8.2.4}: stack buffer overflow in SIP chan...
Status: RESOLVED FIXED
Alias: CVE-2011-0495
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://downloads.digium.com/pub/secur...
Whiteboard: B1 [glsa]
Keywords:
Depends on: 352137 352335
Blocks: 355967
  Show dependency tree
 
Reported: 2011-01-18 17:36 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-10-24 18:45 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Build log (asterisk-1.6.2.16.2-r1:20110224-223900.log,72.91 KB, text/plain)
2011-02-24 23:25 UTC, Agostino Sarubbo
no flags Details
Build log (dahdi-tools-2.4.0:20110227-124132.log,13.75 KB, text/plain)
2011-02-27 13:12 UTC, Agostino Sarubbo
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-18 17:36:12 UTC
Description When forming an outgoing SIP request while in pedantic mode, a 
               stack buffer can be made to overflow if supplied with          
               carefully crafted caller ID information. This vulnerability    
               also affects the URIENCODE dialplan function and in some       
               versions of asterisk, the AGI dialplan application as well.    
               The ast_uri_encode function does not properly respect the size 
               of its output buffer and can write past the end of it when     
               encoding URIs.  


                   Affected Versions
                Product              Release Series 
         Asterisk Open Source            1.2.x      All versions              
         Asterisk Open Source            1.4.x      All versions              
         Asterisk Open Source            1.6.x      All versions              
         Asterisk Open Source            1.8.x      All versions              
       Asterisk Business Edition         C.x.x      All versions              
              AsteriskNOW                 1.5       All versions              
      s800i (Asterisk Appliance)         1.2.x      All versions              

                                  Corrected In
            Product                              Release                      
     Asterisk Open Source       1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,     
                                       1.6.2.16.1, 1.8.1.2, 1.8.2.1           
   Asterisk Business Edition                     C.3.6.2                      

                                    Patches                            
                                   URL                                 Branch 
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff    1.4    
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff  1.6.1  
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff  1.6.2  
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff    1.8
Comment 1 Tony Vroon gentoo-dev 2011-01-19 12:49:22 UTC
+*asterisk-1.8.2.1 (19 Jan 2011)
+
+  19 Jan 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.1.1-r1.ebuild,
+  -asterisk-1.8.1.1-r2.ebuild, -asterisk-1.8.2.ebuild,
+  +asterisk-1.8.2.1.ebuild:
+  Trim down 1.8 branch by culling vulnerable ebuilds for security bug #352059.
+  Adding 1.8.2.1 which fixes a stack buffer overflow in SIP URI encoding.
+  Patchset unchanged.
Comment 2 Tony Vroon gentoo-dev 2011-01-19 13:16:34 UTC
+*asterisk-1.6.2.16.1 (19 Jan 2011)
+
+  19 Jan 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.14.ebuild,
+  +asterisk-1.6.2.16.1.ebuild:
+  Trim down 1.6.2 branch by culling vulnerable ebuild for security bug #352059.
+  Adding 1.6.2.16.1 which fixes a stack buffer overflow in SIP URI encoding.
+  Patchset unchanged.
Comment 3 Tony Vroon gentoo-dev 2011-01-19 13:55:22 UTC
+*asterisk-1.4.39.1 (19 Jan 2011)
+
+  19 Jan 2011; Tony Vroon <chainsaw@gentoo.org>
+  -files/1.4.0/asterisk-1.4.0-uclibc.patch,
+  -files/1.4.0/asterisk-1.4.0-var_rundir.patch,
+  -files/1.4.0/asterisk-1.4.33-gsm-pic.patch,
+  -files/1.4.0/asterisk-1.4.33-inband-indications.patch,
+  -asterisk-1.4.37.ebuild, -files/1.4.0/asterisk-1.4.37-imap-libs.patch,
+  +asterisk-1.4.39.1.ebuild:
+  Trim down 1.4 branch by culling vulnerable ebuild for security bug #352059.
+  Adding 1.4.39.1 which fixes a stack buffer overflow in SIP URI encoding.
+  Patchset repackaged but otherwise unchanged.
Comment 4 Tony Vroon gentoo-dev 2011-01-19 14:04:00 UTC
Arches please test and stable:
net-libs/libpri-1.4.11.4
net-misc/asterisk-1.4.39.1
net-misc/dahdi-2.4.0-r1
net-misc/dahdi-tools-2.4.0
any additional dependencies

Permission has been granted from the other arch teams (that is alpha, hppa, ppc & sparc) to drop their keywords, see bug #318835 for confirmation. Asterisk 1.2 ebuilds & zaptel infrastructure can then be dropped from portage.
Handling this upgrade in this fashion minimises the load on arch teams. Please voice any disagreements to me on IRC and keep this bug clear of chatter.
Users: bug reports for Asterisk 1.4 go in a *new* report, not this one!
Comment 5 Agostino Sarubbo gentoo-dev 2011-01-19 15:16:42 UTC
net-misc/asterisk-core-sounds-1.4.19 ok
net-misc/asterisk-extra-sounds-1.4.11 ok
net-misc/asterisk-moh-opsound-2.03 ok
net-libs/libpri-1.4.11.4 ok
net-misc/dahdi-2.4.0-r1 ok ( fails test bug 352135 )
net-misc/dahdi-tools-2.4.0 requires: >=sys-kernel/linux-headers-2.6.35
net-misc/asterisk-1.4.39.1 requires also new headers with USE="dahdi"
Comment 6 Agostino Sarubbo gentoo-dev 2011-01-19 15:38:07 UTC
also pulled in with USE="misdn"

net-dialup/misdn
net-dialup/misdnuser
Comment 7 Dane Smith (RETIRED) gentoo-dev 2011-01-19 15:41:34 UTC
Toolchain: of the three >=sys-kernel/linux-headers-2.6.35 packages which is the best candidate for stabilization?

Thanks!
Comment 8 Agostino Sarubbo gentoo-dev 2011-01-19 17:11:24 UTC
(In reply to comment #6)
> also pulled in with USE="misdn"
> 
> net-dialup/misdn
> net-dialup/misdnuser
> 
net-dialup:

we must stabilize misdn and misdnuser.

net-dialup/misdn-1.1.7.2
net-dialup/misdnuser-1.1.7.2

I think, that we stabilize newer version ( chainsaw agree with me)


anyone disagree? / comments ?
Comment 9 Dane Smith (RETIRED) gentoo-dev 2011-01-19 18:01:41 UTC
The enew* issues should be resolved.
The packages potentially blocking linux-headers-2.6.35 are masked pending removal.

I'm currently waiting to hear from the net-dialup herd wrt misdn* and from toolchain@g.o wrt which linux-headers direction we want to go in.
Comment 10 Dane Smith (RETIRED) gentoo-dev 2011-01-19 18:09:14 UTC
(In reply to comment #8)
> (In reply to comment #6)
> > also pulled in with USE="misdn"
> > 
> > net-dialup/misdn
> > net-dialup/misdnuser
> > 
> net-dialup:
> 
> we must stabilize misdn and misdnuser.
> 
> net-dialup/misdn-1.1.7.2
> net-dialup/misdnuser-1.1.7.2
> 
> I think, that we stabilize newer version ( chainsaw agree with me)
> 
> 
> anyone disagree? / comments ?
> 

net-dialup:
net-dialup/misdn-1.1.7.2 is failing looking for CONFIG_PCI_LEGACY which I don't see anywhere in the kernel.

It appears to me like 1.1.9 is released. Could we get a version bump perhaps and then look into a rush stabilization of that? The same should be true for misdnuser.
Comment 11 SpanKY gentoo-dev 2011-01-19 21:27:10 UTC
linux-headers-2.6.36.1 is the best choice of those three
Comment 12 Tony Vroon gentoo-dev 2011-01-19 23:02:52 UTC
New stabilisation target:
net-misc/asterisk-1.4.39.1-r1

Dropped problematic misdn target. QA fixes from AMD64 stable testing by ago. Please abandon any misdn efforts, they are no longer required. Do proceed with stabling the headers please.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-20 07:56:18 UTC
Per http://www.openwall.com/lists/oss-security/2011/01/19/3 this has been assigned CVE-2011-0495.
Comment 14 Agostino Sarubbo gentoo-dev 2011-01-20 10:29:50 UTC
(In reply to comment #12)
> New stabilisation target:
> net-misc/asterisk-1.4.39.1-r1

all open bugs have been fixed, ok for me. Expect instructions on linux-headers

Dropped USE=misdn; @net-dialup sorry for the spam
Comment 15 Dane Smith (RETIRED) gentoo-dev 2011-01-20 13:23:13 UTC
I recall Ssuominen mentioning an issue with 2.6.36 headers for gnome, so I CC'd. We should make sure were not going to break something, so i'd hold on that stabilization for just a bit.
Comment 16 Ryan Hill (RETIRED) gentoo-dev 2011-01-20 19:26:29 UTC
How about you file a bug to get linux-headers stable and cc him there?
Comment 17 SpanKY gentoo-dev 2011-01-20 19:40:53 UTC
yeah ... if you want to get a new linux-headers stabilized, you'll need to file a sep bug for it
Comment 18 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2011-01-21 05:54:13 UTC
	From: 	Asterisk Development Team <asteriskteam@digium.com>
	Subject: 	[asterisk-announce] Asterisk 1.8.2.2 Now Available (Security Release)
	Date: 	January 20, 2011 4:19:59 PM EST
	To: 	Asterisk Development Team <asteriskteam@digium.com>

The Asterisk Development Team has announced a release for the security issue
described in AST-2011-001.

Due to a failed merge, Asterisk 1.8.2.1 which should have included the security
fix did not. Asterisk 1.8.2.2 contains the the changes which should have been
included in Asterisk 1.8.2.1.

This releases is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2,
1.8.1.2, and 1.8.2.2 resolve an issue when forming an outgoing SIP request while
in pedantic mode, which can cause a stack buffer to be made to overflow if
supplied with carefully crafted caller ID information. The issue and resolution
are described in the AST-2011-001 security advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2011-001, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.2

Security advisory AST-2011-001 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-001.pdf

Thank you for your continued support of Asterisk!
Comment 19 Dane Smith (RETIRED) gentoo-dev 2011-01-21 12:51:51 UTC
Opened toolchain bug. Arches are not yet CC'd there. We still do not have a
firm decision on one to stabilize.
Comment 20 Tony Vroon gentoo-dev 2011-01-22 02:35:37 UTC
(In reply to comment #18)
> Due to a failed merge, Asterisk 1.8.2.1 which should have included the 
> security fix did not. Asterisk 1.8.2.2 contains the the changes which 
> should have been included in Asterisk 1.8.2.1.

+*asterisk-1.8.2.2 (22 Jan 2011)
+
+  22 Jan 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.2.1.ebuild,
+  +asterisk-1.8.2.2.ebuild:
+  Upstream reports that a merging accident kept the fix out of the 1.8.2.1
+  tarball. 1.8.2.2 does include the security fix. Removed insecure ebuild.
Comment 21 Thomas Kahle (RETIRED) gentoo-dev 2011-02-15 17:01:20 UTC
I just did linux-headers for x86, so we are ready.  The version to be stabled here does not have ~x86 keyword !!?? Is that an accident or do you intend us to commit directly to stable?
Comment 22 Agostino Sarubbo gentoo-dev 2011-02-22 13:43:21 UTC
fine for me after headers stabilization
Comment 23 Tony Vroon gentoo-dev 2011-02-23 17:59:44 UTC
Arches please test and stable (straight stable if required):
net-misc/asterisk-core-sounds-1.4.19
net-misc/asterisk-extra-sounds-1.4.11
net-misc/asterisk-moh-opsound-2.03
net-libs/libpri-1.4.11.4
net-misc/dahdi-2.4.0-r1
net-misc/dahdi-tools-2.4.0
net-misc/asterisk-1.6.2.16.2

The maintainer for the Asterisk 1.4 ebuilds appears to have evaporated and subsequent bugs were identified. I aim to remove Asterisk 1.2 & 1.4 from portage once this bug runs to completion.
To confirm, this will address both AST-2011-001 & AST-2011-002.
Comment 24 Agostino Sarubbo gentoo-dev 2011-02-23 19:51:56 UTC
tony, can you drop use misdn like precedent version? :)

Anyway, pulled in also media-libs/spandsp; can you take care to see which version stabilize?
Comment 25 Tony Vroon gentoo-dev 2011-02-24 09:34:07 UTC
(In reply to comment #24)
> tony, can you drop use misdn like precedent version? :)

Certainly:
+*asterisk-1.6.2.16.2-r1 (24 Feb 2011)
+
+  24 Feb 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.16.2.ebuild,
+  +asterisk-1.6.2.16.2-r1.ebuild:
+  Drop problematic misdn dependencies from the 1.6.2 branch to aid in security
+  stabilisation. Both the 1.2 and the 1.4 branch are slated for removal and
+  will be masked soon.

> Anyway, pulled in also media-libs/spandsp; can you take care to see which
> version stabilize?

0.0.6_pre12 please. That has the new ABI that this Asterisk version requires; I don't expect any surprises with it.
Comment 26 Agostino Sarubbo gentoo-dev 2011-02-24 12:26:53 UTC
(In reply to comment #25)
> 0.0.6_pre12 please. That has the new ABI that this Asterisk version requires; I
> don't expect any surprises with it.

bug 356299
Comment 27 Tony Vroon gentoo-dev 2011-02-24 13:45:56 UTC
(In reply to comment #26)
> bug 356299
 
+*spandsp-0.0.6_pre12-r1 (24 Feb 2011)
+
+  24 Feb 2011; Tony Vroon <chainsaw@gentoo.org> +spandsp-0.0.6_pre12-r1.ebuild:
+  Drop problematic sse4 & sse5 USE-flags, in GCC 4.5 no such options exist.
+  Closes bug #356299 by Agostino "ago" Sarubbo and hopefully provides a viable
+  stabilisation target for security bug #352059.

Comment 28 Agostino Sarubbo gentoo-dev 2011-02-24 23:25:39 UTC
Created attachment 263729 [details]
Build log
Comment 29 Kerin Millar 2011-02-25 04:23:43 UTC
Re Comment 23 - let's not throw the baby out with the bathwater just yet, eh? Refer to bug 356367 for an updated 1.4 ebuild.
Comment 30 Tony Vroon gentoo-dev 2011-02-25 09:07:33 UTC
(In reply to comment #29)
> Refer to bug 356367 for an updated 1.4 ebuild.

1.6.2 is the new stabilisation target; 1.4 has given me far too much trouble to be a viable target here. Any further discussion in bug #356367; this is not the right forum for it.

Comment 31 Thomas Kahle (RETIRED) gentoo-dev 2011-02-26 17:25:49 UTC
x86 done. Thanks everybody.

aside: Repoman needed --force b/c

variable.usedwithhelpers      2
   net-misc/asterisk/asterisk-1.2.37.ebuild: Helper function is used with D, ROOT, ED, EROOT or EPREFIX on line :250
   net-misc/asterisk/asterisk-1.2.40.ebuild: Helper function is used with D, ROOT, ED, EROOT or EPREFIX on line :250

Comment 32 Tony Vroon gentoo-dev 2011-02-26 18:16:49 UTC
(In reply to comment #31)
> x86 done.

Many thanks Thomas.

> variable.usedwithhelpers      2
>    net-misc/asterisk/asterisk-1.2.37.ebuild:
>    net-misc/asterisk/asterisk-1.2.40.ebuild:

One of the many reasons why 1.2 should go (bitrot). Awaiting ago's okay so AMD64 can go stable, then they will be gone.
Comment 33 Tony Vroon gentoo-dev 2011-02-26 18:32:08 UTC
(In reply to comment #28)
> Created an attachment (id=263729) [details]
> Build log

Good catch, USE=keepsrc strikes again. It is now gone permanently.

+*asterisk-1.6.2.16.2-r2 (26 Feb 2011)
+
+  26 Feb 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.16.2-r1.ebuild,
+  +asterisk-1.6.2.16.2-r2.ebuild, metadata.xml:
+  Transfer stable X86 keyword from -r1 to -r2; removing defective keepsrc
+  USE-flag from ebuild & metadata.xml now. Removal of 1.2 & 1.4 is immanent.

Please retest for AMD64. 

Comment 34 Agostino Sarubbo gentoo-dev 2011-02-27 13:12:24 UTC
Created attachment 264041 [details]
Build log
Comment 35 Tony Vroon gentoo-dev 2011-02-27 16:07:20 UTC
(In reply to comment #34)
> Created an attachment (id=264041) [details]
> Build log

+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> dahdi-tools-2.4.0.ebuild:
+  USE=ppp should DEPEND on net-dialup/ppp. As pointed out by Agostino "ago"
+  Sarubbo in bug #352059.
Comment 36 Agostino Sarubbo gentoo-dev 2011-02-27 17:22:45 UTC
ok! it works :)
Comment 37 Tony Vroon gentoo-dev 2011-02-27 19:05:33 UTC
+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> libpri-1.4.11.4.ebuild:
+  Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago"
+  Sarubbo.

+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> spandsp-0.0.6_pre12-r1.ebuild:
+  Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago"
+  Sarubbo.

+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> dahdi-2.4.0-r1.ebuild:
+  Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago"
+  Sarubbo.

+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> dahdi-tools-2.4.0.ebuild:
+  Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago"
+  Sarubbo.


+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org>
+  asterisk-core-sounds-1.4.19.ebuild:
+  Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago"
+  Sarubbo.


+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org>
+  asterisk-extra-sounds-1.4.11.ebuild:
+  Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago"
+  Sarubbo.

+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org>
+  asterisk-moh-opsound-2.03.ebuild:
+  Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago"
+  Sarubbo.

+  27 Feb 2011; Tony Vroon <chainsaw@gentoo.org> asterisk-1.6.2.16.2-r2.ebuild:
+  Mark stable on AMD64 for security bug #352059. Arch testing by Agostino "ago"
+  Sarubbo.
Comment 38 Tim Sammut (RETIRED) gentoo-dev 2011-02-27 19:51:20 UTC
Thanks, everyone. Added to existing GLSA request (with 355967).
Comment 39 Agostino Sarubbo gentoo-dev 2011-03-04 10:02:48 UTC
you have forgot to remove amd64 from cc :)
Comment 40 GLSAMaker/CVETool Bot gentoo-dev 2011-10-24 18:45:32 UTC
This issue was resolved and addressed in
 GLSA 201110-21 at http://security.gentoo.org/glsa/glsa-201110-21.xml
by GLSA coordinator Tim Sammut (underling).