Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 399507 (CVE-2012-0885) - <net-misc/asterisk-1.8.8.2 : SRTP Video Stream Negotiation DoS Vulnerability (CVE-2012-0885)
Summary: <net-misc/asterisk-1.8.8.2 : SRTP Video Stream Negotiation DoS Vulnerability ...
Status: RESOLVED FIXED
Alias: CVE-2012-0885
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47630/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-20 13:37 UTC by Agostino Sarubbo
Modified: 2012-02-22 20:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-01-20 13:37:38 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to an error within the handling of encrypted streams when negotiating a SRTP video stream and can be exploited to cause a crash.

Successful exploitation requires that video support is not been enabled and the res_srtp module is loaded.

The vulnerability is reported in versions prior to 10.0.1 and 1.8.8.2


Solution:
Update to version 10.0.1 or 1.8.8.2.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2012-01-20 18:06:01 UTC
+*asterisk-10.0.1 (20 Jan 2012)
+*asterisk-1.8.8.2 (20 Jan 2012)
+
+  20 Jan 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.7.1.ebuild,
+  -asterisk-1.8.8.0.ebuild, +asterisk-1.8.8.2.ebuild,
+  -asterisk-10.0.0_rc3.ebuild, -asterisk-10.0.0.ebuild,
+  +asterisk-10.0.1.ebuild:
+  New releases on the 1.8 & 10 branches that address AST-2012-001 /
+  CVE-2012-0885 SRTP video remote crash vulnerability. Culled vulnerable
+  non-stable ebuilds.

Arches, please test & mark stable 1.8.8.2; if the daemon is able to stop & start repeatedly on the default configuration it is functional.
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-20 21:47:38 UTC
amd64 stable
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2012-01-23 15:01:27 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-01-23 15:11:57 UTC
@security: please vote
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-01-26 05:38:31 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-27 14:59:01 UTC
Upstream advisory: http://downloads.asterisk.org/pub/security/AST-2012-001.html

YES, too. New request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-02-08 17:46:53 UTC
CVE-2012-0885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0885):
  chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before
  10.0.1, when the res_srtp module is used and media support is improperly
  configured, allows remote attackers to cause a denial of service (NULL
  pointer dereference and daemon crash) via a crafted SDP message with a
  crypto attribute and a (1) video or (2) text media type, as demonstrated by
  CSipSimple.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-02-22 20:50:09 UTC
This issue was resolved and addressed in
 GLSA 201202-06 at http://security.gentoo.org/glsa/glsa-201202-06.xml
by GLSA coordinator Sean Amoss (ackle).