Bug 408431 (CVE-2012-1183) - <net-misc/asterisk-1.8.10.1: Multiple Vulnerabilities (CVE-2012-{1183,1184})
Summary: <net-misc/asterisk-1.8.10.1: Multiple Vulnerabilities (CVE-2012-{1183,1184})
Status: RESOLVED FIXED
Alias: CVE-2012-1183
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: B1 [glsa]
Reported: 2012-03-16 02:27 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-19 01:52 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2012-03-16 02:27:28 UTC
Asterisk has released two advisories:

http://downloads.asterisk.org/pub/security/AST-2012-002.txt
    Product             Asterisk
    Summary             Remote Crash Vulnerability in Milliwatt Application
    Nature of Advisory  Exploitable Stack Buffer Overflow with locally defined data
    Susceptibility      Remote Unauthenticated Sessions
    Severity            Minor

http://downloads.asterisk.org/pub/security/AST-2012-003.txt
    Product             Asterisk
    Summary             Stack Buffer Overflow in HTTP Manager
    Nature of Advisory  Exploitable Stack Buffer Overflow
    Susceptibility      Remote Unauthenticated Sessions
    Severity            Critical
Comment 1 Tony Vroon gentoo-dev 2012-03-16 10:39:27 UTC
+*asterisk-10.2.1 (16 Mar 2012)
+
+  16 Mar 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-10.0.1.ebuild,
+  -asterisk-10.1.0.ebuild, -asterisk-10.1.2.ebuild, -asterisk-10.1.3.ebuild,
+  -asterisk-10.2.0.ebuild, +asterisk-10.2.1.ebuild:
+  Security update, fixing a remote DoS (no code execution, AST-2012-002) in
+  app_milliwatt and a stack buffer overflow in the HTTP manager interface
+  (remote code injection, AST-2012-003). As per bug #408431 by Tim Sammut.
+  Actually honour the IAX2 trunk frequency, as per Jaco Kroon in bug #408033.
+  Remove vulnerable ebuilds from tree.
Comment 2 Tony Vroon gentoo-dev 2012-03-16 10:45:36 UTC
+*asterisk-1.8.10.1 (16 Mar 2012)
+
+  16 Mar 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.9.2.ebuild,
+  -asterisk-1.8.9.3.ebuild, -asterisk-1.8.10.0.ebuild,
+  +asterisk-1.8.10.1.ebuild:
+  Security update, fixing a remote DoS (no code execution, AST-2012-002) in
+  app_milliwatt and a stack buffer overflow in the HTTP manager interface
+  (remote code injection, AST-2012-003). As per bug #408431 by Tim Sammut.
+  Actually honour the IAX2 trunk frequency, as per Jaco Kroon in bug #408033.
+  Remove vulnerable ebuilds up to last stable from tree.

Arches, please test & mark stable =net-misc/asterisk-1.8.10.1; the repeated stopping & starting of the daemon on the supplied default configuration files is sufficient testing.
Comment 3 Maurizio Camisaschi (amd64 AT) 2012-03-16 13:07:23 UTC
scanelf shows some rdepend missing in the ebuild:

sys-libs/ncurses-5.9
sys-libs/zlib-1.2.5-r2

for everything else amd64 is ok
Comment 4 Tony Vroon gentoo-dev 2012-03-16 19:20:48 UTC
+  16 Mar 2012; Tony Vroon <chainsaw@gentoo.org> asterisk-1.8.10.1.ebuild,
+  asterisk-10.2.1.ebuild:
+  Add missed RDEPENDs, as pointed out by Maurizio "k01" Camisaschi in security
+  bug #408431. Only touching stable candidate and 10 branch.
Comment 5 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-03-16 20:55:09 UTC
amd64: go ahead Mr Tony, stabilize
Comment 6 Tony Vroon gentoo-dev 2012-03-16 21:00:50 UTC
+  16 Mar 2012; Tony Vroon <chainsaw@gentoo.org> asterisk-1.8.10.1.ebuild:
+  Marked stable on AMD64 based on arch testing by Maurizio "k01" Camisaschi &
+  Elijah "Armageddon" El Lazkani in security bug #408431.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-24 17:39:45 UTC
x86 stable
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-03-25 14:52:10 UTC
Thanks, everyone. Already in GLSA draft.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-03-28 10:57:48 UTC
This issue was resolved and addressed in GLSA 201203-21 at http://security.gentoo.org/glsa/glsa-201203-21.xml by GLSA coordinator Sean Amoss (ackle).
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-19 01:52:36 UTC
CVE-2012-1184 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1184):
  Stack-based buffer overflow in the ast_parse_digest function in main/utils.c
  in Asterisk 1.8.x before 1.8.10.1 and 10.x before 10.2.1 allows remote
  attackers to cause a denial of service (crash) or possibly execute arbitrary
  code via a long string in an HTTP Digest Authentication header.

CVE-2012-1183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1183):
  Stack-based buffer overflow in the milliwatt_generate function in the
  Milliwatt application in Asterisk 1.4.x before 1.4.44, 1.6.x before 1.6.2.23,
  1.8.x before 1.8.10.1, and 10.x before 10.2.1, when the o option is used and
  the internal_timing option is off, allows remote attackers to cause a denial
  of service (application crash) via a large number of samples in an audio
  packet.
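The HTTP Digest parsing bug class described for CVE-2012-1184 above, illustrated with added example code that is not Asterisk's ast_parse_digest() nor any code from this bug: a bounded parser for the name="value" pairs of a Digest Authorization header that refuses an over-long value instead of copying it into a fixed-size stack buffer unchecked. The 128-byte limit, the struct and the stored field names are this example's own assumptions.

```c
#include <string.h>

/* Illustrative example, not Asterisk's ast_parse_digest(): copy the
 * name="value" pairs of an HTTP Digest Authorization header into fixed-size
 * stack buffers, refusing any value that would not fit instead of copying it
 * unchecked (the bug class described for CVE-2012-1184 above). */
#define DIGEST_VAL_MAX 128   /* constructed limit for this example */

struct digest_fields {
    char username[DIGEST_VAL_MAX], realm[DIGEST_VAL_MAX],
         nonce[DIGEST_VAL_MAX], response[DIGEST_VAL_MAX];
};

static char *field_for(struct digest_fields *f, const char *key, size_t len)
{
    if (len == 8 && !strncmp(key, "username", 8)) return f->username;
    if (len == 5 && !strncmp(key, "realm", 5))    return f->realm;
    if (len == 5 && !strncmp(key, "nonce", 5))    return f->nonce;
    if (len == 8 && !strncmp(key, "response", 8)) return f->response;
    return NULL;                                 /* keys we do not store */
}

/* Returns 0 on success, -1 on malformed input or an over-long value. */
int parse_digest(const char *hdr, struct digest_fields *out)
{
    const char *p = hdr;
    memset(out, 0, sizeof(*out));
    if (strncmp(p, "Digest ", 7) != 0) return -1;
    p += 7;
    while (*p) {
        const char *key, *val; size_t keylen, vallen; char *dst; int quoted;
        while (*p == ' ' || *p == ',') p++;      /* skip separators */
        if (!*p) break;
        key = p;
        while (*p && *p != '=' && *p != ',') p++;
        if (*p != '=') return -1;                /* key without a value */
        keylen = (size_t)(p++ - key);
        quoted = (*p == '"');                    /* quoted-string or bare token */
        val = (p += quoted);
        while (*p && *p != (quoted ? '"' : ',')) p++;
        if (quoted && *p++ != '"') return -1;    /* unterminated quote */
        vallen = (size_t)(p - val) - (size_t)quoted;
        dst = field_for(out, key, keylen);
        if (!dst) continue;
        if (vallen >= DIGEST_VAL_MAX) return -1; /* bounds check: refuse, never overflow */
        memcpy(dst, val, vallen);
        dst[vallen] = '\0';
    }
    return 0;
}
```

Unknown keys such as uri, qop and nc are parsed and skipped, so the bounds check applies only to the values that are actually copied.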