Bug 482776 (CVE-2013-5641) - <net-misc/asterisk-{1.8.23.1,11.5.1} : two remote crashes (CVE-2013-{5641,5642})
Summary: <net-misc/asterisk-{1.8.23.1,11.5.1} : two remote crashes (CVE-2013-{5641,5642})
Status: RESOLVED FIXED
Alias: CVE-2013-5641
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-28 08:24 UTC by Agostino Sarubbo
Modified: 2014-01-21 04:41 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-08-28 08:24:36 UTC
From http://seclists.org/fulldisclosure/2013/Aug/274 :

              Asterisk Project Security Advisory - AST-2013-004

          Product         Asterisk                                            
          Summary         Remote Crash From Late Arriving SIP ACK With SDP    
     Nature of Advisory   Remote Crash                                        
       Susceptibility     Remote Unauthenticated Sessions                     
          Severity        Major                                               
       Exploits Known     None                                                
        Reported On       February 11, 2013                                   
        Reported By       Colin Cuthbertson                                   
         Posted On        August 27, 2013                                     
      Last Updated On     August 27, 2013                                     
      Advisory Contact    Joshua Colp <jcolp AT digium DOT com>               
          CVE Name        Pending                                             

    Description  A remotely exploitable crash vulnerability exists in the     
                 SIP channel driver if an ACK with SDP is received after the  
                 channel has been terminated. The handling code incorrectly   
                 assumes that the channel will always be present.             

    Resolution  A check has now been added which only parses SDP and applies  
                it if an Asterisk channel is present.                         
                                                                              
                Note that Walter Doekes, OSSO B.V., is responsible for        
                diagnosing and providing the fix for this issue.              

                               Affected Versions
              Product             Release Series  
        Asterisk Open Source          1.8.x       1.8.17.0 and above          
        Asterisk Open Source           11.x       All versions                
         Certified Asterisk           1.8.15      All versions                
         Certified Asterisk            11.2       All versions                

                                  Corrected In
                 Product                              Release                 
          Asterisk Open Source                   1.8.23.1, 11.5.1             
           Certified Asterisk                1.8.15-cert3, 11.2-cert2         

                                     Patches                             
                                SVN URL                                  Revision  
http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.diff         Asterisk  
                                                                         1.8       
http://downloads.asterisk.org/pub/security/AST-2013-004-11.diff          Asterisk  
                                                                         11        
http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.15-cert.diff Certified 
                                                                         Asterisk  
                                                                         1.8.15    
http://downloads.asterisk.org/pub/security/AST-2013-004-11.2-cert.diff   Certified 
                                                                         Asterisk  
                                                                         11.1      

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-21064       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2013-004.pdf and             
    http://downloads.digium.com/pub/security/AST-2013-004.html                

                                Revision History
          Date                 Editor                  Revisions Made         
    2013-08-22         Joshua Colp              Initial revision.             

               Asterisk Project Security Advisory - AST-2013-004
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Comment 1 Agostino Sarubbo gentoo-dev 2013-08-28 08:24:43 UTC
From http://seclists.org/fulldisclosure/2013/Aug/275 :

              Asterisk Project Security Advisory - AST-2013-005

         Product        Asterisk                                              
         Summary        Remote Crash when Invalid SDP is sent in SIP Request  
    Nature of Advisory  Remote Crash                                          
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Major                                                 
      Exploits Known    None                                                  
       Reported On      July 03, 2013                                         
       Reported By      Walter Doekes, OSSO B.V.                              
        Posted On       August 27, 2013                                       
     Last Updated On    August 27, 2013                                       
     Advisory Contact   Matthew Jordan <mjordan AT digium DOT com>            
         CVE Name       Pending                                               

    Description  A remotely exploitable crash vulnerability exists in the     
                 SIP channel driver if an invalid SDP is sent in a SIP        
                 request that defines media descriptions before connection    
                 information. The handling code incorrectly attempts to       
                 reference the socket address information even though that    
                 information has not yet been set.                            

    Resolution  This patch adds checks when handling the various media        
                descriptions that ensures the media descriptions are handled  
                only if we have connection information suitable for that      
                media.                                                        
                                                                              
                Thanks to Walter Doekes of OSSO B.V. for finding, reporting,  
                testing, and providing the fix for this problem.              

                               Affected Versions
                 Product                Release Series    
          Asterisk Open Source               1.8.x        All Versions        
          Asterisk Open Source               10.x         All Versions        
          Asterisk Open Source               11.x         All Versions        
           Certified Asterisk               1.8.15        All Versions        
           Certified Asterisk                11.2         All Versions        
       Asterisk with Digiumphones      10.x-digiumphones  All Versions        

                                  Corrected In
                  Product                              Release                
            Asterisk Open Source              1.8.23.1, 10.12.3, 11.5.1       
             Certified Asterisk                1.8.15-cert3, 11.2-cert2       
         Asterisk with Digiumphones              10.12.3-digiumphones         

                                          Patches                            
                                  SVN URL                                       Revision     
http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.diff             Asterisk 1.8    
http://downloads.asterisk.org/pub/security/AST-2013-005-10.diff              Asterisk 10     
http://downloads.asterisk.org/pub/security/AST-2013-005-10-digiumphones.diff Asterisk        
                                                                             10-digiumphones 
http://downloads.asterisk.org/pub/security/AST-2013-005-11.diff              Asterisk 11     
http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.15.diff          Certified       
                                                                             Asterisk 1.8.15 
http://downloads.asterisk.org/pub/security/AST-2013-005-11.2.diff            Certified       
                                                                             Asterisk 11.2   

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-22007       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2013-005.pdf and             
    http://downloads.digium.com/pub/security/AST-2013-005.html                

                                Revision History
          Date                 Editor                  Revisions Made         
    2013-08-27         Matt Jordan              Initial Revision              

               Asterisk Project Security Advisory - AST-2013-005
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
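The two crash conditions quoted in the advisories above, as an added illustration that is not Asterisk code and not part of this bug report: AST-2013-004, where SDP is applied to a channel that no longer exists, and AST-2013-005, where a media description is handled before any connection information has been seen. Everything here is a hypothetical stand-in for the chan_sip.c logic (struct names, parse_sdp, media_conn, apply_sdp_unchecked, apply_sdp, handle_ack_with_sdp), and the GOOD_SDP/BAD_SDP bodies are constructed for the example. The unchecked and checked forms sit side by side; only the checked one is safe to call with a NULL channel or with BAD_SDP.

```c
#include <stdio.h>
#include <string.h>
#define MAX_MEDIA 4

/* Connection information from a c= line (session-level or media-level). */
struct sdp_conn { int set; char addr[64]; };
struct sdp_media { char type[16]; int port; struct sdp_conn conn; };
struct sdp_session {
    struct sdp_conn conn;              /* session-level c= */
    int media_count;
    struct sdp_media media[MAX_MEDIA];
};
struct channel { char remote_addr[64]; int remote_port; }; /* hypothetical stand-in for the Asterisk channel */

/* Constructed sample bodies. BAD_SDP places both m= lines before the only c=, so the
 * audio stream is described before any connection information exists (AST-2013-005). */
static const char GOOD_SDP[] =
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n";
static const char BAD_SDP[] =
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 31\r\nc=IN IP4 192.0.2.10\r\n";

/* Record c= and m= lines in the order they appear (no ordering checks). 0 on success, -1 if malformed. */
static int parse_sdp(const char *sdp, struct sdp_session *s)
{
    const char *p = sdp;
    memset(s, 0, sizeof(*s));
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128];
        if (len >= sizeof(line)) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r') line[len - 1] = '\0';
        if (strncmp(line, "c=IN IP4 ", 9) == 0) {
            /* before the first m= the address is session-level, afterwards it belongs to the last m= */
            struct sdp_conn *c = s->media_count ? &s->media[s->media_count - 1].conn : &s->conn;
            snprintf(c->addr, sizeof(c->addr), "%s", line + 9);
            c->set = 1;
        } else if (strncmp(line, "m=", 2) == 0) {
            if (s->media_count >= MAX_MEDIA) return -1;
            if (sscanf(line + 2, "%15s %d", s->media[s->media_count].type,
                       &s->media[s->media_count].port) != 2) return -1;
            s->media_count++;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Address applying to media i: media-level c=, else session-level c=, else NULL (m= before any c=). */
static const struct sdp_conn *media_conn(const struct sdp_session *s, int i)
{
    if (s->media[i].conn.set) return &s->media[i].conn;
    if (s->conn.set) return &s->conn;
    return NULL;
}

/* Vulnerable shape: assumes the channel still exists (AST-2013-004) and that an address
 * was set (AST-2013-005). chan == NULL, or a session parsed from BAD_SDP, dereferences NULL. */
static int apply_sdp_unchecked(struct channel *chan, const struct sdp_session *s)
{
    snprintf(chan->remote_addr, sizeof(chan->remote_addr), "%s", media_conn(s, 0)->addr);
    chan->remote_port = s->media[0].port;
    return 0;
}

/* Checked shape mirroring the two fixes: ignore SDP once the channel is gone, and
 * refuse any media description that has no connection information suitable for it. */
static int apply_sdp(struct channel *chan, const struct sdp_session *s)
{
    if (!chan || s->media_count == 0) return -1;   /* late ACK: dialog already torn down */
    for (int i = 0; i < s->media_count; i++)
        if (!media_conn(s, i)) return -1;          /* m= with no applicable c= */
    snprintf(chan->remote_addr, sizeof(chan->remote_addr), "%s", media_conn(s, 0)->addr);
    chan->remote_port = s->media[0].port;
    return 0;
}

/* What a SIP request handler would call for an ACK carrying a body; chan is NULL when the channel was hung up first. */
int handle_ack_with_sdp(struct channel *chan, const char *sdp)
{
    struct sdp_session s;
    if (parse_sdp(sdp, &s) < 0) return -1;
    return apply_sdp(chan, &s);
}

struct channel demo_chan; struct sdp_session demo_sess;
int main(void)
{
    parse_sdp(GOOD_SDP, &demo_sess); apply_sdp_unchecked(&demo_chan, &demo_sess); /* fine on good input */
    printf("unchecked, good input:  %s:%d\n", demo_chan.remote_addr, demo_chan.remote_port);
    printf("checked, late ACK:      %d\n", handle_ack_with_sdp(NULL, GOOD_SDP));
    printf("checked, m= before c=:  %d\n", handle_ack_with_sdp(&demo_chan, BAD_SDP));
    return 0;
}
```

The check in apply_sdp is deliberately done after the whole body is parsed rather than when the m= line is read, because a c= line that follows an m= line is legitimately media-level for that stream; only a media section with neither its own c= nor a session-level one is rejected.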
Comment 2 Tony Vroon gentoo-dev 2013-08-28 10:14:46 UTC
+*asterisk-11.5.1 (28 Aug 2013)
+*asterisk-1.8.23.1 (28 Aug 2013)
+
+  28 Aug 2013; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.22.0.ebuild,
+  -asterisk-1.8.23.0.ebuild, +asterisk-1.8.23.1.ebuild,
+  -asterisk-11.4.0.ebuild, -asterisk-11.5.0.ebuild, +asterisk-11.5.1.ebuild,
+  +files/1.8.0/asterisk.initd7:
+  Security upgrades for AST-2013-004 & AST-2013-005 on both branches.
+  Behavioral improvements for G729 VAD, closes bug #480928. Add missed
+  ownership checks to init script, closes bug #482688. Both by Jaco Kroon.
+  Removed all insecure non-stable ebuilds.
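Review bot: the security sentence in this entry names AST-2013-004 and AST-2013-005 but references neither this bug nor the CVE identifiers, while the two non-security changes each get a "closes bug #..." cross-reference; add "closes bug #482776" (and the CVE-2013-5641/CVE-2013-5642 names once assigned) so the fix can be traced from the ChangeLog back to the tracker entry.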

Arches, please test & mark stable:
=net-misc/asterisk-1.8.23.1
=net-misc/asterisk-11.5.1

A compile test, followed by three stop/start cycles on the default configuration files, will suffice.
Comment 3 Agostino Sarubbo gentoo-dev 2013-08-28 13:46:06 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-28 13:46:16 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-28 20:55:44 UTC
@security: please vote.
Comment 6 Sergey Popov gentoo-dev 2013-08-29 10:47:37 UTC
GLSA vote: yes
Comment 7 Sergey Popov gentoo-dev 2014-01-21 04:13:19 UTC
Added to existing GLSA draft
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 04:15:30 UTC
CVE-2013-5642 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5642):
  The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x
  before 1.8.23.1, 10.x before 10.12.3, and 11.x before 11.5.1; Certified
  Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2; and Asterisk
  Digiumphones 10.x-digiumphones before 10.12.3-digiumphones allows remote
  attackers to cause a denial of service (NULL pointer dereference,
  segmentation fault, and daemon crash) via an invalid SDP that defines a
  media description before the connection description in a SIP request.

CVE-2013-5641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5641):
  The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source
  1.8.17.x through 1.8.22.x, 1.8.23.x before 1.8.23.1, and 11.x before 11.5.1
  and Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2
  allows remote attackers to cause a denial of service (NULL pointer
  dereference, segmentation fault, and daemon crash) via an ACK with SDP to a
  previously terminated channel.  NOTE: some of these details are obtained
  from third party information.
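A version check against the NVD ranges in Comment 8, as an added example that is not Gentoo or Asterisk code: asterisk_cves() and the helper names are hypothetical. It covers Asterisk Open Source 1.8.x, 10.x and 11.x version strings only (a Gentoo -rN revision suffix is tolerated); Certified Asterisk and -digiumphones version strings are out of scope and return 0.

```c
#include <stdio.h>
#include <stdlib.h>

#define CVE_2013_5641 1u   /* AST-2013-004: late ACK with SDP */
#define CVE_2013_5642 2u   /* AST-2013-005: m= before c= in SDP */

/* Parse up to four dotted numeric components ("1.8.23.1", "11.5.0"); missing ones read
 * as 0, and anything after the last number (e.g. "-r1") is ignored. 1 on success, 0 if
 * the string does not start with a number. */
static int parse_version(const char *s, int out[4])
{
    int n = 0;
    out[0] = out[1] = out[2] = out[3] = 0;
    while (n < 4) {
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s || v < 0) return 0;
        out[n++] = (int)v;
        if (*end != '.') break;
        s = end + 1;
    }
    return 1;
}

static int version_cmp(const int a[4], const int b[4])
{
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 when v is strictly older than the dotted string bound. */
static int older_than(const int v[4], const char *bound)
{
    int b[4];
    parse_version(bound, b);
    return version_cmp(v, b) < 0;
}

/* Bitmask of the CVEs that apply to an Asterisk Open Source version, per the NVD ranges
 * quoted above. 0 for fixed versions and for series the entries do not cover. */
unsigned asterisk_cves(const char *version)
{
    int v[4];
    unsigned cves = 0;
    if (!parse_version(version, v)) return 0;
    if (v[0] == 1 && v[1] == 8) {
        if (older_than(v, "1.8.23.1")) {
            cves |= CVE_2013_5642;                                   /* every 1.8.x */
            if (!older_than(v, "1.8.17.0")) cves |= CVE_2013_5641;   /* 1.8.17.0 and later only */
        }
    } else if (v[0] == 10) {
        if (older_than(v, "10.12.3")) cves |= CVE_2013_5642;         /* 10.x: AST-2013-005 only */
    } else if (v[0] == 11) {
        if (older_than(v, "11.5.1")) cves |= CVE_2013_5641 | CVE_2013_5642;
    }
    return cves;
}

int main(void)
{
    const char *samples[] = { "1.8.22.0", "1.8.16.0", "1.8.23.1", "11.5.0", "11.5.1-r1", "10.12.2" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned c = asterisk_cves(samples[i]);
        printf("%-10s %s%s\n", samples[i], (c & CVE_2013_5641) ? "CVE-2013-5641 " : "",
               (c & CVE_2013_5642) ? "CVE-2013-5642" : "");
    }
    return 0;
}
```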
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 04:41:01 UTC
This issue was resolved and addressed in
 GLSA 201401-15 at http://security.gentoo.org/glsa/glsa-201401-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).