Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 532242 (CVE-2014-9374) - <net-misc/asterisk-{11.14.2,12.7.2}: Remote Crash Vulnerability in WebSocket Server (AST-2014-019) (CVE-2014-9374)
Summary: <net-misc/asterisk-{11.14.2,12.7.2}: Remote Crash Vulnerability in WebSocket ...
Status: RESOLVED FIXED
Alias: CVE-2014-9374
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-11 08:55 UTC by Agostino Sarubbo
Modified: 2014-12-28 19:08 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-11 12:18:47 UTC 
From $[URL}:
When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash.
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2014-12-16 10:20:33 UTC 
+*asterisk-12.7.2 (16 Dec 2014)
+*asterisk-11.14.2 (16 Dec 2014)
+
+  16 Dec 2014; Tony Vroon <chainsaw@gentoo.org> +asterisk-11.14.2.ebuild,
+  -asterisk-12.7.1.ebuild, +asterisk-12.7.2.ebuild:
+  Incorrect and unsafe memory handling (AST-2014-019) in res_http_websocket
+  addressed in both branches, vulnerable non-stable ebuilds removed. For
+  security bug #532242. Enable MeetMe conference support if DAHDI is enabled,
+  as requested by Kristian Fiskerstrand in bug #531486.

Arches, please test & mark stable:
=net-misc/asterisk-11.14.2

Please test with USE="samples" and take the daemon through three stop/start cycles.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-16 11:25:40 UTC 
Changing rating to B3, for some reason I didn't remember this is indeed a stable package.
Comment 4 Agostino Sarubbo gentoo-dev 2014-12-21 11:37:58 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-21 11:42:44 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2014-12-22 12:32:21 UTC 
+  22 Dec 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.14.1.ebuild,
+  +asterisk-11.15.0.ebuild, +asterisk-12.8.0.ebuild:
+  Remove vulnerable stable ebuild for security bug #532242. Add newer ebuilds
+  on both branches which contain primarily crash fixes.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-25 15:43:38 UTC 
GLSA vote: yes
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-12-27 01:56:34 UTC 
CVE-2014-9374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9374):
  Double free vulnerability in the WebSocket Server (res_http_websocket
  module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2, and
  13.x before 13.0.2 and Certified Asterisk 11.6 before 11.6-cert9 allows
  remote attackers to cause a denial of service (crash) by sending a zero
  length frame after a non-zero length frame.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-28 15:16:34 UTC 
GLSA Vote: Yes

Created new GLSA request
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 19:08:40 UTC 
This issue was resolved and addressed in
 GLSA 201412-51 at http://security.gentoo.org/glsa/glsa-201412-51.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).