Bug 720184 - <net-misc/asterisk-{13.33.0,16.10.0}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Keywords: PullRequest
Reported: 2020-04-30 20:18 UTC by Sam James
Modified: 2020-07-26 05:22 UTC
Package list:
=net-misc/asterisk-13.33.0
Runtime testing required: ---
nattka: sanity-check+
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-30 20:18:25 UTC
Fixed in Asterisk 13.33.0:
[ASTERISK-28813] -
func_volume: Allow decimal numbers as parameter to improve granularity
(Reported by Jean Aunis - Prescom)
[ASTERISK-27946] -
dial (API): Storage of dialed target uses AST_MAX_EXTENSION when it shouldn't
(Reported by Joshua Elson)
[ASTERISK-28782] -
Add support for Content-Disposition header in multi-part INVITES
(Reported by Torrey Searle)
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-30 20:18:53 UTC
@maintainer(s), please bump
Comment 2 Larry the Git Cow gentoo-dev 2020-05-04 17:26:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bba8866c2494ca62273be220a18aee165e60aea

commit 9bba8866c2494ca62273be220a18aee165e60aea
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-05-03 11:30:10 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-05-04 17:26:08 +0000

    net-misc/asterisk: version bumps
    
    Switch to media-libs/libilbc for iLBC support.
    Stop installing various scripts I provided a long time ago which are no
    longer needed (tools exist that supersede these now).
    Drop samples IUSE.
    Remove patches that are now upstreamed.
    
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Bug: https://bugs.gentoo.org/720184
    Closes: https://github.com/gentoo/gentoo/pull/15622
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest                |   2 +
 net-misc/asterisk/asterisk-13.33.0.ebuild | 296 +++++++++++++++++++++++++++++
 net-misc/asterisk/asterisk-16.10.0.ebuild | 301 ++++++++++++++++++++++++++++++
 3 files changed, 599 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-04 17:38:57 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself.
Comment 4 Jaco Kroon 2020-05-06 08:03:27 UTC
(In reply to Sam James (sec padawan) from comment #3)
> @maintainer(s), please advise if ready for stabilisation, or call yourself.

I'm happy!  RTP engine didn't blow up on ICE so that covers the portion I was worried about.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-06 13:51:17 UTC
(In reply to Jaco Kroon from comment #4)
> (In reply to Sam James (sec padawan) from comment #3)
> > @maintainer(s), please advise if ready for stabilisation, or call yourself.
> 
> I'm happy!  RTP engine didn't blow up on ICE so that covers the portion I
> was worried about.

Great :)
Comment 6 NATTkA bot gentoo-dev 2020-05-06 13:52:32 UTC
Unable to check for sanity:

> no match for package: =net-misc/asterisk-13.33
Comment 7 Agostino Sarubbo gentoo-dev 2020-05-07 15:59:47 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-05-08 10:46:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Larry the Git Cow gentoo-dev 2020-05-14 22:12:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a66a68bc50f569a9f199820e6a826d3ca9865df3

commit a66a68bc50f569a9f199820e6a826d3ca9865df3
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-05-13 17:49:52 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-05-14 22:12:13 +0000

    net-misc/asterisk: cleanup
    
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Bug: https://bugs.gentoo.org/720184
    Closes: https://github.com/gentoo/gentoo/pull/15779
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 net-misc/asterisk/Manifest                         |   2 -
 net-misc/asterisk/asterisk-13.32.0-r1.ebuild       | 323 ------------------
 net-misc/asterisk/asterisk-16.9.0.ebuild           | 315 -----------------
 .../files/asterisk-13.32.0-binutils-2.34.patch     |  18 -
 .../asterisk-historic-dahdiras-without-root.patch  |  23 --
 .../asterisk-historic-dundi-null-dereference.patch |  40 ---
 ...terisk-historic-invert-gmine-search-order.patch |  12 -
 .../asterisk/files/asterisk-historic-uclibc.patch  |  23 --
 net-misc/asterisk/files/initd-13.32.0              | 380 ---------------------
 9 files changed, 1136 deletions(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 12:53:06 UTC
So, jkroon pointed out the original comment is wrong here (clearly!)

In the 16.8-cert1 release announcement, we had:
"Security bugs fixed in this release:
-----------------------------------
[ASTERISK-28589] -
chan_sip: Depending on configuration an INVITE can alter Addr of a peer
(Reported by Andrey V. T.)
[ASTERISK-28580] -
Bypass SYSTEM write permission in manager action allows system commands execution
(Reported by Eliel Sardañons)
[ASTERISK-28495] -
res_pjsip_t38: 200 OK with SDP answer with declined stream causes crash
(Reported by Alexei Gradinari)
[ASTERISK-28447] -
res_pjsip_messaging: In-dialog MESSAGE with no body causes crash
(Reported by Gil Richard)
[ASTERISK-28465] -
Broken SDP can cause a segfault in a T.38 reINVITE
(Reported by Francesco Castellano)"

And these seem to all be definitely fixed already by now, in previous releases(?).
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:22:27 UTC
GLSA vote: no!

Closing.