From URL: * AST-2021-007: Remote Crash Vulnerability in PJSIP channel driver When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is. * AST-2021-008: Remote crash when using IAX2 channel driver If the IAX2 channel driver receives a packet that contains an * AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during handshake Depending on the timing, itβs possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake. Fixes in 13.38.3, 16.9.1, and 18.5.1, please bump.
For GLSA purposes: Only affected if you're using PJSIP and/or IAX/2, so if you're not using these channel drivers you're all clear. IAX/2 scenario can in most cases only be exploited in a trusted environment *I think* (call needs to first be accepted, ie, authenticated from the looks of it, but I'll need to confirm this in code). PJSIP similar situation for AST-2021-007 at least, in that obviously you need to accept the call before the scenario can occur. For AST-2021-009, if you're not using PJSIP with TLS, then you can also not be affected.
The affected code for the IAX/2 scenario is all in the __get_from_jb(), which is used for media frames only, thus, needs to be in-call to action this crash, and as such I would consider this to require a trusted peer. Alternatively you need to accept anonymous IAX/2 - which is a bad idea to begin with in my opinion.
Unable to check for sanity: > no match for package: =net-misc/asterisk-13.38.3
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93f6d97e4bd66daa168e1790f8cb3b8086854bd1 commit 93f6d97e4bd66daa168e1790f8cb3b8086854bd1 Author: Jaco Kroon <jaco@uls.co.za> AuthorDate: 2021-07-23 05:10:18 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2021-07-23 07:24:58 +0000 net-libs/pjproject: sec bump Upstream not releasing new version, so just bring in the patch to -r2. This addresses AST-2021-009 for Closes: https://bugs.gentoo.org/803440 Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Jaco Kroon <jaco@uls.co.za> Closes: https://github.com/gentoo/gentoo/pull/21752 Signed-off-by: Joonas Niilola <juippis@gentoo.org> ...21-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch | 289 +++++++++++++++++++++ net-libs/pjproject/pjproject-2.10-r2.ebuild | 125 +++++++++ 2 files changed, 414 insertions(+) Additionally, it has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55cd1de3d0127ce7086897e2948e6a829ac7042a commit 55cd1de3d0127ce7086897e2948e6a829ac7042a Author: Jaco Kroon <jaco@uls.co.za> AuthorDate: 2021-07-23 05:03:06 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2021-07-23 07:24:58 +0000 net-misc/asterisk: Security bumps New versions: - 13.38.3 - 16.19.1 - 18.5.1 This addresses AST-2021-007 and AST-2021-008 from Bug: https://bugs.gentoo.org/803440 Both issues here are only "exploitable" by "trusted" peers that have managed to go to in-call status (meaning, we accepted the call). AST-2021-009 will be addressed momentarily in net-libs/pjproject. Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Jaco Kroon <jaco@uls.co.za> Signed-off-by: Joonas Niilola <juippis@gentoo.org> net-misc/asterisk/Manifest | 3 + net-misc/asterisk/asterisk-13.38.3.ebuild | 349 ++++++++++++++++++++++++++++ net-misc/asterisk/asterisk-16.19.1.ebuild | 363 ++++++++++++++++++++++++++++++ net-misc/asterisk/asterisk-18.5.1.ebuild | 362 +++++++++++++++++++++++++++++ 4 files changed, 1077 insertions(+)
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=949a32eef6a11fbb27ca155dbb9f86cba3bed8f7 commit 949a32eef6a11fbb27ca155dbb9f86cba3bed8f7 Author: Jaco Kroon <jaco@uls.co.za> AuthorDate: 2021-07-24 09:23:11 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-07-25 03:59:55 +0000 net-misc/asterisk: Cleanup Bug: https://bugs.gentoo.org/803440 Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Jaco Kroon <jaco@uls.co.za> Closes: https://github.com/gentoo/gentoo/pull/21762 Signed-off-by: Sam James <sam@gentoo.org> net-misc/asterisk/Manifest | 5 - net-misc/asterisk/asterisk-13.38.2-r1.ebuild | 313 ------------------ net-misc/asterisk/asterisk-13.38.2-r4.ebuild | 349 -------------------- net-misc/asterisk/asterisk-13.38.2-r5.ebuild | 349 -------------------- net-misc/asterisk/asterisk-16.18.0-r2.ebuild | 320 ------------------ net-misc/asterisk/asterisk-16.19.0-r1.ebuild | 363 --------------------- net-misc/asterisk/asterisk-18.4.0-r2.ebuild | 363 --------------------- net-misc/asterisk/asterisk-18.5.0-r1.ebuild | 362 -------------------- .../asterisk-13.38.1-r1-func_lock-fix-races.patch | 291 ----------------- .../asterisk-16.18.0-r1-func_lock-fix-races.patch | 177 ---------- 10 files changed, 2892 deletions(-)
*** Bug 808921 has been marked as a duplicate of this bug. ***
