Bug 838391 (AST-2022-001, AST-2022-002, AST-2022-003, CVE-2022-26498, CVE-2022-26499, CVE-2022-26651) - <net-misc/asterisk-{16.26.1,18.13.0}: multiple vulnerabilities
Summary: <net-misc/asterisk-{16.26.1,18.13.0}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: AST-2022-001, AST-2022-002, AST-2022-003, CVE-2022-26498, CVE-2022-26499, CVE-2022-26651
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Jaco Kroon
URL: http://lists.digium.com/pipermail/ast...
Whiteboard: B3 [stable]
Keywords:
Depends on: 857867
Blocks:
Reported: 2022-04-15 00:49 UTC by John Helmert III
Modified: 2022-07-14 14:53 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III 2022-04-15 00:49:22 UTC
From URL:

"* AST-2022-001: res_stir_shaken: resource exhaustion with large files
  When using STIR/SHAKEN, it's possible to download files that are not
  certificates. These files could be much larger than what you would expect to
  download.

* AST-2022-002: res_stir_shaken: SSRF vulnerability with Identity header
  When using STIR/SHAKEN, it's possible to send arbitrary requests like GET to
  interfaces such as localhost using the Identity header.

* AST-2022-003: func_odbc: Possible SQL Injection
  Some databases can use backslashes to escape certain characters, such as
  backticks. If input is provided to func_odbc which includes backslashes it is
  possible for func_odbc to construct a broken SQL query and the SQL query to
  fail."
Comment 1 John Helmert III 2022-04-15 13:10:46 UTC
CVE-2022-26498 (https://downloads.asterisk.org/pub/security/AST-2022-001.html):

An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CVE-2022-26499 (https://downloads.asterisk.org/pub/security/AST-2022-002.html):

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CVE-2022-26651 (https://downloads.asterisk.org/pub/security/AST-2022-003.html):

An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
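The two STIR/SHAKEN issues above (AST-2022-001 and AST-2022-002) are both about what a verifier does with the certificate URL carried in an Identity header: it must not follow that URL to internal interfaces, and it must not read an unbounded body. The added example below, which is not Asterisk code, shows the two defensive checks side by side: a URL policy that accepts only https, refuses embedded credentials, and rejects hosts that are or resolve to loopback, private, link-local or otherwise non-public addresses; and a chunked reader that aborts as soon as the body exceeds a size cap. The cap, the function names, the query template and the sample hostnames are constructed for illustration; `constructed_resolver` replaces DNS so the block runs offline.

```python
# Added example, not Asterisk code: the two checks a STIR/SHAKEN verifier
# needs before fetching the certificate named in an Identity header.
# Names, the size cap and the sample URLs are constructed for illustration.
import io
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed cap: a PEM certificate (chain) is a few kilobytes, so anything
# larger is not the certificate the header claims it is.
MAX_CERT_BYTES = 64 * 1024


class TooLarge(Exception):
    """Raised when the response body exceeds the cap."""


def _is_internal(ip) -> bool:
    # Loopback, RFC 1918, link-local (which includes 169.254.0.0/16 cloud
    # metadata), multicast, reserved and unspecified addresses are never a
    # public certificate host.
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolve(host: str) -> set:
    """Resolve a hostname to the set of addresses it currently maps to."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}


def constructed_resolver(host: str) -> set:
    """Offline stand-in for DNS used by the demo (constructed table)."""
    table = {
        "localhost": {ipaddress.ip_address("127.0.0.1")},
        "cert.example.test": {ipaddress.ip_address("1.2.3.4")},  # sample public address
    }
    if host not in table:
        raise OSError("constructed resolver: unknown host")
    return table[host]


def certificate_url_is_allowed(url: str, resolve=system_resolve) -> bool:
    """Accept only https URLs, without credentials, whose host is a public
    address literal or resolves exclusively to public addresses."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}   # IP literal, no lookup
    except ValueError:
        try:
            addrs = resolve(parts.hostname)
        except OSError:
            return False
    return bool(addrs) and not any(_is_internal(a) for a in addrs)


def read_bounded(stream, limit: int = MAX_CERT_BYTES, chunk: int = 4096) -> bytes:
    """Read the body in chunks and abort as soon as it exceeds `limit`,
    rather than trusting Content-Length or reading to EOF."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise TooLarge(f"response body exceeds {limit} bytes")


def body_within_limit(data: bytes, limit: int = MAX_CERT_BYTES) -> bool:
    """True if `data`, read through read_bounded, stays within the cap."""
    try:
        read_bounded(io.BytesIO(data), limit)
        return True
    except TooLarge:
        return False


if __name__ == "__main__":
    for u in ("https://cert.example.test/ca.pem", "https://localhost/ca.pem",
              "http://1.2.3.4/ca.pem", "https://[::1]/ca.pem"):
        print(u, certificate_url_is_allowed(u, constructed_resolver))
    print(body_within_limit(b"-----BEGIN CERTIFICATE-----\n" * 10))
    print(body_within_limit(b"A" * (MAX_CERT_BYTES + 1)))
```

The address check is done on what the name resolves to, not just on the literal text, because `localhost` and internal names are the common way such a header points at an interface the verifier should never reach. Resolving once and connecting later still leaves a rebinding window, so a production fetcher should connect to the address it validated rather than letting the HTTP client resolve the name a second time.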
Comment 2 John Helmert III 2022-05-12 13:51:15 UTC
From the release announcements for 16.26.0, 18.12.0, 19.4.0:

"Security bugs fixed in this release:
-----------------------------------
 * ASTERISK-29476 - res_stir_shaken: Blind SSRF vulnerabilities
      (Reported by Clint Ruoho)
 * ASTERISK-29838 - ${SQL_ESC()} not correctly escaping a terminating \
      (Reported by Leandro Dardini)
 * ASTERISK-29872 - res_stir_shaken: Resource exhaustion with large files
      (Reported by Benjamin Keith Ford)"
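ASTERISK-29838 names the escaping defect precisely: an escaper that handles quotes but leaves a terminating backslash alone. On a backend where backslash escapes the next character inside a string literal, a value ending in `\` swallows the closing quote of the literal and the query is no longer well-formed, which is the "broken SQL query" the advisory describes. The added example below is not Asterisk code and does not reproduce its patch: it puts a quote-only escaper beside a corrected one that also doubles backslashes, and runs both through a small backslash-aware lexer that reports whether the literal was closed. The query template, the function names and the sample values are constructed; the backend is assumed to treat backslash as an escape character (MySQL style).

```python
# Added example, not Asterisk code: the escaping defect class behind
# ASTERISK-29838 (a trailing backslash defeating an escaper that only doubles
# single quotes) with a corrected escaper beside it.  The template and the
# values are constructed; the backend is assumed to treat backslash as an
# escape character inside string literals (MySQL style).


def naive_sql_esc(value: str) -> str:
    """Doubles single quotes only; a backslash passes through unchanged."""
    return value.replace("'", "''")


def fixed_sql_esc(value: str) -> str:
    """Escape the backslash first, then the quote, so a value ending in a
    backslash can no longer swallow the closing quote of the literal."""
    return value.replace("\\", "\\\\").replace("'", "''")


def build_query(escaped_value: str) -> str:
    # Hypothetical func_odbc-style template with the escaped value spliced in.
    return f"SELECT name FROM users WHERE extension = '{escaped_value}'"


def literal_is_closed(query: str) -> bool:
    """Scan the query the way a backslash-aware SQL lexer does and report
    whether every string literal that was opened is also closed."""
    in_literal = False
    i = 0
    while i < len(query):
        c = query[i]
        if in_literal:
            if c == "\\":                       # escape: skip the next character
                i += 2
                continue
            if c == "'":
                if query[i + 1:i + 2] == "'":   # doubled quote = a literal '
                    i += 2
                    continue
                in_literal = False
        elif c == "'":
            in_literal = True
        i += 1
    return not in_literal


def escaper_survives(value: str) -> tuple:
    """(naive_ok, fixed_ok): whether each escaper yields a well-formed query."""
    return (literal_is_closed(build_query(naive_sql_esc(value))),
            literal_is_closed(build_query(fixed_sql_esc(value))))


if __name__ == "__main__":
    for v in ("1000", "O'Brien", "1000\\"):    # the last value ends in a backslash
        print(repr(v), escaper_survives(v))
```

The caveat in the advisory ("some databases") matters for the fix as much as for the bug: on a backend where backslash is an ordinary character in string literals (PostgreSQL with standard-conforming strings, for instance), doubling it corrupts the stored value instead of protecting the query. Escaping therefore has to follow the quoting rules of the connected driver, and where the query shape allows it, binding the value as a parameter sidesteps the question entirely.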
Comment 3 John Helmert III 2022-06-09 19:02:40 UTC
CVE-2022-31031 (https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202):
https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using `pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue.
Comment 4 John Helmert III 2022-07-13 16:40:18 UTC
Please stabilize when ready.