Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 771318 (AST-2021-001, AST-2021-002, AST-2021-003, AST-2021-004, AST-2021-005, AST-2021-006, CVE-2020-35776, CVE-2021-26712, CVE-2021-26713, CVE-2021-26714, CVE-2021-26717, CVE-2021-26906) - <net-misc/asterisk-{13.38.2, 16.16.2}: Multiple vulnerabilities
Summary: <net-misc/asterisk-{13.38.2, 16.16.2}: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: AST-2021-001, AST-2021-002, AST-2021-003, AST-2021-004, AST-2021-005, AST-2021-006, CVE-2020-35776, CVE-2021-26712, CVE-2021-26713, CVE-2021-26714, CVE-2021-26717, CVE-2021-26906
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-02-18 18:07 UTC by Sam James
Modified: 2024-09-29 07:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 18:07:42 UTC
* CVE-2020-35776 (AST-2021-001)

If a registered user is tricked into dialing a          
malicious number that sends lots of 181 responses to   
Asterisk, each one will cause a 181 to be sent back to  
the original caller with an increasing number of        
entries in the “Supported” header. Eventually the       
number of entries in the header exceeds the size of     
the entry array and causes a crash.         

Advisory: https://downloads.asterisk.org/pub/security/AST-2021-001.html

* CVE-2021-26717 (AST-2021-002)

When re-negotiating for T.38 if the initial remote      
response was delayed just enough Asterisk would send    
both audio and T.38 in the SDP. If this happened, and   
the remote responded with a declined T.38 stream then   
Asterisk would crash.                                   

Advisory: https://downloads.digium.com/pub/security/AST-2021-002.html

* CVE-2021-26712 (AST-2021-003)

An unauthenticated remote attacker could replay SRTP    
packets which could cause an Asterisk instance          
configured without strict RTP validation to tear down   
calls prematurely.

Advisory: https://downloads.asterisk.org/pub/security/AST-2021-003.html

* CVE-2021-26714 (AST-2021-004)

Due to a signedness comparison mismatch, an             
authenticated WebRTC client could cause a stack         
overflow and Asterisk crash by sending multiple         
hold/unhold requests in quick succession.

Advisory: https://downloads.asterisk.org/pub/security/AST-2021-004.html

* CVE-2021-26906 (AST-2021-005)

Given a scenario where an outgoing call is placed from  
Asterisk to a remote SIP server it is possible for a    
crash to occur.

Advisory: https://downloads.digium.com/pub/security/AST-2021-005.html
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 18:08:39 UTC
Please bump as appropriate.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 22:06:19 UTC
It looks like CVE-2021-26713 is also associated with AST-2021-004, at least according to descriptions and references: 
https://nvd.nist.gov/vuln/detail/CVE-2021-26713
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-05 05:23:16 UTC
AST-2021-006/CVE-2019-15297:

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.


CVE-2019-15297 was also dealt with (and noglsa'd) in bug 689796.
Comment 4 Larry the Git Cow gentoo-dev 2021-03-09 09:44:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=643fd3a04d6bc7ef4f9e737f176516eb258f3d90

commit 643fd3a04d6bc7ef4f9e737f176516eb258f3d90
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-08 22:14:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-09 09:44:29 +0000

    net-misc/asterisk: 16.16.2 (sec bump).
    
    This drops patches applies upstream already, and does a rename because
    16 isn't currently marked stable.
    
    Bug: https://bugs.gentoo.org/771318
    Closes: https://github.com/gentoo/gentoo/pull/19836
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                                    |  2 +-
 .../{asterisk-16.15.1-r2.ebuild => asterisk-16.16.2.ebuild}   |  4 +---
 .../asterisk/files/asterisk-16.16.2-no-var-run-install.patch  | 11 +++++++++++
 3 files changed, 13 insertions(+), 4 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15abf8078312578b23b857e5d1cd68ef0e4e1a89

commit 15abf8078312578b23b857e5d1cd68ef0e4e1a89
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-08 22:15:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-09 09:44:28 +0000

    net-misc/asterisk: 13.38.2 (sec bump).
    
    Straight copy from 13.38.1-r1.
    
    Bug: https://bugs.gentoo.org/771318
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-13.38.2.ebuild | 312 ++++++++++++++++++++++++++++++
 2 files changed, 313 insertions(+)
Comment 5 Jaco Kroon 2021-03-24 09:56:31 UTC
ping x86 & amd64
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-25 23:16:45 UTC
x86 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-26 00:07:59 UTC
amd64 done

all arches done
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-26 01:14:28 UTC
Please cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2021-03-29 15:29:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1efef6f201184e5a0f0eef99e4f781006c927060

commit 1efef6f201184e5a0f0eef99e4f781006c927060
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-29 14:41:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-29 15:19:10 +0000

    net-misc/asterisk: cleanup insecure
    
    Bug: https://bugs.gentoo.org/771318
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/20178
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                   |   1 -
 net-misc/asterisk/asterisk-13.38.1-r2.ebuild | 313 ---------------------------
 2 files changed, 314 deletions(-)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:24:02 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:32:28 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:40:22 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:48:31 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 18:04:28 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 18:12:46 UTC
Package list is empty or all packages have requested keywords.