Bug 884797 (AST-2022-007, AST-2022-008, AST-2022-009, CVE-2022-37325, CVE-2022-42705, CVE-2022-42706) - <net-misc/asterisk-{16.29.1,18.15.1}: multiple vulnerabilities
Summary: <net-misc/asterisk-{16.29.1,18.15.1}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: AST-2022-007, AST-2022-008, AST-2022-009, CVE-2022-37325, CVE-2022-42705, CVE-2022-42706
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on: 885831
Blocks:
Reported: 2022-12-08 01:48 UTC by John Helmert III
Modified: 2023-04-30 23:58 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 01:48:54 UTC
CVE-2022-37325 (https://downloads.asterisk.org/pub/security/AST-2022-007.html):

In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.

CVE-2022-42705 (https://downloads.asterisk.org/pub/security/AST-2022-008.html):

A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.

CVE-2022-42706 (https://downloads.asterisk.org/pub/security/AST-2022-009.html):

An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.

Please bump to 16.29.1, 18.15.1.

Also, if anybody knows anybody from upstream, it looks like the HTML <title> for the AST-2022-007 page is wrong:

<title ...>AST-YYYY-NNN</title>
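As an added illustration of the bug class behind the GetConfig item above (a client-supplied filename that is not confined to the configuration directory), the check below resolves the requested name and refuses anything that lands outside that directory. This is example code, not Asterisk's own code or the upstream fix; the directory `/etc/asterisk` and the function names are assumptions.

```python
import os


def resolve_config_path(filename: str, config_dir: str = "/etc/asterisk") -> str:
    """Return the absolute path of `filename` inside `config_dir`.

    Raises ValueError if the name would escape the directory, whether via an
    absolute path, '..' segments, or a symlink that points elsewhere.
    (Illustrative helper; `config_dir` default is an assumption.)
    """
    base = os.path.realpath(config_dir)
    # The traversal-prone pattern is to join the untrusted name and open the
    # result. realpath() collapses '..' and follows symlinks, so the containment
    # test below sees the real target rather than the string the client sent.
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath() compares whole path segments, so '/etc/asterisk2/x' is not
    # mistaken for a child of '/etc/asterisk' the way a plain prefix test would.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing path outside {config_dir}: {filename!r}")
    return candidate


def is_contained(filename: str, config_dir: str = "/etc/asterisk") -> bool:
    """True if a request for `filename` would stay inside the config directory."""
    try:
        resolve_config_path(filename, config_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate, the rest escape.
    for name in ["sip.conf", "./pjsip.conf", "../../etc/passwd",
                 "/etc/passwd", "../asterisk2/sip.conf"]:
        print(f"{name!r:28} -> {'allowed' if is_contained(name) else 'rejected'}")
```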
Comment 1 Larry the Git Cow gentoo-dev 2022-12-13 05:27:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3aff73d53bb063556a8339f32c6af447a430d660

commit 3aff73d53bb063556a8339f32c6af447a430d660
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 22:00:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:40 +0000

    net-libs/pjproject: add 2.13
    
    Bug: https://bugs.gentoo.org/884797
    Closes: https://bugs.gentoo.org/882785
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/pjproject/Manifest              |   1 +
 net-libs/pjproject/pjproject-2.13.ebuild | 139 +++++++++++++++++++++++++++++++
 2 files changed, 140 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6365009d6b2dad0945e875cde7f1592ffa7f4275

commit 6365009d6b2dad0945e875cde7f1592ffa7f4275
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 21:58:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:40 +0000

    net-misc/asterisk: add 20.0.1, drop 20.0.0
    
    Bug: https://bugs.gentoo.org/884797
    Closes: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                                           | 2 +-
 net-misc/asterisk/{asterisk-20.0.0.ebuild => asterisk-20.0.1.ebuild} | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=838265303fe808653fe86bf8e9da6bebc765a4bf

commit 838265303fe808653fe86bf8e9da6bebc765a4bf
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 21:57:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:39 +0000

    net-misc/asterisk: add 18.15.1
    
    Bug: https://bugs.gentoo.org/884797
    Bug: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-18.15.1.ebuild | 376 ++++++++++++++++++++++++++++++
 2 files changed, 377 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5715660f692bb8e4e8b171193bd761ae32497c3

commit a5715660f692bb8e4e8b171193bd761ae32497c3
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 20:48:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:39 +0000

    net-misc/asterisk: add 16.29.1
    
    Bug: https://bugs.gentoo.org/884797
    Bug: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                         |   1 +
 net-misc/asterisk/asterisk-16.29.1.ebuild          | 378 +++++++++++++++++++++
 ...erisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch |  39 +++
 3 files changed, 418 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-13 21:54:41 UTC
Thanks! Please stabilize when ready