Bug 280159 (CVE-2009-2651) - net-misc/asterisk >1.2.33 < Remote Crash Vulnerability in RTP stack (CVE-2009-2651)
Alias: CVE-2009-2651
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Reported: 2009-08-03 10:23 UTC by Doron Fediuck
Modified: 2009-11-07 01:09 UTC
Description Doron Fediuck 2009-08-03 10:23:04 UTC
   | Description | An attacker can cause Asterisk to crash remotely by      |
   |             | sending malformed RTP text frames. While the attacker    |
   |             | can cause Asterisk to crash, he cannot execute arbitrary |
   |             | remote code with this exploit.                           |

   |                           Affected Versions                            |
   |            Product            | Release Series |                       |
   |     Asterisk Open Source      |     1.2.x      | Unaffected            |
   |     Asterisk Open Source      |     1.4.x      | Unaffected            |
   |     Asterisk Open Source      |     1.6.x      | All 1.6.1 versions    |
   |        Asterisk Addons        |     1.2.x      | Unaffected            |
   |        Asterisk Addons        |     1.4.x      | Unaffected            |
   |        Asterisk Addons        |     1.6.x      | Unaffected            |
   |   Asterisk Business Edition   |     A.x.x      | Unaffected            |
   |   Asterisk Business Edition   |     B.x.x      | Unaffected            |
   |   Asterisk Business Edition   |     C.x.x      | Unaffected            |
   |          AsteriskNOW          |      1.5       | Unaffected            |
   |  s800i (Asterisk Appliance)   |     1.2.x      | Unaffected            |

   |                              Corrected In                              |
   |                   Product                   |         Release          |
   |         Open Source Asterisk 1.6.1          |          |
Comment 1 Doron Fediuck 2009-08-03 11:41:14 UTC
Since masked, changed to ~3 (Trivial).
Comment 2 Thomas Stein 2009-08-07 12:53:14 UTC
Version bump is easy. The patches apply to just fine. Just rename asterisk- and the ebuild.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 01:08:18 UTC
appeared in portage. Closing noglsa as there was never a stable
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 01:09:21 UTC
1.6.x, of course.