Bug 308061 (CVE-2010-0441) - net-misc/asterisk: multiple vulnerabilities (CVE-2010-{0441,0685})
Status: RESOLVED DUPLICATE of bug 303265
Alias: CVE-2010-0441
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: B3 [ebuild]
Reported: 2010-03-06 15:50 UTC by Stefan Behte (RETIRED)
Modified: 2010-03-06 17:37 UTC (History)
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:50:04 UTC
CVE-2010-0441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0441):
  Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before
  1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before
  C.3.3.2, allows remote attackers to cause a denial of service (daemon
  crash) via an SIP T.38 negotiation with an SDP FaxMaxDatagram field
  that is (1) missing, (2) modified to contain a negative number, or
  (3) modified to contain a large number.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:59:27 UTC
CVE-2010-0685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0685):
  The design of the dialplan functionality in Asterisk Open Source
  1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and
  C.x.x, when using the ${EXTEN} channel variable and wildcard pattern
  matches, allows context-dependent attackers to inject strings into
  the dialplan using metacharacters that are injected when the variable
  is expanded, as demonstrated using the Dial application to process a
  crafted SIP INVITE message that adds an unintended outgoing channel
  leg.  NOTE: it could be argued that this is not a vulnerability in
  Asterisk, but a class of vulnerabilities that can occur in any
  program that uses this feature without the associated filtering
  functionality that is already available.

Comment 2 Tony Vroon (RETIRED) gentoo-dev 2010-03-06 16:18:25 UTC
To confirm: sufficiently new ebuilds are in the tree, and vulnerable ebuilds have been purged. This happened two weeks ago:
*asterisk-1.6.2.4 (21 Feb 2010)
*asterisk-1.6.1.16 (21 Feb 2010)

  21 Feb 2010; <chainsaw@gentoo.org> +asterisk-1.6.1.16.ebuild,
  -asterisk-1.6.2.2.ebuild, -asterisk-1.6.2.2-r1.ebuild,
  +asterisk-1.6.2.4.ebuild:
  Security fix for AST-2010-002 (dial plan wildcard injection vulnerability)
  on the 1.6.1 & 1.6.2 branches. Please read up immediately on the use of
  the Filter command. Deleted vulnerable old ebuilds.

If there is anything for me to do, please clarify.
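
An added example, not part of the bug thread and not Asterisk or Gentoo code: a heuristic Python audit for the pattern described in Comment 1 and the Filter remediation Comment 2 points to. It flags `exten =>` lines whose open wildcard pattern expands `${EXTEN}` without wrapping it in `FILTER()`; the sample dialplan, the peer name `provider` and the function names are constructed for illustration.

```python
import re

# exten => pattern,priority,application(args)
EXTEN_LINE = re.compile(r'^\s*exten\s*=>\s*([^,]+),([^,]+),(.*)$')
# ${FILTER(allowed,${EXTEN...})}: the variable is sanitised before use
FILTERED = re.compile(r'\$\{FILTER\([^,()]*,\$\{EXTEN[^}]*\}\)\}')
# A raw ${EXTEN} or ${EXTEN:offset} expansion
RAW_EXTEN = re.compile(r'\$\{EXTEN[:}]')

def is_open_wildcard(pattern):
    """True for patterns such as _X. or _! that match arbitrary trailing characters."""
    return pattern.startswith('_') and ('.' in pattern or '!' in pattern)

def audit_dialplan(text):
    """Return (line_no, context, pattern, app) for each unfiltered ${EXTEN} use."""
    findings, context = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(';', 1)[0].strip()   # drop ; comments (heuristic)
        if line.startswith('[') and line.endswith(']'):
            context = line[1:-1]
            continue
        m = EXTEN_LINE.match(line)            # assumption: only exten => lines are checked
        if not m:
            continue
        pattern, _prio, app = (part.strip() for part in m.groups())
        if not is_open_wildcard(pattern):
            continue
        if RAW_EXTEN.search(FILTERED.sub('', app)):
            findings.append((line_no, context, pattern, app))
    return findings

# Constructed sample dialplan (not taken from the bug report).
SAMPLE = """\
[from-sip]
exten => _X.,1,Dial(SIP/${EXTEN}@provider)          ; raw expansion
exten => _9X.,1,Dial(SIP/${FILTER(0-9,${EXTEN:1})}@provider)
exten => _NXXXXXX,1,Dial(SIP/${EXTEN}@provider)     ; fixed length, no open wildcard
[internal]
exten => _!,1,Dial(SIP/${EXTEN})
"""

if __name__ == '__main__':
    for line_no, ctx, pat, app in audit_dialplan(SAMPLE):
        print(f'line {line_no} [{ctx}] {pat}: {app}')
```
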
Comment 3 Tony Vroon (RETIRED) gentoo-dev 2010-03-06 16:19:53 UTC
The other vulnerability that you mention is older and was dealt with even earlier:
*asterisk-1.6.1.14 (02 Feb 2010)

  02 Feb 2010; <chainsaw@gentoo.org> -asterisk-1.6.1.12-r1.ebuild,
  -asterisk-1.6.1.13.ebuild, +asterisk-1.6.1.14.ebuild:
  Security update for AST-2010-001; remote T.38 over SIP crash by setting
  FaxMaxDatagram to a negative or exceptionally large value. Init script
  update by Jaco Kroon closes bug #303265. Remove vulnerable 1.6.1 branch
  ebuilds.

*asterisk-1.6.2.2 (02 Feb 2010)

  02 Feb 2010; <chainsaw@gentoo.org> +files/1.6.1/asterisk.initd3,
  -asterisk-1.6.2.0.ebuild, -asterisk-1.6.2.1.ebuild,
  +asterisk-1.6.2.2.ebuild:
  Security update for AST-2010-001; remote T.38 over SIP crash by setting
  FaxMaxDatagram to a negative or exceptionally large value. Init script
  update by Jaco Kroon closes bug #303265. Remove vulnerable 1.6.2 branch
  ebuilds.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 17:37:46 UTC
Sorry!

*** This bug has been marked as a duplicate of bug 303265 ***