Bug 359767 (CVE-2011-1174) - <net-misc/asterisk-{1.6.2.17.2,1.8.3.2}: multiple vulnerabilities (CVE-2011-{1174,1175})
Status: RESOLVED FIXED
Alias: CVE-2011-1174
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Reported: 2011-03-21 13:58 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-10-24 18:45 UTC
Runtime testing required: ---
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-21 13:58:22 UTC
Upstream advisories:
http://downloads.asterisk.org/pub/security/AST-2011-003.html
http://downloads.asterisk.org/pub/security/AST-2011-004.html

Rapidly opening manager connections, sending invalid data, and closing the connection can cause Asterisk to exhaust available CPU and memory resources. The manager interface is disabled by default.

Rapidly opening and closing TCP connections to services using the ast_tcptls_* API (primarily chan_sip, manager, and res_phoneprov) can cause Asterisk to crash after dereferencing a NULL pointer.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:15:34 UTC
Adding CVE assignment per http://www.openwall.com/lists/oss-security/2011/03/21/12.

> > AST-2011-003:
> > http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
> > - resource exhaustion DoS in Asterisk Manager Interface
http://downloads.asterisk.org/pub/security/AST-2011-003.html

Use CVE-2011-1174

> > 
> > AST-2011-004:
> > http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
> > - DoS in TCP/TLS server due to NULL ptr deref
http://downloads.asterisk.org/pub/security/AST-2011-004.html

Use CVE-2011-1175
Comment 2 Tony Vroon gentoo-dev 2011-03-23 11:07:50 UTC
+*asterisk-1.8.3.2 (23 Mar 2011)
+
+  23 Mar 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.2.4.ebuild,
+  -asterisk-1.8.3.ebuild, +asterisk-1.8.3.2.ebuild:
+  Secure ebuild for the 1.8 branch; robustness fixes for the manager interface.
+  As per advisory AST-2011-003, a denial of service is possible through
+  resource exhaustion in previous versions. As per advisory AST-2011-004, it is
+  possible to cause a NULL pointer dereference by rapidly opening & closing
+  TCP/TLS connections. Removed insecure ebuilds.
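Review bot: the 1.8 ChangeLog entry names advisories AST-2011-003 and AST-2011-004 but neither the CVE identifiers already assigned in comment 1 (CVE-2011-1174, CVE-2011-1175) nor this bug number; the 1.6.2 entry in comment 3 carries the bug reference and the removal entry in comment 10 carries the CVEs, so closing this entry with "For security bug #359767 (CVE-2011-1174, CVE-2011-1175)" would make the three entries consistent and searchable by either identifier.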
Comment 3 Tony Vroon gentoo-dev 2011-03-23 11:21:15 UTC
+*asterisk-1.6.2.17.2 (23 Mar 2011)
+
+  23 Mar 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.17.ebuild,
+  +asterisk-1.6.2.17.2.ebuild:
+  Secure ebuild for the 1.6.2 branch; robustness fixes for the manager
+  interface. As per advisory AST-2011-003, a denial of service is possible
+  through resource exhaustion in previous versions. As per advisory
+  AST-2011-004, it is possible to cause a NULL pointer dereference by rapidly
+  opening & closing TCP/TLS connections. Removed all but the last stable
+  ebuild. For security bug #359767 filed by Pawel Hajdan, Jr.
Comment 4 Tony Vroon gentoo-dev 2011-03-23 11:24:31 UTC
Arches, please test & mark stable (on the default configuration, you should be able to repeatedly start & stop the daemon) net-misc/asterisk-1.6.2.17.2 which obsoletes the insecure net-misc/asterisk-1.6.2.16.2-r2 ebuild.
I do not expect this request to have any dependencies, but if it does, please proceed where possible.
Comment 5 Agostino Sarubbo gentoo-dev 2011-03-23 12:29:54 UTC
amd64 ok
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2011-03-23 12:33:35 UTC
amd64 done, thanks Agostino
Comment 7 Andreas Schürch gentoo-dev 2011-03-23 14:28:30 UTC
Looks good on x86. 
The two revdeps (net-misc/asterisk-chan_sccp & net-misc/asterisk-app_conference) do not compile, but that was already the case with the current stable asterisk...
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-03-23 16:28:16 UTC
x86 stable. Thanks Andreas
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-03-23 16:32:10 UTC
Thanks, folks. Added to existing GLSA request.
Comment 10 Tony Vroon gentoo-dev 2011-03-23 16:35:33 UTC
+  23 Mar 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.16.2-r2.ebuild:
+  Remove vulnerable ebuild for CVE-2011-1174 & CVE-2011-1175 now that a secure
+  ebuild has been stabled.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:17:53 UTC
CVE-2011-1175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1175):
  tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before
  1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote
  attackers to cause a denial of service (NULL pointer dereference and daemon
  crash) by establishing many short TCP sessions to services that use a
  certain TLS API.

CVE-2011-1174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1174):
  manager.c in Asterisk Open Source 1.6.1.x before 1.6.1.24, 1.6.2.x before
  1.6.2.17.2, and 1.8.x before 1.8.3.2 allows remote attackers to cause a
  denial of service (CPU and memory consumption) via a series of manager
  sessions involving invalid data.
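A checker that tests an installed Asterisk version against the two branch-specific affected ranges stated in the NVD text above, added here as an example rather than Gentoo's or Asterisk's own tooling; the dotted-version parsing and the dropping of Gentoo's -rN revision suffix are my assumptions:

```python
"""Check an Asterisk version string against the affected ranges that the NVD
entries for CVE-2011-1174 (manager.c) and CVE-2011-1175 (tcptls.c) give.
Added example, not Gentoo's or Asterisk's own tooling."""

# Affected ranges exactly as the NVD text states them:
# (release branch prefix, first fixed release on that branch).
AFFECTED = {
    "CVE-2011-1174": [((1, 6, 1), (1, 6, 1, 24)),
                      ((1, 6, 2), (1, 6, 2, 17, 2)),
                      ((1, 8), (1, 8, 3, 2))],
    "CVE-2011-1175": [((1, 6, 1), (1, 6, 1, 23)),
                      ((1, 6, 2), (1, 6, 2, 17, 1)),
                      ((1, 8), (1, 8, 3, 1))],
}


def parse_version(version):
    """Turn '1.6.2.16.2-r2' into (1, 6, 2, 16, 2). Gentoo's -rN revision and
    any _rc/_beta suffix are dropped (assumption) because the NVD ranges are
    expressed in upstream release numbers."""
    core = version.split("-", 1)[0].split("_", 1)[0]
    return tuple(int(part) for part in core.split("."))


def affected_cves(version):
    """Return the sorted list of CVE ids whose stated range contains `version`.
    A branch the NVD text does not list (for example 1.4.x) simply never
    matches; that means 'not covered by these entries', not 'known safe'."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for branch, fixed in ranges:
            # Python compares tuples lexicographically, so (1, 6, 2, 17)
            # sorts before (1, 6, 2, 17, 1), i.e. 1.6.2.17 counts as affected.
            if v[:len(branch)] == branch and v < fixed:
                hits.append(cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inputs: the ebuild versions named in this bug plus 1.8.3.1,
    # which the NVD text lists as fixing only CVE-2011-1175.
    for ver in ("1.6.2.16.2-r2", "1.6.2.17.2", "1.8.3.1", "1.8.3.2"):
        print(ver, affected_cves(ver) or "not in a listed affected range")
```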
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-24 18:45:45 UTC
This issue was resolved and addressed in GLSA 201110-21 at http://security.gentoo.org/glsa/glsa-201110-21.xml by GLSA coordinator Tim Sammut (underling).