Bug 399507 (CVE-2012-0885) - <net-misc/asterisk- : SRTP Video Stream Negotiation DoS Vulnerability (CVE-2012-0885)
Summary: <net-misc/asterisk- : SRTP Video Stream Negotiation DoS Vulnerability ...
Alias: CVE-2012-0885
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2012-01-20 13:37 UTC by Agostino Sarubbo
Modified: 2012-02-22 20:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-01-20 13:37:38 UTC
From secunia security advisory at $URL:

The vulnerability is caused due to an error within the handling of encrypted streams when negotiating a SRTP video stream and can be exploited to cause a crash.

Successful exploitation requires that video support has not been enabled and the res_srtp module is loaded.

The vulnerability is reported in versions prior to 10.0.1 and

Update to version 10.0.1 or
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2012-01-20 18:06:01 UTC
+*asterisk-10.0.1 (20 Jan 2012)
+*asterisk- (20 Jan 2012)
+  20 Jan 2012; Tony Vroon <> -asterisk-,
+  -asterisk-, +asterisk-,
+  -asterisk-10.0.0_rc3.ebuild, -asterisk-10.0.0.ebuild,
+  +asterisk-10.0.1.ebuild:
+  New releases on the 1.8 & 10 branches that address AST-2012-001 /
+  CVE-2012-0885 SRTP video remote crash vulnerability. Culled vulnerable
+  non-stable ebuilds.

Arches, please test & mark stable; if the daemon is able to stop & start repeatedly on the default configuration it is functional.
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-20 21:47:38 UTC
amd64 stable
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2012-01-23 15:01:27 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-01-23 15:11:57 UTC
@security: please vote
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-01-26 05:38:31 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-27 14:59:01 UTC
Upstream advisory:

YES, too. New request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-02-08 17:46:53 UTC
CVE-2012-0885 (
  chan_sip.c in Asterisk Open Source 1.8.x before and 10.x before
  10.0.1, when the res_srtp module is used and media support is improperly
  configured, allows remote attackers to cause a denial of service (NULL
  pointer dereference and daemon crash) via a crafted SDP message with a
  crypto attribute and a (1) video or (2) text media type, as demonstrated by
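As an added example (not code from the advisory, the CVE entry or Asterisk), a small Python check that inspects an SDP body as captured in a SIP trace and flags the pattern both the Secunia text in the description and this CVE entry describe: a crypto attribute attached to a video or text media section. The sample offer and the key placeholder in it are constructed here.

```python
"""Flag SDP offers that match the CVE-2012-0885 trigger pattern.

Added example, not Asterisk code: it scans an SDP body (as seen in a SIP
trace) for an a=crypto attribute attached to a video or text media section,
which is the condition the advisory describes for an unpatched Asterisk with
res_srtp loaded and video support disabled.
"""


def parse_media_sections(sdp: str) -> list[dict]:
    """Split an SDP body into its m= sections, collecting attribute lines.

    Returns a list of dicts like {"type": "audio", "attrs": ["rtpmap:...", ...]}.
    Session-level lines before the first m= line are ignored.
    """
    sections = []
    current = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            # m=<media> <port> <proto> <fmt ...>; only the media type matters here
            current = {"type": line[2:].split()[0], "attrs": []}
            sections.append(current)
        elif line.startswith("a=") and current is not None:
            current["attrs"].append(line[2:])
    return sections


def srtp_on_non_audio(sdp: str) -> list[str]:
    """Return the media types (video/text) that carry a crypto attribute."""
    flagged = []
    for sec in parse_media_sections(sdp):
        has_crypto = any(a.startswith("crypto:") for a in sec["attrs"])
        if has_crypto and sec["type"] in ("video", "text"):
            flagged.append(sec["type"])
    return flagged


# Constructed sample offer (not from the advisory): plain audio plus an SRTP video line.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=call",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 4000 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "m=video 4002 RTP/SAVP 96",
    "a=rtpmap:96 H264/90000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<key-placeholder>",
])

if __name__ == "__main__":
    print(srtp_on_non_audio(SAMPLE_SDP))  # ['video']
```

A hit only matters on hosts that still run a vulnerable build with res_srtp loaded and video support off; on patched systems the check is informational.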
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-02-22 20:50:09 UTC
This issue was resolved and addressed in
 GLSA 201202-06 at
by GLSA coordinator Sean Amoss (ackle).