Asterisk has released two advisories: http://downloads.asterisk.org/pub/security/AST-2012-002.txt Product Asterisk Summary Remote Crash Vulnerability in Milliwatt Application Nature of Advisory Exploitable Stack Buffer Overflow with locally defined data Susceptibility Remote Unauthenticated Sessions Severity Minor http://downloads.asterisk.org/pub/security/AST-2012-003.txt Product Asterisk Summary Stack Buffer Overflow in HTTP Manager Nature of Advisory Exploitable Stack Buffer Overflow Susceptibility Remote Unauthenticated Sessions Severity Critical
+*asterisk-10.2.1 (16 Mar 2012) + + 16 Mar 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-10.0.1.ebuild, + -asterisk-10.1.0.ebuild, -asterisk-10.1.2.ebuild, -asterisk-10.1.3.ebuild, + -asterisk-10.2.0.ebuild, +asterisk-10.2.1.ebuild: + Security update, fixing a remote DoS (no code execution, AST-2012-002) in + app_milliwatt and a stack buffer overflow in the HTTP manager interface + (remote code injection, AST-2012-003). As per bug #408431 by Tim Sammut. + Actually honour the IAX2 trunk frequency, as per Jaco Kroon in bug #408033. + Remove vulnerable ebuilds from tree.
+*asterisk-1.8.10.1 (16 Mar 2012) + + 16 Mar 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.9.2.ebuild, + -asterisk-1.8.9.3.ebuild, -asterisk-1.8.10.0.ebuild, + +asterisk-1.8.10.1.ebuild: + Security update, fixing a remote DoS (no code execution, AST-2012-002) in + app_milliwatt and a stack buffer overflow in the HTTP manager interface + (remote code injection, AST-2012-003). As per bug #408431 by Tim Sammut. + Actually honour the IAX2 trunk frequency, as per Jaco Kroon in bug #408033. + Remove vulnerable ebuilds up to last stable from tree. Arches, please test & mark stable =net-misc/asterisk-1.8.10.1; the repeated stopping & starting of the daemon on the supplied default configuration files is sufficient testing.
scanelf shows some rdepend missing in the ebuild: sys-libs/ncurses-5.9 sys-libs/zlib-1.2.5-r2 for everything else amd64 is ok
+ 16 Mar 2012; Tony Vroon <chainsaw@gentoo.org> asterisk-1.8.10.1.ebuild, + asterisk-10.2.1.ebuild: + Add missed RDEPENDs, as pointed out by Maurizio "k01" Camisaschi in security + bug #408431. Only touching stable candidate and 10 branch.
amd64: go ahead Mr Tony, stabilize
+ 16 Mar 2012; Tony Vroon <chainsaw@gentoo.org> asterisk-1.8.10.1.ebuild: + Marked stable on AMD64 based on arch testing by Maurizio "k01" Camisaschi & + Elijah "Armageddon" El Lazkani in security bug #408431.
x86 stable
Thanks, everyone. Already in GLSA draft.
This issue was resolved and addressed in GLSA 201203-21 at http://security.gentoo.org/glsa/glsa-201203-21.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2012-1184 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1184): Stack-based buffer overflow in the ast_parse_digest function in main/utils.c in Asterisk 1.8.x before 1.8.10.1 and 10.x before 10.2.1 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in an HTTP Digest Authentication header. CVE-2012-1183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1183): Stack-based buffer overflow in the milliwatt_generate function in the Miliwatt application in Asterisk 1.4.x before 1.4.44, 1.6.x before 1.6.2.23, 1.8.x before 1.8.10.1, and 10.x before 10.2.1, when the o option is used and the internal_timing option is off, allows remote attackers to cause a denial of service (application crash) via a large number of samples in an audio packet.
