Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 418189 (CVE-2012-2947) - <net-misc/asterisk-{1.8.12.1,10.4.1} : IAX2 Remote crash vulnerability (CVE-2012-2947)
Summary: <net-misc/asterisk-{1.8.12.1,10.4.1} : IAX2 Remote crash vulnerability (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2012-2947
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://downloads.digium.com/pub/secur...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: CVE-2012-2948
  Show dependency tree
 
Reported: 2012-05-29 22:17 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2012-06-21 00:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2012-05-29 22:17:03 UTC
Asterisk Project Security Advisory - AST-2012-007

         Product        Asterisk                                             
         Summary        Remote crash vulnerability in IAX2 channel driver.   
   Nature of Advisory   Remote crash                                         
     Susceptibility     Established calls                                    
        Severity        Moderate                                             
     Exploits Known     No                                                   
       Reported On      March 21, 2012                                       
       Reported By      mgrobecker                                           
        Posted On       May 29, 2012                                         
     Last Updated On    May 29, 2012                                         
    Advisory Contact    Richard Mudgett < rmudgett AT digium DOT com >       
        CVE Name        CVE-2012-2947                                        

   Description  A remotely exploitable crash vulnerability exists in the     
                IAX2 channel driver if an established call is placed on      
                hold without a suggested music class. For this to occur,     
                the following must take place:                               

                1. The setting mohinterpret=passthrough must be set on the   
                end placing the call on hold.                                

                2. A call must be established.                               

                3. The call is placed on hold without a suggested            
                music-on-hold class name.                                    

                When these conditions are true, Asterisk will attempt to     
                use an invalid pointer to a music-on-hold class name. Use    
                of the invalid pointer will either cause a crash or the      
                music-on-hold class name will be garbage.                    

   Resolution  Asterisk now sets the extra data parameter to null if the     
               received control frame does not have any extra data.          

                              Affected Versions
               Product              Release Series  
         Certified Asterisk          1.8.11-cert    All versions             
        Asterisk Open Source            1.8.x       All versions             
        Asterisk Open Source             10.x       All versions             

                                 Corrected In
                  Product                              Release               
            Certified Asterisk                      1.8.11-cert2             
           Asterisk Open Source                   1.8.12.1, 10.4.1           

                                      Patches                           
                               SVN URL                                    Revision   
http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.11-cert.diff v1.8.11-cert 
http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.diff         v1.8         
http://downloads.asterisk.org/pub/security/AST-2012-007-10.diff          v10          

      Links     https://issues.asterisk.org/jira/browse/ASTERISK-19597       

   Asterisk Project Security Advisories are posted at                        
   http://www.asterisk.org/security                                          

   This document may be superseded by later versions; if so, the latest      
   version will be posted at                                                 
   http://downloads.digium.com/pub/security/AST-2012-007.pdf and             
   http://downloads.digium.com/pub/security/AST-2012-007.html                

                               Revision History
         Date                  Editor                 Revisions Made         
   05/29/2012         Richard Mudgett           Initial release.             

              Asterisk Project Security Advisory - AST-2012-007
             Copyright (c) 2012 Digium, Inc. All Rights Reserved.
 Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.
Comment 1 Tony Vroon gentoo-dev 2012-05-29 22:37:45 UTC
+*asterisk-10.4.1 (29 May 2012)
+*asterisk-1.8.12.1 (29 May 2012)
+
+  29 May 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.12.0.ebuild,
+  +asterisk-1.8.12.1.ebuild, -asterisk-10.3.1.ebuild, -asterisk-10.4.0.ebuild,
+  +asterisk-10.4.1.ebuild:
+  Security updates in the 1.8 & 10 branches for an IAX2 remote crash, bug
+  #418189 (AST-2012-007/CVE-2012-2947) and an SCCP channel driver remote crash,
+  bug #418191 (AST-2012-008/CVE-2012-2948). Both filed by Rajiv Aaron Manglani.
+  Removed vulnerable ebuilds up to last stable.

Arches, please test & mark stable =net-misc/asterisk-1.8.12.1; compile test followed by a repeated stop/start cycle on the default config files will suffice. Could the last arch please remove the vulnerable 1.8.11.1 which is the current stable.
Comment 2 Tony Vroon gentoo-dev 2012-05-29 22:38:17 UTC
+*asterisk-10.4.1 (29 May 2012)
+*asterisk-1.8.12.1 (29 May 2012)
+
+  29 May 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.12.0.ebuild,
+  +asterisk-1.8.12.1.ebuild, -asterisk-10.3.1.ebuild, -asterisk-10.4.0.ebuild,
+  +asterisk-10.4.1.ebuild:
+  Security updates in the 1.8 & 10 branches for an IAX2 remote crash, bug
+  #418189 (AST-2012-007/CVE-2012-2947) and an SCCP channel driver remote crash,
+  bug #418191 (AST-2012-008/CVE-2012-2948). Both filed by Rajiv Aaron Manglani.
+  Removed vulnerable ebuilds up to last stable.

Stabilisation being handled in bug #418191.
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-30 07:11:34 UTC
x86 stable
Comment 4 Maurizio Camisaschi (amd64 AT) 2012-05-30 09:01:09 UTC
amd64 ok
Comment 5 Agostino Sarubbo gentoo-dev 2012-05-30 10:41:21 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-05-30 10:43:02 UTC
removed old. @security, go ahead with glsa.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:32:43 UTC
CVE-2012-2947 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2947):
  chan_iax2.c in the IAX2 channel driver in Certified Asterisk 1.8.11-cert
  before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x
  before 10.4.1, when a certain mohinterpret setting is enabled, allows remote
  attackers to cause a denial of service (daemon crash) by placing a call on
  hold.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 00:50:03 UTC
This issue was resolved and addressed in
 GLSA 201206-05 at http://security.gentoo.org/glsa/glsa-201206-05.xml
by GLSA coordinator Sean Amoss (ackle).