Bug 633856 (CVE-2017-14603) - <net-misc/asterisk-{11.25.3,13.17.2}: insufficient RTCP packet validation could allow reading stale buffer contents
Status: RESOLVED FIXED
Alias: CVE-2017-14603
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B4 [glsa cve blocked]
Depends on: CVE-2017-14099, CVE-2017-14100
Reported: 2017-10-09 15:50 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-10-29 19:15 UTC
Description Aleksandr Wagner (Kivak) 2017-10-09 15:50:40 UTC
CVE-2017-14603 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14603):

In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6, insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report. 

References:

http://downloads.asterisk.org/pub/security/AST-2017-008.html
https://issues.asterisk.org/jira/browse/ASTERISK-27274
http://www.debian.org/security/2017/dsa-3990
Comment 1 Aleksandr Wagner (Kivak) 2017-10-09 15:52:53 UTC
Stabilization for version 11.25.3 will be done in bug 629682.
Comment 2 D'juan McDonald (domhnall) 2017-10-27 15:42:13 UTC
Added to an existing GLSA request.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 19:15:10 UTC
This issue was resolved and addressed in
 GLSA 201710-29 at https://security.gentoo.org/glsa/201710-29
by GLSA coordinator Aaron Bauman (b-man).