Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 619556 (CVE-2017-9358, CVE-2017-9359, CVE-2017-9372) - <net-misc/asterisk-13.15.1: multiple vulnerabilities (CVE-2017-{9358,9359,9372})
Summary: <net-misc/asterisk-13.15.1: multiple vulnerabilities (CVE-2017-{9358,9359,9372})
Status: RESOLVED FIXED
Alias: CVE-2017-9358, CVE-2017-9359, CVE-2017-9372
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-24 13:51 UTC by Agostino Sarubbo
Modified: 2017-06-15 20:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-24 13:51:02 UTC
From ${URL} :

Multiple vulnerabilities were fixed in the latest version of asterisk.

AST-2017-002: Buffer Overrun in PJSIP transaction layer

A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key 
generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.

http://downloads.asterisk.org/pub/security/AST-2017-002.html

AST-2017-003: Crash in PJSIP multi-part body parser

The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can 
trigger these invalid reads and potentially induce a crash.

http://downloads.asterisk.org/pub/security/AST-2017-003.html

AST-2017-004: Memory exhaustion on short SCCP packets

A remote memory exhaustion can be triggered by sending an SCCP packet to Asterisk system with “chan_skinny” enabled that is larger than the length of the SCCP header but smaller than the packet length 
specified in the header. The loop that reads the rest of the packet doesn’t detect that the call to read() returned end-of-file before the expected number of bytes and continues infinitely. The “partial 
data” message logging in that tight loop causes Asterisk to exhaust all available memory.

http://downloads.asterisk.org/pub/security/AST-2017-004.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Volkan 2017-06-14 19:45:30 UTC
CVE Numbers

AST-2017-002: Buffer Overrun in PJSIP transaction layer is now CVE-2017-9372
AST-2017-003: Crash in PJSIP multi-part body parser is now CVE-2017-9359
AST-2017-004: Memory exhaustion on short SCCP packets is now CVE-2017-9358
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-06-15 20:10:20 UTC
CVE-2017-9358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9358):
  A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before
  13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before
  13.13-cert4, which can be triggered by sending specially crafted SCCP
  packets causing a infinite loop and leading to memory exhaustion (by message
  logging in that loop).

CVE-2017-9359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9359):
  The multi-part body parser in PJSIP, as used in Asterisk Open Source 13.x
  before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before
  13.13-cert4, and other products, allows remote attackers to cause a denial
  of service (out-of-bounds read and application crash) via a crafted packet.

CVE-2017-9372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9372):
  PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before
  14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products,
  allows remote attackers to cause a denial of service (buffer overflow and
  application crash) via a SIP packet with a crafted CSeq header in
  conjunction with a Via header that lacks a branch parameter.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-15 20:11:26 UTC
The reported vulnerabilities don't affect our stable v11.x version.

v13.x was addressed in bug 614738, see https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddf1da777ba1363c0c0aea3729a9a519d7da2ddc

Repository is clean, all done.