Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 650008 (CVE-2018-7284, CVE-2018-7286) - <net-misc/asterisk-13.19.0-r1: Multiple vulnerabilities
Summary: <net-misc/asterisk-13.19.0-r1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-7284, CVE-2018-7286
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-09 15:11 UTC by GLSAMaker/CVETool Bot
Modified: 2018-03-24 00:41 UTC (History)
1 user (show)

See Also:
Package list:
net-misc/asterisk-13.19.0-r1 net-libs/pjproject-2.7.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-09 15:11:08 UTC
CVE-2018-7286 (https://nvd.nist.gov/vuln/detail/CVE-2018-7286):
  An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5,
  and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2.
  res_pjsip allows remote authenticated users to crash Asterisk (segmentation
  fault) by sending a number of SIP INVITE messages on a TCP or TLS connection
  and then suddenly closing the connection.

CVE-2018-7284 (https://nvd.nist.gov/vuln/detail/CVE-2018-7284):
  A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x
  through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through
  13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub
  module stores the accepted formats present in the Accept headers of the
  request. This code did not limit the number of headers it processed, despite
  having a fixed limit of 32. If more than 32 Accept headers were present, the
  code would write outside of its memory and cause a crash.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2018-03-09 16:07:15 UTC
This is in the tree now:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=458b342d0d2bbb84666f320612f6a6fc9c061903

Since these concern rs_pjsip, Asterisk 11 is not vulnerable and does not need to be cleaned up yet.

Arches, please test & mark stable:
=net-misc/asterisk-13.19.2
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-10 23:15:56 UTC
If only unstable 13.x is affected you can just cleanup. No stabilization would be required in this case from security point of view.
Comment 3 Stabilization helper bot gentoo-dev 2018-03-11 00:02:23 UTC
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad net-misc/asterisk/asterisk-13.19.0-r1.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/pjproject-2.6']
> dependency.bad net-misc/asterisk/asterisk-13.19.0-r1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/pjproject-2.6']
> dependency.bad net-misc/asterisk/asterisk-13.19.0-r1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop/gnome) ['>=net-libs/pjproject-2.6']
Comment 4 Agostino Sarubbo gentoo-dev 2018-03-12 10:51:41 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-13 22:27:15 UTC
x86 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-13 22:34:16 UTC
GLSA Vote: no!

@ Maintainer(s): Please cleanup and drop =net-misc/asterisk-13.17.2!
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-03-24 00:41:16 UTC
tree is clean.