Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 689796 (CVE-2019-12827, CVE-2019-13161, CVE-2019-15297, CVE-2019-15639) - <net-misc/asterisk-13.29.1: Multiple vulnerabilities (CVE-2019-{12827,13161,15297,15639})
Summary: <net-misc/asterisk-13.29.1: Multiple vulnerabilities (CVE-2019-{12827,13161,1...
Status: RESOLVED FIXED
Alias: CVE-2019-12827, CVE-2019-13161, CVE-2019-15297, CVE-2019-15639
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on: 705754
Blocks:
  Show dependency tree
 
Reported: 2019-07-13 19:24 UTC by D'juan McDonald (domhnall)
Modified: 2020-04-26 03:18 UTC (History)
2 users (show)

See Also:
Package list:
net-libs/pjproject-2.7.2-r1 net-misc/asterisk-13.32.0-r1
Runtime testing required: No
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-07-13 19:24:07 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-13161):

An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration).


Gentoo Security Padawan
(domhnall)
Comment 1 D'juan McDonald (domhnall) 2019-07-14 16:00:45 UTC
See Also: http://downloads.asterisk.org/pub/security/AST-2019-002.html
Comment 3 Jaco Kroon 2019-12-04 08:26:59 UTC
asterisk 13.29.1 has been committed to tree.  It does however need stabilization.

Note that http://downloads.asterisk.org/pub/security/AST-2019-004.html is not relevant since asterisk 13 isn't affected by that particular CVE.
Comment 4 Jaco Kroon 2020-01-06 07:25:39 UTC
It's been a month.  Please advise on process.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 17:53:28 UTC
(In reply to Jaco Kroon from comment #4)
> It's been a month.  Please advise on process.

You're doing the right thing so far, don't worry.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 08:24:57 UTC
amd64 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-09 14:00:14 UTC
@x86: ping
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-14 12:32:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 NATTkA bot gentoo-dev 2020-04-14 12:37:06 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 10 Jaco Kroon 2020-04-14 13:27:00 UTC
I'll clean up once https://bugs.gentoo.org/602722 is handled as well.  Perhaps these two should be merged.
Comment 11 Larry the Git Cow gentoo-dev 2020-04-17 07:36:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a11218e8b8cebddcca01bf3d4198dd08497bcbc8

commit a11218e8b8cebddcca01bf3d4198dd08497bcbc8
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-04-15 07:33:27 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-04-17 07:35:54 +0000

    net-misc/asterisk: cleanup.
    
    Bug:  https://bugs.gentoo.org/602722
    Bug:  https://bugs.gentoo.org/689796
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/15350
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest                |   4 -
 net-misc/asterisk/asterisk-13.23.1.ebuild | 327 -----------------------------
 net-misc/asterisk/asterisk-13.29.1.ebuild | 325 -----------------------------
 net-misc/asterisk/asterisk-13.31.0.ebuild | 325 -----------------------------
 net-misc/asterisk/asterisk-13.32.0.ebuild | 332 ------------------------------
 5 files changed, 1313 deletions(-)
Comment 12 NATTkA bot gentoo-dev 2020-04-17 07:40:58 UTC
Unable to check for sanity:

> no match for package: net-misc/asterisk-13.31.0
Comment 13 NATTkA bot gentoo-dev 2020-04-17 12:20:53 UTC
Unable to check for sanity:

> no match for package: net-misc/asterisk-13.31.0-r1
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 16:11:32 UTC
Thanks!
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-04-20 00:09:18 UTC
CVE-2019-15639 (https://nvd.nist.gov/vuln/detail/CVE-2019-15639):
  main/translate.c in Sangoma Asterisk 13.28.0 and 16.5.0 allows a remote
  attacker to send a specific RTP packet during a call and cause a crash in a
  specific scenario.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-04-20 00:16:08 UTC
CVE-2019-15297 (https://nvd.nist.gov/vuln/detail/CVE-2019-15297):
  res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allows an
  attacker to trigger a crash by sending a declined stream in a response to a
  T.38 re-invite initiated by Asterisk.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 03:18:00 UTC
GLSA Vote: No

Thank you all for you work. 
Closing as [noglsa].