Bug 803440 (AST-2021-007, AST-2021-008, AST-2021-009, CVE-2021-31878, CVE-2021-32558) - <net-misc/asterisk-{13.38.3,16.9.1,18.5.1}: multiple vulnerabilities (CVE-2021-{31878,32558,32686})
Summary: <net-misc/asterisk-{13.38.3,16.9.1,18.5.1}: multiple vulnerabilities (CVE-202...
Status: CONFIRMED
Alias: AST-2021-007, AST-2021-008, AST-2021-009, CVE-2021-31878, CVE-2021-32558
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://lists.digium.com/pipermail/ast...
Whiteboard: B3 [glsa?]
Keywords: PullRequest
: ASTERISK-29381, ASTERISK-29415 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-07-23 01:09 UTC by John Helmert III
Modified: 2021-09-25 19:12 UTC

See Also:
Package list:
=net-misc/asterisk-13.38.3 =net-misc/asterisk-16.19.1 =net-libs/pjproject-2.10-r2
Runtime testing required: No
nattka: sanity-check-


Description John Helmert III gentoo-dev Security 2021-07-23 01:09:34 UTC
From URL:

* AST-2021-007: Remote Crash Vulnerability in PJSIP channel driver
  When Asterisk receives a re-INVITE without SDP after having sent a BYE request
  a crash will occur. This occurs due to the Asterisk channel no longer being
  present while code assumes it is.

* AST-2021-008: Remote crash when using IAX2 channel driver
  If the IAX2 channel driver receives a packet that contains an

* AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during
                handshake
  Depending on the timing, it’s possible for Asterisk to crash when using a
  TLS connection if the underlying socket parent/listener gets destroyed during
  the handshake.

Fixes in 13.38.3, 16.9.1, and 18.5.1, please bump.
Comment 1 Jaco Kroon 2021-07-23 04:18:33 UTC
For GLSA purposes:

Only affected if you're using PJSIP and/or IAX/2, so if you're not using these channel drivers you're all clear.

IAX/2 scenario can in most cases only be exploited in a trusted environment *I think* (call needs to first be accepted, i.e., authenticated from the looks of it, but I'll need to confirm this in code).

PJSIP similar situation for AST-2021-007 at least, in that obviously you need to accept the call before the scenario can occur.

For AST-2021-009, if you're not using PJSIP with TLS, then you can also not be affected.
Comment 2 Jaco Kroon 2021-07-23 04:38:45 UTC
The affected code for the IAX/2 scenario is all in the __get_from_jb(), which is used for media frames only, thus, needs to be in-call to action this crash, and as such I would consider this to require a trusted peer.

Alternatively you need to accept anonymous IAX/2 - which is a bad idea to begin with in my opinion.
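
The affectedness conditions from Comments 1 and 2, written as a triage check (an added example, not part of the bug report or of any Gentoo tooling). The function names and the sample `module show` output are constructed; the fixed Asterisk versions are the ones in this page's package list and commit message, and any pjproject other than the 2.10-r2 named on this page is assumed unpatched.

```python
import re

# Fixed versions per release branch, from the package list and commit message on this page.
FIXED_ASTERISK = {13: (13, 38, 3), 16: (16, 19, 1), 18: (18, 5, 1)}
# Assumption: only the pjproject revision this page names is treated as patched.
PATCHED_PJPROJECT = {"2.10-r2"}

# Constructed sample of `asterisk -rx "module show like chan_"` output.
SAMPLE_MODULES = """\
Module              Description                        Use Count  Status       Support Level
chan_iax2.so        Inter Asterisk eXchange (Ver 2)    0          Running      core
chan_pjsip.so       PJSIP Channel Driver               0          Running      core
chan_sip.so         Session Initiation Protocol (SIP)  0          Not Running  core
"""

def running_channel_drivers(module_show_output):
    """Return the names of chan_* modules whose status column is 'Running'."""
    found = set()
    for line in module_show_output.splitlines():
        m = re.match(r"(chan_\w+)\.so\s.*(?<!Not )\bRunning\b", line)
        if m:
            found.add(m.group(1))
    return found

def asterisk_numbers(pv):
    """'16.19.0-r1' -> (16, 19, 0); the Gentoo -rN revision is ignored."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)(?:-r\d+)?", pv)
    if not m:
        raise ValueError(f"unrecognised version: {pv!r}")
    return tuple(int(x) for x in m.group(1).split("."))

def applicable_advisories(asterisk_pv, pjproject_pv, drivers, pjsip_tls):
    """List the advisories from this bug that still apply to one host."""
    nums = asterisk_numbers(asterisk_pv)
    fixed = FIXED_ASTERISK.get(nums[0])
    if fixed is None:
        raise ValueError(f"branch {nums[0]} is not in this bug's version list")
    unfixed = nums < fixed
    hits = []
    if unfixed and "chan_pjsip" in drivers:      # AST-2021-007 needs PJSIP
        hits.append("AST-2021-007")
    if unfixed and "chan_iax2" in drivers:       # AST-2021-008 needs IAX2
        hits.append("AST-2021-008")
    # AST-2021-009 is fixed in pjproject and needs PJSIP with a TLS transport.
    if pjproject_pv not in PATCHED_PJPROJECT and "chan_pjsip" in drivers and pjsip_tls:
        hits.append("AST-2021-009")
    return hits

if __name__ == "__main__":
    drivers = running_channel_drivers(SAMPLE_MODULES)
    print(applicable_advisories("16.19.0-r1", "2.10-r1", drivers, pjsip_tls=True))
```

An empty list means none of the three advisories applies under these conditions; it says nothing about whether peers are trusted, which the comments above treat as a separate mitigating factor.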
Comment 3 NATTkA bot gentoo-dev 2021-07-23 05:16:19 UTC Comment hidden (obsolete)
Comment 4 Larry the Git Cow gentoo-dev 2021-07-23 07:25:05 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93f6d97e4bd66daa168e1790f8cb3b8086854bd1

commit 93f6d97e4bd66daa168e1790f8cb3b8086854bd1
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-07-23 05:10:18 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-23 07:24:58 +0000

    net-libs/pjproject: sec bump
    
    Upstream not releasing new version, so just bring in the patch to -r2.
    
    This addresses AST-2021-009 for
    
    Closes: https://bugs.gentoo.org/803440
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/21752
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 ...21-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch | 289 +++++++++++++++++++++
 net-libs/pjproject/pjproject-2.10-r2.ebuild        | 125 +++++++++
 2 files changed, 414 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55cd1de3d0127ce7086897e2948e6a829ac7042a

commit 55cd1de3d0127ce7086897e2948e6a829ac7042a
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-07-23 05:03:06 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-23 07:24:58 +0000

    net-misc/asterisk: Security bumps
    
    New versions:
    - 13.38.3
    - 16.19.1
    - 18.5.1
    
    This addresses AST-2021-007 and AST-2021-008 from
    
    Bug: https://bugs.gentoo.org/803440
    
    Both issues here are only "exploitable" by "trusted" peers that have
    managed to go to in-call status (meaning, we accepted the call).
    
    AST-2021-009 will be addressed momentarily in net-libs/pjproject.
    
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest                |   3 +
 net-misc/asterisk/asterisk-13.38.3.ebuild | 349 ++++++++++++++++++++++++++++
 net-misc/asterisk/asterisk-16.19.1.ebuild | 363 ++++++++++++++++++++++++++++++
 net-misc/asterisk/asterisk-18.5.1.ebuild  | 362 +++++++++++++++++++++++++++++
 4 files changed, 1077 insertions(+)
Comment 5 Agostino Sarubbo gentoo-dev 2021-07-24 07:57:31 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2021-07-24 07:58:57 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2021-07-25 04:00:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=949a32eef6a11fbb27ca155dbb9f86cba3bed8f7

commit 949a32eef6a11fbb27ca155dbb9f86cba3bed8f7
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-07-24 09:23:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-25 03:59:55 +0000

    net-misc/asterisk: Cleanup
    
    Bug: https://bugs.gentoo.org/803440
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/21762
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                         |   5 -
 net-misc/asterisk/asterisk-13.38.2-r1.ebuild       | 313 ------------------
 net-misc/asterisk/asterisk-13.38.2-r4.ebuild       | 349 --------------------
 net-misc/asterisk/asterisk-13.38.2-r5.ebuild       | 349 --------------------
 net-misc/asterisk/asterisk-16.18.0-r2.ebuild       | 320 ------------------
 net-misc/asterisk/asterisk-16.19.0-r1.ebuild       | 363 ---------------------
 net-misc/asterisk/asterisk-18.4.0-r2.ebuild        | 363 ---------------------
 net-misc/asterisk/asterisk-18.5.0-r1.ebuild        | 362 --------------------
 .../asterisk-13.38.1-r1-func_lock-fix-races.patch  | 291 -----------------
 .../asterisk-16.18.0-r1-func_lock-fix-races.patch  | 177 ----------
 10 files changed, 2892 deletions(-)
Comment 8 Sam James archtester gentoo-dev Security 2021-08-18 19:40:58 UTC
*** Bug 808921 has been marked as a duplicate of this bug. ***
Comment 9 NATTkA bot gentoo-dev 2021-09-25 19:12:38 UTC
Unable to check for sanity:

> no match for package: =net-misc/asterisk-13.38.3