Bug 11094 - asterisk new security issues fixed in 11.5.1 (CVE-2013-5641 and CVE-2013-5642)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565377/
Whiteboard: MGA3-32-OK has_procedure MGA3-64-OK
Keywords: validated_update
Reported: 2013-08-28 08:35 CEST by Oden Eriksson
Modified: 2016-03-01 00:05 CET
Source RPM: asterisk

Description Oden Eriksson 2013-08-28 08:35:54 CEST
http://downloads.asterisk.org/pub/security/AST-2013-004.html

AST-2013-004 - A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present.

http://downloads.asterisk.org/pub/security/AST-2013-005.html

AST-2013-005 - A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set.


Comment 1 Oden Eriksson 2013-08-28 08:36:43 CEST
asterisk-11.5.1-1.mga3 and asterisk-11.5.1-1.mga4 have been submitted where this is fixed.
Comment 2 David Walser 2013-08-28 14:13:41 CEST
CVE requests pending.  Will update advisory once they become available.

Advisory:
========================

Updated asterisk packages fix security vulnerabilities:

A remotely exploitable crash vulnerability exists in the SIP channel driver if
an ACK with SDP is received after the channel has been terminated. The handling
code incorrectly assumes that the channel will always be present (AST-2013-004).

A remotely exploitable crash vulnerability exists in the SIP channel driver if
an invalid SDP is sent in a SIP request that defines media descriptions before
connection information. The handling code incorrectly attempts to reference the
socket address information even though that information has not yet been set
(AST-2013-005).

References:
http://downloads.asterisk.org/pub/security/AST-2013-004.html
http://downloads.asterisk.org/pub/security/AST-2013-005.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.5.1-1.mga3
libasteriskssl1-11.5.1-1.mga3
asterisk-addons-11.5.1-1.mga3
asterisk-firmware-11.5.1-1.mga3
asterisk-devel-11.5.1-1.mga3
asterisk-plugins-corosync-11.5.1-1.mga3
asterisk-plugins-alsa-11.5.1-1.mga3
asterisk-plugins-calendar-11.5.1-1.mga3
asterisk-plugins-cel-11.5.1-1.mga3
asterisk-plugins-curl-11.5.1-1.mga3
asterisk-plugins-dahdi-11.5.1-1.mga3
asterisk-plugins-fax-11.5.1-1.mga3
asterisk-plugins-festival-11.5.1-1.mga3
asterisk-plugins-ices-11.5.1-1.mga3
asterisk-plugins-jabber-11.5.1-1.mga3
asterisk-plugins-jack-11.5.1-1.mga3
asterisk-plugins-lua-11.5.1-1.mga3
asterisk-plugins-ldap-11.5.1-1.mga3
asterisk-plugins-minivm-11.5.1-1.mga3
asterisk-plugins-mobile-11.5.1-1.mga3
asterisk-plugins-mp3-11.5.1-1.mga3
asterisk-plugins-mysql-11.5.1-1.mga3
asterisk-plugins-ooh323-11.5.1-1.mga3
asterisk-plugins-oss-11.5.1-1.mga3
asterisk-plugins-pktccops-11.5.1-1.mga3
asterisk-plugins-portaudio-11.5.1-1.mga3
asterisk-plugins-pgsql-11.5.1-1.mga3
asterisk-plugins-radius-11.5.1-1.mga3
asterisk-plugins-saycountpl-11.5.1-1.mga3
asterisk-plugins-skinny-11.5.1-1.mga3
asterisk-plugins-snmp-11.5.1-1.mga3
asterisk-plugins-speex-11.5.1-1.mga3
asterisk-plugins-sqlite-11.5.1-1.mga3
asterisk-plugins-tds-11.5.1-1.mga3
asterisk-plugins-osp-11.5.1-1.mga3
asterisk-plugins-unistim-11.5.1-1.mga3
asterisk-plugins-voicemail-11.5.1-1.mga3
asterisk-plugins-voicemail-imap-11.5.1-1.mga3
asterisk-plugins-voicemail-plain-11.5.1-1.mga3
asterisk-gui-11.5.1-1.mga3

from asterisk-11.5.1-1.mga3.src.rpm
Comment 3 David Walser 2013-08-28 19:24:46 CEST
CVEs assigned:
http://openwall.com/lists/oss-security/2013/08/28/5

Advisory:
========================

Updated asterisk packages fix security vulnerabilities:

A remotely exploitable crash vulnerability exists in the SIP channel driver
if an ACK with SDP is received after the channel has been terminated. The
handling code incorrectly assumes that the channel will always be present
(CVE-2013-5641).

A remotely exploitable crash vulnerability exists in the SIP channel driver
if an invalid SDP is sent in a SIP request that defines media descriptions
before connection information. The handling code incorrectly attempts to
reference the socket address information even though that information has
not yet been set (CVE-2013-5642).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5642
http://downloads.asterisk.org/pub/security/AST-2013-004.html
http://downloads.asterisk.org/pub/security/AST-2013-005.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.5.1-1.mga3
libasteriskssl1-11.5.1-1.mga3
asterisk-addons-11.5.1-1.mga3
asterisk-firmware-11.5.1-1.mga3
asterisk-devel-11.5.1-1.mga3
asterisk-plugins-corosync-11.5.1-1.mga3
asterisk-plugins-alsa-11.5.1-1.mga3
asterisk-plugins-calendar-11.5.1-1.mga3
asterisk-plugins-cel-11.5.1-1.mga3
asterisk-plugins-curl-11.5.1-1.mga3
asterisk-plugins-dahdi-11.5.1-1.mga3
asterisk-plugins-fax-11.5.1-1.mga3
asterisk-plugins-festival-11.5.1-1.mga3
asterisk-plugins-ices-11.5.1-1.mga3
asterisk-plugins-jabber-11.5.1-1.mga3
asterisk-plugins-jack-11.5.1-1.mga3
asterisk-plugins-lua-11.5.1-1.mga3
asterisk-plugins-ldap-11.5.1-1.mga3
asterisk-plugins-minivm-11.5.1-1.mga3
asterisk-plugins-mobile-11.5.1-1.mga3
asterisk-plugins-mp3-11.5.1-1.mga3
asterisk-plugins-mysql-11.5.1-1.mga3
asterisk-plugins-ooh323-11.5.1-1.mga3
asterisk-plugins-oss-11.5.1-1.mga3
asterisk-plugins-pktccops-11.5.1-1.mga3
asterisk-plugins-portaudio-11.5.1-1.mga3
asterisk-plugins-pgsql-11.5.1-1.mga3
asterisk-plugins-radius-11.5.1-1.mga3
asterisk-plugins-saycountpl-11.5.1-1.mga3
asterisk-plugins-skinny-11.5.1-1.mga3
asterisk-plugins-snmp-11.5.1-1.mga3
asterisk-plugins-speex-11.5.1-1.mga3
asterisk-plugins-sqlite-11.5.1-1.mga3
asterisk-plugins-tds-11.5.1-1.mga3
asterisk-plugins-osp-11.5.1-1.mga3
asterisk-plugins-unistim-11.5.1-1.mga3
asterisk-plugins-voicemail-11.5.1-1.mga3
asterisk-plugins-voicemail-imap-11.5.1-1.mga3
asterisk-plugins-voicemail-plain-11.5.1-1.mga3
asterisk-gui-11.5.1-1.mga3

from asterisk-11.5.1-1.mga3.src.rpm
Comment 4 Dave Hodgins 2013-08-29 23:30:29 CEST
No PoC. I doubt we'll be able to do much other than ensure the packages install
cleanly. I'm doing that now, and will see if there's anything further that
can be tested.
Comment 5 Dave Hodgins 2013-08-29 23:44:52 CEST
Testing complete on Mageia 3 i586.

Just ensuring that all of the packages install cleanly, then (as root)
running "asterisk -vvvc", then at the *CLI> prompt, running the
command "core show help", then using ctrl+c to exit.

I'll test x86_64 shortly.
Comment 6 Dave Hodgins 2013-08-30 00:14:32 CEST
Advisory 11094.adv uploaded to svn, and testing complete on Mageia 3 x86_64.

Could someone from the sysadmin team push 11094.adv to updates?
Comment 7 Thomas Backlund 2013-08-30 19:38:07 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0266.html
Comment 8 Len Lawrence 2016-03-01 00:04:41 CET
mga5  i586 virtualbox  Mate

Installed all the asterisk packages then updated them from updates/testing.  All installed cleanly.
Invoked asterisk under root and ran the simple tests.  Checked that the -B option worked and accessed the asterisk server from another root terminal.  After exiting the original session could get back to the server using 'asterisk -r'.

Validating this update.  Could someone from sysadmin please push it to updates?
Comment 9 Len Lawrence 2016-03-01 00:05:37 CET
Oh boy.  Wrong bug again!
