http://downloads.asterisk.org/pub/security/AST-2013-004.html AST-2013-004 - A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present. http://downloads.asterisk.org/pub/security/AST-2013-005.html AST-2013-005 - A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set. Reproducible: Steps to Reproduce:
asterisk-11.5.1-1.mga3 and asterisk-11.5.1-1.mga4 has been submitted where this is fixed.
CVE requests pending. Will update advisory once they become available. Advisory: ======================== Updated asterisk packages fix security vulnerabilities: A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present (AST-2013-004). A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set (AST-2013-005). References: http://downloads.asterisk.org/pub/security/AST-2013-004.html http://downloads.asterisk.org/pub/security/AST-2013-005.html ======================== Updated packages in core/updates_testing: ======================== asterisk-11.5.1-1.mga3 libasteriskssl1-11.5.1-1.mga3 asterisk-addons-11.5.1-1.mga3 asterisk-firmware-11.5.1-1.mga3 asterisk-devel-11.5.1-1.mga3 asterisk-plugins-corosync-11.5.1-1.mga3 asterisk-plugins-alsa-11.5.1-1.mga3 asterisk-plugins-calendar-11.5.1-1.mga3 asterisk-plugins-cel-11.5.1-1.mga3 asterisk-plugins-curl-11.5.1-1.mga3 asterisk-plugins-dahdi-11.5.1-1.mga3 asterisk-plugins-fax-11.5.1-1.mga3 asterisk-plugins-festival-11.5.1-1.mga3 asterisk-plugins-ices-11.5.1-1.mga3 asterisk-plugins-jabber-11.5.1-1.mga3 asterisk-plugins-jack-11.5.1-1.mga3 asterisk-plugins-lua-11.5.1-1.mga3 asterisk-plugins-ldap-11.5.1-1.mga3 asterisk-plugins-minivm-11.5.1-1.mga3 asterisk-plugins-mobile-11.5.1-1.mga3 asterisk-plugins-mp3-11.5.1-1.mga3 asterisk-plugins-mysql-11.5.1-1.mga3 asterisk-plugins-ooh323-11.5.1-1.mga3 asterisk-plugins-oss-11.5.1-1.mga3 asterisk-plugins-pktccops-11.5.1-1.mga3 asterisk-plugins-portaudio-11.5.1-1.mga3 asterisk-plugins-pgsql-11.5.1-1.mga3 asterisk-plugins-radius-11.5.1-1.mga3 asterisk-plugins-saycountpl-11.5.1-1.mga3 asterisk-plugins-skinny-11.5.1-1.mga3 asterisk-plugins-snmp-11.5.1-1.mga3 asterisk-plugins-speex-11.5.1-1.mga3 asterisk-plugins-sqlite-11.5.1-1.mga3 asterisk-plugins-tds-11.5.1-1.mga3 asterisk-plugins-osp-11.5.1-1.mga3 asterisk-plugins-unistim-11.5.1-1.mga3 asterisk-plugins-voicemail-11.5.1-1.mga3 asterisk-plugins-voicemail-imap-11.5.1-1.mga3 asterisk-plugins-voicemail-plain-11.5.1-1.mga3 asterisk-gui-11.5.1-1.mga3 from asterisk-11.5.1-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
CVEs assigned: http://openwall.com/lists/oss-security/2013/08/28/5 Advisory: ======================== Updated asterisk packages fix security vulnerabilities: A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present (CVE-2013-5641). A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set (CVE-2013-5642). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5641 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5642 http://downloads.asterisk.org/pub/security/AST-2013-004.html http://downloads.asterisk.org/pub/security/AST-2013-005.html ======================== Updated packages in core/updates_testing: ======================== asterisk-11.5.1-1.mga3 libasteriskssl1-11.5.1-1.mga3 asterisk-addons-11.5.1-1.mga3 asterisk-firmware-11.5.1-1.mga3 asterisk-devel-11.5.1-1.mga3 asterisk-plugins-corosync-11.5.1-1.mga3 asterisk-plugins-alsa-11.5.1-1.mga3 asterisk-plugins-calendar-11.5.1-1.mga3 asterisk-plugins-cel-11.5.1-1.mga3 asterisk-plugins-curl-11.5.1-1.mga3 asterisk-plugins-dahdi-11.5.1-1.mga3 asterisk-plugins-fax-11.5.1-1.mga3 asterisk-plugins-festival-11.5.1-1.mga3 asterisk-plugins-ices-11.5.1-1.mga3 asterisk-plugins-jabber-11.5.1-1.mga3 asterisk-plugins-jack-11.5.1-1.mga3 asterisk-plugins-lua-11.5.1-1.mga3 asterisk-plugins-ldap-11.5.1-1.mga3 asterisk-plugins-minivm-11.5.1-1.mga3 asterisk-plugins-mobile-11.5.1-1.mga3 asterisk-plugins-mp3-11.5.1-1.mga3 asterisk-plugins-mysql-11.5.1-1.mga3 asterisk-plugins-ooh323-11.5.1-1.mga3 asterisk-plugins-oss-11.5.1-1.mga3 asterisk-plugins-pktccops-11.5.1-1.mga3 asterisk-plugins-portaudio-11.5.1-1.mga3 asterisk-plugins-pgsql-11.5.1-1.mga3 asterisk-plugins-radius-11.5.1-1.mga3 asterisk-plugins-saycountpl-11.5.1-1.mga3 asterisk-plugins-skinny-11.5.1-1.mga3 asterisk-plugins-snmp-11.5.1-1.mga3 asterisk-plugins-speex-11.5.1-1.mga3 asterisk-plugins-sqlite-11.5.1-1.mga3 asterisk-plugins-tds-11.5.1-1.mga3 asterisk-plugins-osp-11.5.1-1.mga3 asterisk-plugins-unistim-11.5.1-1.mga3 asterisk-plugins-voicemail-11.5.1-1.mga3 asterisk-plugins-voicemail-imap-11.5.1-1.mga3 asterisk-plugins-voicemail-plain-11.5.1-1.mga3 asterisk-gui-11.5.1-1.mga3 from asterisk-11.5.1-1.mga3.src.rpm
Summary: multiple vulnerabilities in asterisk => asterisk new security issues fixed in 11.5.1 (CVE-2013-5641 and CVE-2013-5642)
No poc. I doubt we'll be able to do much other ensure the packages install cleanly. I'm doing that now, and will see if there's anything further that can be tested.
CC: (none) => davidwhodgins
Testing complete on Mageia 3 i586. Just ensuring that all of the packages install cleanly, then (as root) running "asterisk -vvvc", then at the *CLI> prompt, running the command "core show help", then using ctrl+c to exit. I'll test x86_64 shortly.
Whiteboard: (none) => MGA3-32-OK has_procedure
Advisory 11094.adv uploaded to svn, and testing complete on Mageia 3 x86_64. Could someone from the sysadmin team push 11094.adv to updates.
Keywords: (none) => validated_updateWhiteboard: MGA3-32-OK has_procedure => MGA3-32-OK has_procedure MGA3-64-OKCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0266.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/565377/
Blocks: (none) => 11674
Blocks: 11674 => (none)
mga5 i586 virtualbox Mate Installed all the asterisk packages then updated them from updates/testing. All installed cleanly. Invoked asterisk under root and ran the simple tests. Checked that the -B option worked and accessed the asterix server from another root terminal. After exiting the original session could get back to the server using 'asterisk -r'. Validating this update. Could someone from sysadmin please push it to updates.
CC: (none) => tarazed25
Oh boy. Wrong bug again!