Bug 13061 - asterisk several new security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/591371/
Whiteboard: MGA3TOO has_procedure advisory MGA3-3...
Keywords: validated_update

Reported: 2014-03-21 21:54 CET by David Walser
Modified: 2014-04-15 20:23 CEST
Source RPM: asterisk-11.7.0-2.mga4.src.rpm

Description David Walser 2014-03-21 21:54:41 CET
Fedora has issued an advisory on March 12:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130426.html

Mageia 3 is affected by the last two 2013 advisories linked there:
http://downloads.asterisk.org/pub/security/AST-2013-006.html
http://downloads.asterisk.org/pub/security/AST-2013-007.html

Mageia 3, Mageia 4, and Cauldron are affected by the first two 2014 advisories:
http://downloads.asterisk.org/pub/security/AST-2014-001.html
http://downloads.asterisk.org/pub/security/AST-2014-002.html

The issues are fixed in 11.8.1.

We are not affected by AST-2014-003 or AST-2014-004 as they only affect 12.x.

Comment 1 David Walser 2014-04-11 15:29:20 CEST
Updated packages uploaded by Oden for Mageia 3, Mageia 4, and Cauldron.

Advisory (Mageia 3):
========================

Updated asterisk packages fix security vulnerabilities:

In Asterisk before 11.6.1, a 16-bit SMS message that contains an odd message
length value will cause the message decoding loop to run forever. The message
buffer is not on the stack but will be overflowed, resulting in corrupted
memory and an immediate crash (CVE-2013-7100).

In Asterisk before 11.6.1, external control protocols, such as the Asterisk
Manager Interface, often have the ability to get and set channel variables;
this allows the execution of dialplan functions. Reading the SHELL() function
can execute arbitrary commands on the system Asterisk is running on. Writing
to the FILE() function can change any file that Asterisk has write access to.
When these functions are executed from an external protocol, that execution
could result in a privilege escalation (AST-2013-007).

In Asterisk before 11.8.1, sending an HTTP request that is handled by Asterisk
with a large number of Cookie headers could overflow the stack. You could
even exhaust memory if you sent an unlimited number of headers in the request
(CVE-2014-2286).

In Asterisk before 11.8.1, an attacker can use all available file descriptors
using SIP INVITE requests. Each INVITE meeting certain conditions will leak a
channel and several file descriptors. The file descriptors cannot be released
without restarting Asterisk which may allow intrusion detection systems to be
bypassed by sending the requests slowly (CVE-2014-2287).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2287
http://downloads.asterisk.org/pub/security/AST-2013-006.html
http://downloads.asterisk.org/pub/security/AST-2013-007.html
http://downloads.asterisk.org/pub/security/AST-2014-001.html
http://downloads.asterisk.org/pub/security/AST-2014-002.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.8.1-1.mga3
libasteriskssl1-11.8.1-1.mga3
asterisk-addons-11.8.1-1.mga3
asterisk-firmware-11.8.1-1.mga3
asterisk-devel-11.8.1-1.mga3
asterisk-plugins-corosync-11.8.1-1.mga3
asterisk-plugins-alsa-11.8.1-1.mga3
asterisk-plugins-calendar-11.8.1-1.mga3
asterisk-plugins-cel-11.8.1-1.mga3
asterisk-plugins-curl-11.8.1-1.mga3
asterisk-plugins-dahdi-11.8.1-1.mga3
asterisk-plugins-fax-11.8.1-1.mga3
asterisk-plugins-festival-11.8.1-1.mga3
asterisk-plugins-ices-11.8.1-1.mga3
asterisk-plugins-jabber-11.8.1-1.mga3
asterisk-plugins-jack-11.8.1-1.mga3
asterisk-plugins-lua-11.8.1-1.mga3
asterisk-plugins-ldap-11.8.1-1.mga3
asterisk-plugins-minivm-11.8.1-1.mga3
asterisk-plugins-mobile-11.8.1-1.mga3
asterisk-plugins-mp3-11.8.1-1.mga3
asterisk-plugins-mysql-11.8.1-1.mga3
asterisk-plugins-ooh323-11.8.1-1.mga3
asterisk-plugins-oss-11.8.1-1.mga3
asterisk-plugins-pktccops-11.8.1-1.mga3
asterisk-plugins-portaudio-11.8.1-1.mga3
asterisk-plugins-pgsql-11.8.1-1.mga3
asterisk-plugins-radius-11.8.1-1.mga3
asterisk-plugins-saycountpl-11.8.1-1.mga3
asterisk-plugins-skinny-11.8.1-1.mga3
asterisk-plugins-snmp-11.8.1-1.mga3
asterisk-plugins-speex-11.8.1-1.mga3
asterisk-plugins-sqlite-11.8.1-1.mga3
asterisk-plugins-tds-11.8.1-1.mga3
asterisk-plugins-osp-11.8.1-1.mga3
asterisk-plugins-unistim-11.8.1-1.mga3
asterisk-plugins-voicemail-11.8.1-1.mga3
asterisk-plugins-voicemail-imap-11.8.1-1.mga3
asterisk-plugins-voicemail-plain-11.8.1-1.mga3
asterisk-gui-11.8.1-1.mga3

from asterisk-11.8.1-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated asterisk packages fix security vulnerabilities:

In Asterisk before 11.8.1, sending an HTTP request that is handled by Asterisk
with a large number of Cookie headers could overflow the stack. You could
even exhaust memory if you sent an unlimited number of headers in the request
(CVE-2014-2286).

In Asterisk before 11.8.1, an attacker can use all available file descriptors
using SIP INVITE requests. Each INVITE meeting certain conditions will leak a
channel and several file descriptors. The file descriptors cannot be released
without restarting Asterisk which may allow intrusion detection systems to be
bypassed by sending the requests slowly (CVE-2014-2287).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2287
http://downloads.asterisk.org/pub/security/AST-2014-001.html
http://downloads.asterisk.org/pub/security/AST-2014-002.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.8.1-1.mga4
libasteriskssl1-11.8.1-1.mga4
asterisk-addons-11.8.1-1.mga4
asterisk-firmware-11.8.1-1.mga4
asterisk-devel-11.8.1-1.mga4
asterisk-plugins-corosync-11.8.1-1.mga4
asterisk-plugins-alsa-11.8.1-1.mga4
asterisk-plugins-calendar-11.8.1-1.mga4
asterisk-plugins-cel-11.8.1-1.mga4
asterisk-plugins-curl-11.8.1-1.mga4
asterisk-plugins-dahdi-11.8.1-1.mga4
asterisk-plugins-fax-11.8.1-1.mga4
asterisk-plugins-festival-11.8.1-1.mga4
asterisk-plugins-ices-11.8.1-1.mga4
asterisk-plugins-jabber-11.8.1-1.mga4
asterisk-plugins-jack-11.8.1-1.mga4
asterisk-plugins-lua-11.8.1-1.mga4
asterisk-plugins-ldap-11.8.1-1.mga4
asterisk-plugins-minivm-11.8.1-1.mga4
asterisk-plugins-mobile-11.8.1-1.mga4
asterisk-plugins-mp3-11.8.1-1.mga4
asterisk-plugins-mysql-11.8.1-1.mga4
asterisk-plugins-ooh323-11.8.1-1.mga4
asterisk-plugins-oss-11.8.1-1.mga4
asterisk-plugins-pktccops-11.8.1-1.mga4
asterisk-plugins-portaudio-11.8.1-1.mga4
asterisk-plugins-pgsql-11.8.1-1.mga4
asterisk-plugins-radius-11.8.1-1.mga4
asterisk-plugins-saycountpl-11.8.1-1.mga4
asterisk-plugins-skinny-11.8.1-1.mga4
asterisk-plugins-snmp-11.8.1-1.mga4
asterisk-plugins-speex-11.8.1-1.mga4
asterisk-plugins-sqlite-11.8.1-1.mga4
asterisk-plugins-tds-11.8.1-1.mga4
asterisk-plugins-osp-11.8.1-1.mga4
asterisk-plugins-unistim-11.8.1-1.mga4
asterisk-plugins-voicemail-11.8.1-1.mga4
asterisk-plugins-voicemail-imap-11.8.1-1.mga4
asterisk-plugins-voicemail-plain-11.8.1-1.mga4
asterisk-gui-11.8.1-1.mga4

from asterisk-11.8.1-1.mga4.src.rpm
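Added example (an editor's illustration, not code from this bug report, from Asterisk's sms.c or http.c, or from the Mageia packages): the two memory-safety failures described in the advisory text above, CVE-2013-7100 (an odd octet count in a 16-bit SMS decode loop that stops only on exactly zero) and CVE-2014-2286 (an attacker-chosen number of Cookie headers stored into a fixed-size array on the stack with no capacity check), reconstructed as their generic vulnerable shape beside a hardened variant. The vulnerable SMS loop is modelled by counting iterations instead of overrunning real memory, so the program is safe to run. All function names, the MAX_COOKIE_HEADERS limit, and the sample UCS-2 payload and HTTP request are constructed for this example and are assumptions, not identifiers or values from the real code.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- CVE-2013-7100 shape: 16-bit SMS decode loop ----------------------- */

/* Models a decode loop that walks an unsigned 8-bit octet count down by two
 * per 16-bit code unit and exits only when the count is exactly zero.
 * Instead of writing past a real buffer it counts iterations and stops at
 * `cap`.  Even counts return octets/2; an odd count wraps (1 -> 255 -> 253
 * ... -> 1 -> 255) and the function returns `cap`: the loop never ends on
 * its own, and every iteration past octets/2 would have written one more
 * code unit beyond the real decoder's output buffer. */
static unsigned vulnerable_iterations(uint8_t octets, unsigned cap)
{
    uint8_t l = octets;
    unsigned iters = 0;
    while (l) {                  /* exact-zero test: odd l never reaches it */
        l -= 2;                  /* wraps modulo 256 when l == 1 */
        if (++iters >= cap)
            return cap;
    }
    return iters;
}

/* Hardened UCS-2 decode: rejects an odd octet count, refuses more code units
 * than `out_units` can hold, and uses a `>= 2` guard so the counter cannot
 * wrap.  Returns the number of code units written, or -1 on rejection. */
static int decode_ucs2(const uint8_t *in, size_t in_octets,
                       uint16_t *out, size_t out_units)
{
    if (in_octets & 1u)
        return -1;               /* a 16-bit payload always has even length */
    if (in_octets / 2 > out_units)
        return -1;               /* would overrun the caller's buffer */
    size_t n = 0;
    while (in_octets >= 2) {
        out[n++] = (uint16_t)((in[0] << 8) | in[1]);
        in += 2;
        in_octets -= 2;
    }
    return (int)n;
}

/* Runs decode_ucs2 over the first `octets` bytes of a constructed UCS-2
 * payload ("Hi!") into a buffer of `out_units` slots (at most 3).  Returns
 * the decoded unit count, -1 on rejection, or -2 if the content is wrong. */
static int decode_sample(size_t octets, size_t out_units)
{
    static const uint8_t sample[] = { 0x00, 0x48, 0x00, 0x69, 0x00, 0x21 };
    uint16_t out[3];
    if (octets > sizeof sample || out_units > 3)
        return -1;
    int n = decode_ucs2(sample, octets, out, out_units);
    if (n >= 2 && (out[0] != 0x0048 || out[1] != 0x0069))
        return -2;
    return n;
}

/* ---- CVE-2014-2286 shape: Cookie headers into a fixed stack array ------- */

#define MAX_COOKIE_HEADERS 8     /* constructed limit for this example */

/* Case-insensitive match of an HTTP header name at the start of a line. */
static int header_is(const char *line, size_t len, const char *name)
{
    size_t nl = strlen(name);
    if (len < nl)
        return 0;
    for (size_t i = 0; i < nl; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Walks a CRLF-delimited header block and stores a pointer to each Cookie
 * line in `out`.  The vulnerable shape is this loop without the `n >= out_cap`
 * test, indexing a fixed-size array on the caller's stack with a count the
 * client controls.  Returns the number of Cookie headers stored, or -1 once
 * the request carries more than the array holds, so the caller can reject
 * the request instead of overrunning the stack. */
static int collect_cookie_headers(const char *request,
                                  const char *out[], size_t out_cap)
{
    size_t n = 0;
    const char *line = request;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (header_is(line, len, "Cookie:")) {
            if (n >= out_cap)
                return -1;       /* the bound the vulnerable code lacked */
            out[n++] = line;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return (int)n;
}

/* Builds a constructed GET request carrying `cookies` Cookie headers and
 * feeds it to collect_cookie_headers with a MAX_COOKIE_HEADERS-slot array. */
static int cookies_accepted(unsigned cookies)
{
    char req[4096];
    const char *slots[MAX_COOKIE_HEADERS];
    size_t pos = (size_t)snprintf(req, sizeof req,
                                  "GET /httpstatus HTTP/1.1\r\nHost: pbx\r\n");
    for (unsigned i = 0; i < cookies && pos < sizeof req - 32; i++)
        pos += (size_t)snprintf(req + pos, sizeof req - pos,
                                "Cookie: c%u=v\r\n", i);
    snprintf(req + pos, sizeof req - pos, "\r\n");
    return collect_cookie_headers(req, slots, MAX_COOKIE_HEADERS);
}

int main(void)
{
    printf("140 octets: %u iterations; 141 octets: %u (capped, never ends)\n",
           vulnerable_iterations(140, 1000), vulnerable_iterations(141, 1000));
    printf("decode 4 octets -> %d units, 3 octets -> %d\n",
           decode_sample(4, 3), decode_sample(3, 3));
    printf("8 cookies -> %d, 9 cookies -> %d\n",
           cookies_accepted(8), cookies_accepted(9));
    return 0;
}
```

Both fixes are the same discipline: validate the attacker-controlled size (parity, total length, header count) before the loop that consumes it, and bound every write by the capacity of the buffer actually being written, not by a value taken from the message. The odd-length case also shows why a termination test of `while (l)` on an unsigned counter decremented in steps larger than one is a bug even when the buffer looks big enough.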
Comment 2 William Kenney 2014-04-13 18:09:54 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
asterisk

default install of asterisk

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.7.0-1.mga3.i586 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc",
then at the *CLI> prompt, ran the command "core show help",
then using ctrl+c exited. Process executed as expected.

install asterisk from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.8.1-1.mga3.i586 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc",
then at the *CLI> prompt, ran the command "core show help",
then using ctrl+c exited. Process executed as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 3 William Kenney 2014-04-13 18:25:09 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
asterisk

default install of asterisk

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.7.0-1.mga3.x86_64 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc",
then at the *CLI> prompt, ran the command "core show help",
then using ctrl+c exited. Process executed as expected.

install asterisk from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.8.1-1.mga3.x86_64 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc",
then at the *CLI> prompt, ran the command "core show help",
then using ctrl+c exited. Process executed as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 4 William Kenney 2014-04-13 19:11:54 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
asterisk

default install of asterisk

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.7.0-2.mga4.i586 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc",
then at the *CLI> prompt, ran the command "core show help",
then using ctrl+c exited. Process executed as expected.

install asterisk from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.8.1-1.mga4.i586 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc",
then at the *CLI> prompt, ran the command "core show help",
then using ctrl+c exited. Process executed as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 5 William Kenney 2014-04-13 19:23:37 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
asterisk

default install of asterisk

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.7.0-2.mga4.x86_64 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc",
then at the *CLI> prompt, ran the command "core show help",
then using ctrl+c exited. Process executed as expected.

install asterisk from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.8.1-1.mga4.x86_64 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc",
then at the *CLI> prompt, ran the command "core show help",
then using ctrl+c exited. Process executed as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 6 William Kenney 2014-04-13 19:24:23 CEST
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks
Comment 7 claire robinson 2014-04-14 17:27:09 CEST
Separate advisories uploaded for mga3 & 4 (13061.mga3.adv & 13061.mga4.adv)
