Bug 14915 - asterisk new security issue CVE-2014-9374
Summary: asterisk new security issue CVE-2014-9374
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/628109/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-30 17:22 CET by David Walser
Modified: 2015-01-07 17:32 CET (History)

See Also:
Source RPM: asterisk-11.14.1-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-12-30 17:22:39 CET
Gentoo has issued an advisory on December 28:
http://www.gentoo.org/security/en/glsa/glsa-201412-51.xml

The CVE-2014-841* CVEs were addressed in Bug 14466.

CVE-2014-9374 was fixed upstream in 11.14.2.

The corresponding upstream advisory is here:
http://downloads.asterisk.org/pub/security/AST-2014-019.html

Mageia 4 is also affected.

David Walser 2014-12-30 17:23:03 CET

Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 Oden Eriksson 2014-12-30 17:37:32 CET
11.14.2 has been submitted to mga4.

Someone needs to submit 11.14.2 for cauldron.
Comment 2 David Walser 2014-12-30 18:47:06 CET
Thanks Oden!

Freeze push request sent for Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Advisory:
========================

Updated asterisk packages fix security vulnerability:

Double free vulnerability in the WebSocket Server (res_http_websocket module)
in Asterisk Open Source 11.x before 11.14.2 allows remote attackers to cause a
denial of service (crash) by sending a zero length frame after a non-zero
length frame (CVE-2014-9374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9374
http://downloads.asterisk.org/pub/security/AST-2014-019.html
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.14.2-summary.html
http://www.gentoo.org/security/en/glsa/glsa-201412-51.xml
========================

Updated packages in core/updates_testing:
========================
asterisk-11.14.2-1.mga4
libasteriskssl1-11.14.2-1.mga4
asterisk-addons-11.14.2-1.mga4
asterisk-firmware-11.14.2-1.mga4
asterisk-devel-11.14.2-1.mga4
asterisk-plugins-corosync-11.14.2-1.mga4
asterisk-plugins-alsa-11.14.2-1.mga4
asterisk-plugins-calendar-11.14.2-1.mga4
asterisk-plugins-cel-11.14.2-1.mga4
asterisk-plugins-curl-11.14.2-1.mga4
asterisk-plugins-dahdi-11.14.2-1.mga4
asterisk-plugins-fax-11.14.2-1.mga4
asterisk-plugins-festival-11.14.2-1.mga4
asterisk-plugins-ices-11.14.2-1.mga4
asterisk-plugins-jabber-11.14.2-1.mga4
asterisk-plugins-jack-11.14.2-1.mga4
asterisk-plugins-lua-11.14.2-1.mga4
asterisk-plugins-ldap-11.14.2-1.mga4
asterisk-plugins-minivm-11.14.2-1.mga4
asterisk-plugins-mobile-11.14.2-1.mga4
asterisk-plugins-mp3-11.14.2-1.mga4
asterisk-plugins-mysql-11.14.2-1.mga4
asterisk-plugins-ooh323-11.14.2-1.mga4
asterisk-plugins-oss-11.14.2-1.mga4
asterisk-plugins-pktccops-11.14.2-1.mga4
asterisk-plugins-portaudio-11.14.2-1.mga4
asterisk-plugins-pgsql-11.14.2-1.mga4
asterisk-plugins-radius-11.14.2-1.mga4
asterisk-plugins-saycountpl-11.14.2-1.mga4
asterisk-plugins-skinny-11.14.2-1.mga4
asterisk-plugins-snmp-11.14.2-1.mga4
asterisk-plugins-speex-11.14.2-1.mga4
asterisk-plugins-sqlite-11.14.2-1.mga4
asterisk-plugins-tds-11.14.2-1.mga4
asterisk-plugins-osp-11.14.2-1.mga4
asterisk-plugins-unistim-11.14.2-1.mga4
asterisk-plugins-voicemail-11.14.2-1.mga4
asterisk-plugins-voicemail-imap-11.14.2-1.mga4
asterisk-plugins-voicemail-plain-11.14.2-1.mga4
asterisk-gui-11.14.2-1.mga4

from asterisk-11.14.2-1.mga4.src.rpm

CC: (none) => oe
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO => has_procedure
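
The advisory text above describes the bug class (a payload buffer freed when a zero-length WebSocket frame follows a non-zero-length one, then freed again later) without showing it. The following is an added illustration, not Asterisk's res_http_websocket code nor the upstream 11.14.2 patch: the session and frame types, the two reader functions and the allocation tracker are hypothetical. The tracker hands out addresses from a bump arena that never reuses them and counts a second free of the same block instead of letting the real allocator abort, so both the vulnerable pattern and the hardened one can be run side by side on constructed frames.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allocation tracker (constructed for this example): a bump arena that never
 * reuses addresses plus a live-pointer table, so a second free of the same
 * block is counted rather than corrupting the real heap. */
#define ARENA_SIZE 4096
#define MAX_LIVE 32
static char arena[ARENA_SIZE];
static size_t arena_used;
static void *live[MAX_LIVE];
static int double_frees;

static void tracker_reset(void) {
    arena_used = 0;
    memset(live, 0, sizeof live);
    double_frees = 0;
}

static void *tracked_alloc(size_t n) {
    if (n == 0) n = 1;
    if (arena_used + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; return; }
    double_frees++; /* p is not live: this block was already freed */
}

/* Hypothetical session and frame types. The session owns the payload of the
 * most recently read frame, as a server handing frames to callers would. */
struct ws_session { char *payload; size_t payload_len; };
struct ws_frame { size_t len; const char *data; };
typedef int (*frame_reader)(struct ws_session *, const struct ws_frame *);

/* Vulnerable pattern: a zero-length frame releases the previous payload but
 * leaves the stale pointer in the session, so the next free of s->payload
 * (next frame or session teardown) frees the same block a second time. */
static int read_frame_vuln(struct ws_session *s, const struct ws_frame *f) {
    if (f->len == 0) {
        tracked_free(s->payload);
        s->payload_len = 0;
        return 0;
    }
    char *buf = tracked_alloc(f->len);
    if (!buf) return -1;
    memcpy(buf, f->data, f->len);
    tracked_free(s->payload);
    s->payload = buf;
    s->payload_len = f->len;
    return 0;
}

/* Hardened pattern: a single path updates the owning pointer, so a freed
 * block is never left reachable from the session. */
static int read_frame_fixed(struct ws_session *s, const struct ws_frame *f) {
    char *buf = NULL;
    if (f->len > 0) {
        buf = tracked_alloc(f->len);
        if (!buf) return -1;
        memcpy(buf, f->data, f->len);
    }
    tracked_free(s->payload);
    s->payload = buf;           /* NULL for a zero-length frame */
    s->payload_len = f->len;
    return 0;
}

static void session_close(struct ws_session *s) {
    tracked_free(s->payload);
    s->payload = NULL;
}

/* Feed frames through a reader, close the session, and return how many
 * double frees the tracker observed (-1 on a read error). */
static int run_frames(frame_reader reader, const struct ws_frame *frames, size_t n) {
    struct ws_session s = { NULL, 0 };
    tracker_reset();
    for (size_t i = 0; i < n; i++)
        if (reader(&s, &frames[i]) != 0) return -1;
    session_close(&s);
    return double_frees;
}

/* The advisory's trigger as constructed input: a non-zero-length frame
 * followed by a zero-length one. */
static int run_advisory_sequence(frame_reader reader) {
    static const struct ws_frame frames[] = { { 5, "hello" }, { 0, "" } };
    return run_frames(reader, frames, 2);
}

/* A benign stream with no zero-length frame, which both readers survive. */
static int run_benign_sequence(frame_reader reader) {
    static const struct ws_frame frames[] = { { 5, "hello" }, { 5, "world" } };
    return run_frames(reader, frames, 2);
}

int main(void) {
    printf("vulnerable reader: %d double free(s)\n", run_advisory_sequence(read_frame_vuln));
    printf("fixed reader:      %d double free(s)\n", run_advisory_sequence(read_frame_fixed));
    return 0;
}
```

The point of the hardened reader is not the extra NULL assignment by itself but that every path that gives up the buffer goes through the same ownership update; a review of a frame parser should look for any early-return branch that frees a session-owned pointer without clearing it, since the double free only surfaces at a later, unrelated free (here, session close). On a production build the same sequence would abort the process, which is the denial of service the advisory describes.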

Comment 3 Herman Viaene 2015-01-03 16:38:53 CET
MGA4-64 on HP Probook 6555b KDE
Followed PoC as in Comment 2, Commands seem to run OK.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 4 Herman Viaene 2015-01-03 17:09:32 CET
MGA-32 on AcerD620 Xfce
Followed PoC as in Comment 2, Commands seem to run OK.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA-32-OK

Comment 5 William Kenney 2015-01-04 17:42:04 CET
This package requires intimate knowledge of its operation
plus supporting hardware. It can only be ensured that it
initially installs, then updates, cleanly.

CC: (none) => wilcal.int

Comment 6 William Kenney 2015-01-04 17:42:32 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
asterisk asterisk-firmware asterisk-plugins-pktccops libasteriskssl1

default install of asterisk-firmware asterisk-plugins-pktccops
and libasteriskssl1

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libasteriskssl1
Package libasteriskssl1-11.14.1-1.mga4.i586 is already installed

install asterisk asterisk-firmware asterisk-plugins-pktccops
and libasteriskssl1 from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libasteriskssl1
Package libasteriskssl1-11.14.2-1.mga4.i586 is already installed

Packages install without errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 7 claire robinson 2015-01-04 17:45:05 CET
We usually ensure it works interactively, Bill.

Procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
Comment 8 William Kenney 2015-01-04 18:12:42 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
asterisk asterisk-firmware asterisk-plugins-pktccops lib64asteriskssl1

default install of asterisk-firmware asterisk-plugins-pktccops
and lib64asteriskssl1

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64asteriskssl1
Package lib64asteriskssl1-11.14.1-1.mga4.x86_64 is already installed

[root@localhost wilcal]# asterisk -r
Asterisk 11.14.1, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details....
localhost*CLI> core show warranty

                            NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

install asterisk asterisk-firmware asterisk-plugins-pktccops
and lib64asteriskssl1 from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64asteriskssl1
Package lib64asteriskssl1-11.14.2-1.mga4.x86_64 is already installed

Packages install without errors

[root@localhost wilcal]# asterisk -r
Asterisk 11.14.2, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details....
localhost*CLI> core show warranty

                            NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 9 William Kenney 2015-01-04 18:18:41 CET
In VirtualBox, M4, KDE, 32-bit

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.x86_64 is already installed

[root@localhost wilcal]# asterisk -r
Asterisk 11.14.2, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details....
localhost*CLI> core show warranty

                            NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 10 William Kenney 2015-01-04 18:19:30 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

William Kenney 2015-01-04 18:20:53 CET

Whiteboard: has_procedure MGA4-64-OK MGA-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 11 claire robinson 2015-01-07 16:33:01 CET
Advisory uploaded.

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK

Comment 12 Mageia Robot 2015-01-07 17:32:45 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0010.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

