Remote Crash Vulnerability in Milliwatt Application

Bug #956580 reported by Paul Belanger
Affects | Status | Importance | Assigned to | Milestone
asterisk (Ubuntu) | Fix Released | Undecided | Paul Belanger |

Bug Description

An attacker can cause Asterisk to crash in one of two ways:
1. A dialplan uses the Milliwatt application with 'o' option
2. The internal_timing option in asterisk.conf is off
3. The attacker sends a large audio packet. The number of samples in the audio packet determines the number of internal data samples that are copied into the buffer. This overruns the buffer, potentially causing a crash.
OR
1. A dialplan uses the Milliwatt application with the 'o' option
2. The attacker negotiates a media format with a sampling rate greater than 32kHz. The application will attempt to generate an audio packet using the sample rate of the negotiated format, where the sample rate will require a number of data points greater than the size of the buffer. Again, the application copies a number of internal data samples into the buffer that is greater than the size of the buffer, potentially causing a crash.

Note that the latter attack vector is only possible in Asterisk 10, as it supports codecs with a sample rate greater than 32kHz.

http://downloads.asterisk.org/pub/security/AST-2012-002.html
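
The overrun described in this report, as an added C sketch that is not Asterisk's code and not part of the original report: an unchecked generator writes as many samples as the packet or the negotiated rate asks for, while the clamped one stops at the buffer's capacity. The 640-sample buffer, the 20 ms frame interval, the guard region, the sample pattern and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SAMPLES 640u /* assumed capacity, one byte per sample */
#define GUARD_BYTES 512u /* stands in for the memory after the buffer */
#define FRAME_MS 20u     /* assumed frame interval */
/* Constructed pattern standing in for the internal data samples. */
static const unsigned char pattern[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Samples needed for one frame at the negotiated sample rate. */
static size_t samples_per_frame(unsigned rate_hz)
{
    return (size_t)rate_hz * FRAME_MS / 1000u;
}

/* "Before": copies exactly as many samples as the caller asked for. */
static size_t fill_unchecked(unsigned char *out, size_t samples)
{
    for (size_t i = 0; i < samples; i++)
        out[i] = pattern[i % sizeof(pattern)];
    return samples;
}

/* "After": clamps the request to the buffer capacity before copying. */
static size_t fill_clamped(unsigned char *out, size_t cap, size_t samples)
{
    return fill_unchecked(out, samples > cap ? cap : samples);
}

/* Fills an arena laid out as [buffer | guard] and returns how many guard
 * bytes were overwritten, i.e. how far the write ran past the buffer. */
static size_t overrun_bytes(size_t samples, int clamp)
{
    unsigned char arena[BUF_SAMPLES + GUARD_BYTES];
    size_t hit = 0;
    memset(arena, 0xEE, sizeof(arena));
    if (samples > sizeof(arena)) samples = sizeof(arena); /* keep the demo in bounds */
    if (clamp) fill_clamped(arena, BUF_SAMPLES, samples);
    else fill_unchecked(arena, samples);
    for (size_t i = BUF_SAMPLES; i < sizeof(arena); i++)
        hit += (arena[i] != 0xEE);
    return hit;
}

int main(void)
{
    size_t n = samples_per_frame(48000); /* 960 samples, above the 640 cap */
    printf("%zu samples: overrun %zu unchecked, %zu clamped\n", n, overrun_bytes(n, 0), overrun_bytes(n, 1));
    return 0;
}
```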

Changed in asterisk (Ubuntu):
status: New → Confirmed
assignee: nobody → Paul Belanger (pabelanger)
Steve Beattie (sbeattie)
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.8.10.1~dfsg-1ubuntu1

---------------
asterisk (1:1.8.10.1~dfsg-1ubuntu1) precise; urgency=low

  * Merge from Debian unstable. (LP: #987772, #956578, #956580, #956581)
  * Remaining changes:
    - debian/asterisk.init: chown /dev/dahdi
    - debian/backports/hardy: add file
    - debian/backports/asterisk.init.hardy: add file
    - Fix building on armhf with debian/patches/armhf-fixes:
      + Flatten linux-gnueabihf in configure to linux-gnu, in
        the same way that's already done for linux-gnueabi
  * Changes dropped from Ubuntu delta as no longer applicable:
    - debian/patches/backport-r312866.diff: Backported from upstream
    - debian/control: Build-depend on hardening-wrapper, now handled
      by dpkg-buildflags
    - debian/rules: Make use of hardening-wrapper

asterisk (1:1.8.10.1~dfsg-1) unstable; urgency=low

  [ Victor Seva ]
  * Update backports/squeeze script gmime2.6 -> gmime2.4

  [ Tzafrir Cohen ]
  * New upstrean bug-fix release.
    - Fixes "[CVE-2012-1183 - CVE-2012-1184] Asterisk: AST-2012-002 and
      AST-2012-003 flaws" (Closes: #664411).
  * Patch gmime2.6 (Closes: #663998, #664004), also fixed Build-Depends.
  * Remove the text of RFC 3951 from the tarball. (Closes: #665937)

asterisk (1:1.8.10.0~dfsg-1) unstable; urgency=low

  [ Tzafrir Cohen ]
  * New upstrean release.
  * Build-depend on sqlite3 as well (Closes: #531759).

  [ Paul Belanger ]
  * debian/patch/chan_iax2-detach-thread-on-non-stop-exit:
    - Dropped; merged upstream

  [ Mark Purcell ]
  * New Release:
    - Fixes "SHA-1 code is doesn't allow modification" (Closes: #643703)
    - Fixes "Placing calls on hold fails with some IP phones" (Closes: #632518)
    - Fixes "Pass the correct value to ast_timer_set_rate() for IAX2
    trunking." (Closes: #661974)
    - Fixes "Call quality on IAX significantly worse than SIP" (Closes: #481702)
    - Fixes "New upstream release: 1.8.2.2" (Closes: #610811)
    - Fixes "asterisk german number pronunciation" (Closes: #402991)
    - Fixes "Why using version 1.6.2.9 - it's not LTS" (Closes: #612147)
    - Fixes "SRTP/ZRTP support for Asterisk" (Closes: #577686)
    - Fixes "fails to register SIP channels on ARM" (Closes: #660240)
  * export CFLAGS LDFLAGS
    - Fixes "Hardening flags missing for menuselect" (Closes: #664086)
    - Fixes "enable hardening options" (Closes: #542741)

asterisk (1:1.8.8.2~dfsg-1) unstable; urgency=high

  * New upstream release, fixes AST-2012-001 (Closes: #656596).
  * Use CFLAGS and LDFLAGS from dpkg-buildflags (Closes: #653944).

asterisk (1:1.8.8.0~dfsg-1) unstable; urgency=high

  [ Faidon Liambotis ]
  * Fix Breaks/Conflicts to contain the epoch.
  * Urgency high since this resulted in file conflicts when upgrading from
    stable.
  * Patch reenable-pri-optional: Backport a patch from upstream to fix
    several PRI features being compiled-out and hence disabled.
  * Bump libpri-dev dependency to 1.4.12; it is not strictly needed but extra
    functionality is enabled at build-time.

  [ Tzafrir Cohen ]
  * New upstream release. Closes: #651552.
    - Patch reenable-pri-optional dropped: included upstream.
  * Officially r...


Changed in asterisk (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
