(CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions

Reported by Karma Dorje on 2012-07-08
Affects             Status         Importance   Assigned to   Milestone
Gentoo Linux        Fix Released   Low
asterisk (Debian)   Fix Released   Unknown
asterisk (Fedora)   Unknown        Unknown
asterisk (Ubuntu)                  Undecided    Unassigned
  Precise                          Undecided    Unassigned

Bug Description

+*asterisk-10.5.2 (06 Jul 2012)
+*asterisk-1.8.13.1 (06 Jul 2012)
+
+ 06 Jul 2012; Tony Vroon <email address hidden> -asterisk-1.8.13.0.ebuild,
+ -asterisk-1.8.13.0-r1.ebuild, +asterisk-1.8.13.1.ebuild,
+ -asterisk-10.5.1.ebuild, +asterisk-10.5.2.ebuild:
+ Upgrades on the 1.8 & 10 branches to address a potential resource leak when a
+ re-invite transaction is not completed (AST-2012-010) and on the 1.8 branch
+ only for a remote crash vulnerability in the voicemail application
+ (AST-2012-011). Both covered under CVE-2012-3812. Removed any non-stable
+ vulnerable ebuild.
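Review bot: the ChangeLog entry says both advisories are "covered under CVE-2012-3812", which does not match the CVE text later in this report: CVE-2012-3812 is the voicemail double free (AST-2012-011) and CVE-2012-3863 is the re-invite resource leak (AST-2012-010). The entry should cite both identifiers, e.g. "AST-2012-010 (CVE-2012-3863) and AST-2012-011 (CVE-2012-3812)".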

Arches, please test and mark stable:
=net-misc/asterisk-1.8.13.1

Last arch, please remove:
=net-misc/asterisk-1.8.12.1

J-ago (j-ago) wrote:

amd64 stable

Karma Dorje (taaroa) wrote:

AST-2012-010

If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional
response but never sends a final response, then the SIP dialog structure is never freed
and the RTP ports for the call are never released. If an attacker has the ability to place a
call, they could create a denial of service by using all available RTP ports.

References:

http://downloads.asterisk.org/pub/security/AST-2012-010.pdf
http://downloads.asterisk.org/pub/security/AST-2012-010.txt
http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff
http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff

summary: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in
- voice mail application
+ voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible
+ resource leak on uncompleted re-invite transactions
Changed in asterisk (Debian):
status: Unknown → Fix Committed
Changed in gentoo:
importance: Unknown → Low
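A constructed Python model of the failure mode AST-2012-010 (CVE-2012-3863) describes, added here as an illustration; it is not Asterisk's chan_sip.c code and not the upstream fix. It tracks one RTP port per SIP dialog, lets a re-INVITE be answered with a provisional response only, and shows that without a cleanup timer the pool is exhausted, while a reaper that tears down dialogs whose re-INVITE never got a final response returns the ports. The pool size, port range and `reinvite_timeout` value are assumptions chosen to make the exhaustion visible.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Dialog:
    """One SIP dialog and the RTP port reserved for its media."""
    call_id: str
    rtp_port: int
    reinvite_sent_at: Optional[float] = None  # None when no re-INVITE is outstanding


class RtpPool:
    """A tiny pool of RTP ports (constructed size so exhaustion is visible)."""

    def __init__(self, first_port: int, count: int) -> None:
        # RTP uses even ports; RTCP would take the odd port above each one.
        self.free = [first_port + 2 * i for i in range(count)]

    def acquire(self) -> Optional[int]:
        return self.free.pop(0) if self.free else None

    def release(self, port: int) -> None:
        self.free.append(port)


class SipCore:
    """Minimal dialog tracker. reinvite_timeout=None models the unpatched
    behaviour: a re-INVITE answered only by provisional responses keeps the
    dialog, and therefore its RTP port, alive forever."""

    def __init__(self, pool: RtpPool, reinvite_timeout: Optional[float]) -> None:
        self.pool = pool
        self.reinvite_timeout = reinvite_timeout
        self.dialogs: dict[str, Dialog] = {}

    def new_call(self, call_id: str) -> bool:
        port = self.pool.acquire()
        if port is None:
            return False  # RTP port exhaustion: the call cannot be set up
        self.dialogs[call_id] = Dialog(call_id, port)
        return True

    def send_reinvite(self, call_id: str, now: float) -> None:
        self.dialogs[call_id].reinvite_sent_at = now

    def on_response(self, call_id: str, status: int) -> None:
        d = self.dialogs[call_id]
        if status >= 200:
            d.reinvite_sent_at = None  # final response: transaction complete
        # 1xx provisional responses complete nothing and are ignored here.

    def hangup(self, call_id: str) -> None:
        d = self.dialogs.pop(call_id)
        self.pool.release(d.rtp_port)

    def reap(self, now: float) -> list[str]:
        """Mitigation: tear down dialogs whose re-INVITE never got a final response."""
        if self.reinvite_timeout is None:
            return []
        stale = [cid for cid, d in self.dialogs.items()
                 if d.reinvite_sent_at is not None
                 and now - d.reinvite_sent_at >= self.reinvite_timeout]
        for cid in stale:
            self.hangup(cid)
        return stale


def simulate(reinvite_timeout: Optional[float], pool_size: int = 4) -> dict:
    """Constructed scenario: pool_size calls each get a re-INVITE that the peer
    answers with 180 Ringing only, then the peers vanish. Reports how many
    dialogs the reaper freed and whether a fresh call can still be placed."""
    core = SipCore(RtpPool(10000, pool_size), reinvite_timeout)
    for i in range(pool_size):
        cid = f"call-{i}"
        assert core.new_call(cid)
        core.send_reinvite(cid, now=0.0)
        core.on_response(cid, 180)  # provisional only; no 200 OK ever arrives
    reaped = core.reap(now=120.0)  # reaper runs well after the timeout
    return {"reaped": len(reaped), "new_call_ok": core.new_call("fresh-call")}


if __name__ == "__main__":
    print("no timeout:", simulate(None))
    print("32s timeout:", simulate(32.0))
```

With `reinvite_timeout=None` every port stays reserved by a dialog that will never complete, so the fresh call fails; with a timeout the reaper releases all of them. The defender-side point is the same as the advisory's: any state that is allocated on a re-INVITE must have an owner that can time it out, or a peer that merely stops responding decides how long the resource lives.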

x86 stable

Ackle (ackle) wrote:

Thanks, everyone.

GLSA vote: yes.

CVE-2012-3812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3812):
  Double free vulnerability in apps/app_voicemail.c in Asterisk Open Source
  1.8.x before 1.8.13.1 and 10.x before 10.5.2, Certified Asterisk
  1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones
  10.x.x-digiumphones before 10.5.2-digiumphones allows remote authenticated
  users to cause a denial of service (daemon crash) by establishing multiple
  voicemail sessions and accessing both the Urgent mailbox and the INBOX
  mailbox.

CVE-2012-3863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3863):
  channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x
  before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified
  Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones
  10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a
  provisional response to a SIP reINVITE request, which allows remote
  authenticated users to cause a denial of service (RTP port exhaustion) via
  sessions that lack final responses.

Jamie Strandboge (jdstrand) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in asterisk (Ubuntu):
status: New → Triaged

Thanks, folks. GLSA Vote: yes too. Request filed.

Changed in asterisk (Debian):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package asterisk - 1:1.8.13.1~dfsg-1ubuntu1

---------------
asterisk (1:1.8.13.1~dfsg-1ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. (LP: #1022360, CVE-2012-3812)
    Remaining changes:
    - debian/asterisk.init: chown /dev/dahdi
    - Fix building on armhf with debian/patches/armhf-fixes:
      + Flatten linux-gnueabihf in configure to linux-gnu, in
        the same way that's already done for linux-gnueabi

asterisk (1:1.8.13.1~dfsg-1) unstable; urgency=low

  * New upstream release (Closes: #680470):
    - Fixes AST-2012-010 (CVE-2012-3863).
    - Fixes AST-2012-011 (CVE-2012-38612).
  * Patch AST-2012-012 (CVE-2012-2186): AMI User Shell Access with ExternalIVR
  * Patch AST-2012-012 (CVE-2012-4737): ACL rules ignored during calls
    by some IAX2 peers.
 -- Julian Taylor <email address hidden> Sat, 08 Sep 2012 12:38:06 +0200

Changed in asterisk (Ubuntu):
status: Triaged → Fix Released

This issue was resolved and addressed in
 GLSA 201209-15 at http://security.gentoo.org/glsa/glsa-201209-15.xml
by GLSA coordinator Sean Amoss (ackle).

Changed in gentoo:
status: Unknown → Fix Released