(CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions

Bug #1022360 reported by Karma Dorje
This bug affects 1 person
Affects             Status        Importance  Assigned to  Milestone
Gentoo Linux        Fix Released  Low
asterisk (Debian)   Fix Released  Unknown
asterisk (Fedora)   Fix Released  Medium
asterisk (Ubuntu)   Fix Released  Undecided   Unassigned
  Precise           Won't Fix     Undecided   Unassigned

Bug Description

In , J-ago (j-ago) wrote :
In , Chainsaw (chainsaw) wrote :

+*asterisk-10.5.2 (06 Jul 2012)
+*asterisk-1.8.13.1 (06 Jul 2012)
+
+ 06 Jul 2012; Tony Vroon <email address hidden> -asterisk-1.8.13.0.ebuild,
+ -asterisk-1.8.13.0-r1.ebuild, +asterisk-1.8.13.1.ebuild,
+ -asterisk-10.5.1.ebuild, +asterisk-10.5.2.ebuild:
+ Upgrades on the 1.8 & 10 branches to address a potential resource leak when a
+ re-invite transaction is not completed (AST-2012-010) and on the 1.8 branch
+ only for a remote crash vulnerability in the voicemail application
+ (AST-2012-011). Both covered under CVE-2012-3812. Removed any non-stable
+ vulnerable ebuild.
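Review bot: the closing sentence "Both covered under CVE-2012-3812" mis-assigns the re-invite resource leak (AST-2012-010). The bug summary and the NVD text quoted later in this report tie AST-2012-010 to CVE-2012-3863, with CVE-2012-3812 covering only the voicemail crash (AST-2012-011). Suggest rewording to "AST-2012-010 is CVE-2012-3863 and AST-2012-011 is CVE-2012-3812" so the ChangeLog can be matched to the advisories.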

Arches, please test and mark stable:
=net-misc/asterisk-1.8.13.1

Last arch, please remove:
=net-misc/asterisk-1.8.12.1

In , J-ago (j-ago) wrote :

amd64 stable

In , Kurt (kurt-redhat-bugs) wrote :
In , Kurt (kurt-redhat-bugs) wrote :

Created asterisk tracking bugs for this issue

Affects: fedora-17 [bug 838180]
Affects: fedora-16 [bug 838181]
Affects: epel-6 [bug 838182]

Karma Dorje (taaroa) wrote :

AST-2012-010

If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional
response but never sends a final response, then the SIP dialog structure is never freed
and the RTP ports for the call are never released. If an attacker has the ability to place a
call, they could create a denial of service by using all available RTP ports.

References:

http://downloads.asterisk.org/pub/security/AST-2012-010.pdf
http://downloads.asterisk.org/pub/security/AST-2012-010.txt
http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff
http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff

summary: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in
- voice mail application
+ voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible
+ resource leak on uncompleted re-invite transactions
Changed in asterisk (Debian):
status: Unknown → Fix Committed
Changed in gentoo:
importance: Unknown → Low
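The failure mode quoted above (a re-INVITE answered with a provisional response that is never followed by a final one) is something an operator can watch for in signalling logs. The following Python is an added example, not Asterisk code and not part of this bug report; it reads a constructed, simplified trace format (assumed here, not Asterisk's own log layout) and reports dialogs whose re-INVITE has waited longer than `timeout` seconds past its 1xx without a final response.

```python
import re
from collections import defaultdict

# Constructed, simplified signalling trace (not Asterisk's log format):
# "<seconds> <Call-ID> <tx|rx> <INVITE|status> cseq=<n>"; tx = sent by PBX.
TRACE = """\
10 call-a tx INVITE cseq=1
11 call-a rx 200 cseq=1
12 call-a tx INVITE cseq=2
13 call-a rx 183 cseq=2
40 call-b tx INVITE cseq=1
41 call-b rx 200 cseq=1
42 call-b tx INVITE cseq=2
43 call-b rx 183 cseq=2
44 call-b rx 200 cseq=2
45 call-c tx INVITE cseq=1
46 call-c rx 100 cseq=1
"""
LINE = re.compile(r"(\d+)\s+(\S+)\s+(tx|rx)\s+(\S+)\s+cseq=(\d+)")

def parse_trace(text):
    """Return (time, call_id, direction, message, cseq) tuples; junk lines are skipped."""
    out = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        t, call_id, direction, msg, cseq = m.groups()
        out.append((int(t), call_id, direction, msg, int(cseq)))
    return out

def stuck_reinvites(text, now, timeout=32):
    """Map Call-ID -> seconds a re-INVITE has waited on a 1xx with no final.
    RFC 3261 stops the INVITE transaction timer once a 1xx arrives, so the
    PBX must bound the wait itself (32 s = the classic 64*T1 timeout)."""
    txns = defaultdict(dict)  # call_id -> {cseq: {"prov": t|None, "final": t|None}}
    for t, call_id, direction, msg, cseq in parse_trace(text):
        if direction == "tx" and msg == "INVITE":
            txns[call_id][cseq] = {"prov": None, "final": None}
        elif direction == "rx" and msg.isdigit() and cseq in txns[call_id]:
            code, tx = int(msg), txns[call_id][cseq]
            if 100 <= code < 200 and tx["prov"] is None:
                tx["prov"] = t
            elif code >= 200:
                tx["final"] = t
    stuck = {}
    for call_id, by_cseq in txns.items():
        first = min(by_cseq)  # lowest CSeq is the initial INVITE, not a re-INVITE
        for cseq, tx in by_cseq.items():
            if cseq != first and tx["prov"] is not None and tx["final"] is None:
                if now - tx["prov"] > timeout:
                    stuck[call_id] = now - tx["prov"]
    return stuck
```

In the constructed trace only call-a is reported: call-b's re-INVITE completed with a 200, and call-c is an initial INVITE, which this advisory does not cover.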
In , Jdhore (jdhore) wrote :

x86 stable

In , Ackle (ackle) wrote :

Thanks, everyone.

GLSA vote: yes.

In , Glsamaker (glsamaker) wrote :

CVE-2012-3812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3812):
  Double free vulnerability in apps/app_voicemail.c in Asterisk Open Source
  1.8.x before 1.8.13.1 and 10.x before 10.5.2, Certified Asterisk
  1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones
  10.x.x-digiumphones before 10.5.2-digiumphones allows remote authenticated
  users to cause a denial of service (daemon crash) by establishing multiple
  voicemail sessions and accessing both the Urgent mailbox and the INBOX
  mailbox.

In , Glsamaker (glsamaker) wrote :

CVE-2012-3863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3863):
  channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x
  before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified
  Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones
  10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a
  provisional response to a SIP reINVITE request, which allows remote
  authenticated users to cause a denial of service (RTP port exhaustion) via
  sessions that lack final responses.

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in asterisk (Ubuntu):
status: New → Triaged
In , Fedora (fedora-redhat-bugs) wrote :

asterisk-10.5.2-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

In , Underling (underling) wrote :

Thanks, folks. GLSA Vote: yes too. Request filed.

Changed in asterisk (Debian):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.8.13.1~dfsg-1ubuntu1

---------------
asterisk (1:1.8.13.1~dfsg-1ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. (LP: #1022360, CVE-2012-3812)
    Remaining changes:
    - debian/asterisk.init: chown /dev/dahdi
    - Fix building on armhf with debian/patches/armhf-fixes:
      + Flatten linux-gnueabihf in configure to linux-gnu, in
        the same way that's already done for linux-gnueabi

asterisk (1:1.8.13.1~dfsg-1) unstable; urgency=low

  * New upstream release (Closes: #680470):
    - Fixes AST-2012-010 (CVE-2012-3863).
    - Fixes AST-2012-011 (CVE-2012-38612).
  * Patch AST-2012-012 (CVE-2012-2186): AMI User Shell Access with ExternalIVR
  * Patch AST-2012-012 (CVE-2012-4737): ACL rules ignored during calls
    by some IAX2 peers.
 -- Julian Taylor <email address hidden> Sat, 08 Sep 2012 12:38:06 +0200

Changed in asterisk (Ubuntu):
status: Triaged → Fix Released
In , Glsamaker (glsamaker) wrote :

This issue was resolved and addressed in
 GLSA 201209-15 at http://security.gentoo.org/glsa/glsa-201209-15.xml
by GLSA coordinator Sean Amoss (ackle).

Changed in gentoo:
status: Unknown → Fix Released
In , Kurt (kurt-redhat-bugs) wrote :

asterisk-1.8.18.0-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

In , Kurt (kurt-redhat-bugs) wrote :

asterisk-1.8.18.0-1.el6 has been pushed to the Epel 6 repository. If problems still persist, please make note of it in this bug report.

Changed in asterisk (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in asterisk (Ubuntu Precise):
status: New → Won't Fix
This report contains Public Security information
Everyone can see this security related information.