Outstanding security fixes in asterisk

Bug #1048093 reported by Allison Randal on 2012-09-09
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
asterisk (Debian)
Fix Released
Unknown
asterisk (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned

Bug Description

(Tracking some collaborative work with persia)

A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian. Update: this Debian release has now been merged to quantal, see LP: #1022360

The patch for AST-2012-012 (CVE-2012-4737) from Debian 1:1.8.13.1~dfsg-1 does not apply cleanly to precise package 1:1.8.10.1~dfsg-1ubuntu1. The patch modifies code already changed by AST-2012-004 and other merged changes from upstream 1.4 and 1.6 series (see r314628, r363141, r364841). The change is too disruptive for inclusion in precise SRU, and severity is only rated as "Minor".

Fixes for the other 3 CVEs have been cherrypicked to precise asterisk package:

[Impact]
DoS exploits for voice mail and re-invite transactions, ACL bypass for IAX2 peer calls.

[Test Cases]
Steps to reproduce each issue provided in upstream bug reports:
https://issues.asterisk.org/jira/browse/ASTERISK-19992
https://issues.asterisk.org/jira/browse/ASTERISK-20052
https://issues.asterisk.org/jira/browse/ASTERISK-20186

Testers will need to install both 'asterisk' and 'asterisk-voicemail' packages. A simple asterisk configuration is attached to the bug report.

[Regression Potential]
Minimal, no known regressions in asterisk issue tracker or Debian BTS.

Also recommend 1:1.8.13.1~dfsg-1ubuntu1 for possible precise Backport (from quantal). It includes some feature additions and many non-critical fixes (too many to SRU the whole package), sufficient for some users to prefer the more recent version.

It is unlikely that cherrypicked patches for precise will apply cleanly to oneiric, given the code drift between 1.8.4 and 1.8.10. All CVEs affect only 1.8.x series of asterisk, so no work is needed for releases earlier than oneiric.

Allison Randal (allison) on 2012-09-09
description: updated
Allison Randal (allison) on 2012-09-09
description: updated
Dave Walker (davewalker) wrote :

Hey, i believe these are fixed in Quantal.. but Precise should be nominated?

Allison Randal (allison) wrote :
description: updated
Allison Randal (allison) wrote :

Yes, jtaylor made the quantal release last night.

I've linked in a branch with an SRU candidate for precise. Nominated for precise.

Emmet Hikory (persia) on 2012-09-10
Changed in asterisk (Ubuntu Quantal):
status: New → Fix Released
Changed in asterisk (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.