Remote Crash Vulnerability in Milliwatt Application
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
asterisk (Ubuntu) | Fix Released | Undecided | Paul Belanger | |
Bug Description
An attacker can cause Asterisk to crash in one of two ways:
1. A dialplan uses the Milliwatt application with 'o' option
2. The internal_timing option in asterisk.conf is off
3. The attacker sends a large audio packet. The number of samples in the audio packet determines the number of internal data samples that are copied into the buffer. This overruns the buffer, potentially causing a crash.
OR
1. A dialplan uses the Milliwatt application with the 'o' option
2. The attacker negotiates a media format with a sampling rate greater than 32kHz. The application will attempt to generate an audio packet using the sample rate of the negotiated format, where the sample rate will require a number of data points greater than the size of the buffer. Again, the application copies a number of internal data samples into the buffer that are greater than the size of the buffer, potentially causing a crash.
Note that the latter attack vector is only possible in Asterisk 10, as it supports codecs with a sample rate greater than 32kHz.
http://
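The overrun described in the report, reduced to a sketch with the unchecked copy beside a clamped one. This is an added example, not Asterisk's source or the upstream patch; the 640-sample buffer, the 20 ms frame, the pattern values and all function names are assumptions chosen so that rates above 32kHz exceed the buffer, as the description states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SAMPLES 640u  /* assumed capacity: one 20 ms frame at 32 kHz */
#define FRAME_MS    20u   /* assumed frame length */

/* Constructed 8-entry pattern standing in for the generator's internal samples. */
static const uint8_t pattern[8] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Samples one frame needs at a negotiated rate (second vector in the report). */
size_t frame_samples(unsigned rate_hz)
{
    return (size_t)(rate_hz / 1000u) * FRAME_MS;
}

/* Unchecked form from the report: the copy length is whatever the peer's
 * packet or codec implies, so requested > BUF_SAMPLES writes past buf. */
void fill_unchecked(uint8_t *buf, size_t requested, size_t *pos)
{
    for (size_t i = 0; i < requested; i++)
        buf[i] = pattern[(*pos)++ & 7];
}

/* Checked form: clamp the request to the buffer capacity before copying
 * and return how many samples were actually produced. */
size_t fill_checked(uint8_t *buf, size_t cap, size_t requested, size_t *pos)
{
    size_t n = requested > cap ? cap : requested;
    for (size_t i = 0; i < n; i++)
        buf[i] = pattern[(*pos)++ & 7];
    return n;
}

int main(void)
{
    uint8_t buf[BUF_SAMPLES + 1];
    size_t pos = 0;
    unsigned rates[] = {8000, 32000, 48000};   /* constructed inputs */
    buf[BUF_SAMPLES] = 0xAA;                   /* canary just past the frame */
    for (size_t i = 0; i < 3; i++) {
        size_t want = frame_samples(rates[i]);
        size_t got = fill_checked(buf, BUF_SAMPLES, want, &pos);
        printf("%u Hz: want %zu, wrote %zu, canary %s\n", rates[i], want, got,
               buf[BUF_SAMPLES] == 0xAA ? "intact" : "clobbered");
    }
    return 0;
}
```

The same clamp covers the first vector, where the requested count comes from the sample count of an incoming packet rather than from the codec rate.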
Changed in asterisk (Ubuntu):
status: New → Confirmed
assignee: nobody → Paul Belanger (pabelanger)
visibility: private → public
This bug was fixed in the package asterisk - 1:1.8.10.1~dfsg-1ubuntu1
---------------
asterisk (1:1.8.10.1~dfsg-1ubuntu1) precise; urgency=low
* Merge from Debian unstable. (LP: #987772, #956578, #956580, #956581)
* Remaining changes:
- debian/asterisk.init: chown /dev/dahdi
- debian/backports/hardy: add file
- debian/backports/asterisk.init.hardy: add file
- Fix building on armhf with debian/patches/armhf-fixes:
+ Flatten linux-gnueabihf in configure to linux-gnu, in
the same way that's already done for linux-gnueabi
* Changes dropped from Ubuntu delta as no longer applicable:
- debian/patches/backport-r312866.diff: Backported from upstream
- debian/control: Build-depend on hardening-wrapper, now handled
by dpkg-buildflags
- debian/rules: Make use of hardening-wrapper
asterisk (1:1.8.10.1~dfsg-1) unstable; urgency=low
[ Victor Seva ]
* Update backports/squeeze script gmime2.6 -> gmime2.4
[ Tzafrir Cohen ]
* New upstream bug-fix release.
- Fixes "[CVE-2012-1183 - CVE-2012-1184] Asterisk: AST-2012-002 and
AST-2012-003 flaws" (Closes: #664411).
* Patch gmime2.6 (Closes: #663998, #664004), also fixed Build-Depends.
* Remove the text of RFC 3951 from the tarball. (Closes: #665937)
asterisk (1:1.8.10.0~dfsg-1) unstable; urgency=low
[ Tzafrir Cohen ]
* New upstream release.
* Build-depend on sqlite3 as well (Closes: #531759).
[ Paul Belanger ]
* debian/patch/chan_iax2-detach-thread-on-non-stop-exit:
- Dropped; merged upstream
[ Mark Purcell ]
* New Release:
- Fixes "SHA-1 code is doesn't allow modification" (Closes: #643703)
- Fixes "Placing calls on hold fails with some IP phones" (Closes: #632518)
- Fixes "Pass the correct value to ast_timer_set_rate() for IAX2
trunking." (Closes: #661974)
- Fixes "Call quality on IAX significantly worse than SIP" (Closes: #481702)
- Fixes "New upstream release: 1.8.2.2" (Closes: #610811)
- Fixes "asterisk german number pronunciation" (Closes: #402991)
- Fixes "Why using version 1.6.2.9 - it's not LTS" (Closes: #612147)
- Fixes "SRTP/ZRTP support for Asterisk" (Closes: #577686)
- Fixes "fails to register SIP channels on ARM" (Closes: #660240)
* export CFLAGS LDFLAGS
- Fixes "Hardening flags missing for menuselect" (Closes: #664086)
- Fixes "enable hardening options" (Closes: #542741)
asterisk (1:1.8.8.2~dfsg-1) unstable; urgency=high
* New upstream release, fixes AST-2012-001 (Closes: #656596).
* Use CFLAGS and LDFLAGS from dpkg-buildflags (Closes: #653944).
asterisk (1:1.8.8.0~dfsg-1) unstable; urgency=high
[ Faidon Liambotis ]
* Fix Breaks/Conflicts to contain the epoch.
* Urgency high since this resulted in file conflicts when upgrading from
stable.
* Patch reenable-pri-optional: Backport a patch from upstream to fix
several PRI features being compiled-out and hence disabled.
* Bump libpri-dev dependency to 1.4.12; it is not strictly needed but extra
functionality is enabled at build-time.
[ Tzafrir Cohen ]
* New upstream release. Closes: #651552.
- Patch reenable-pri-optional dropped: included upstream.
* Officially r...