CVE-2009-2651: Remote Crash Vulnerability in RTP stack


Debian Bug report logs - #539473


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Sat, 1 Aug 2009 09:00:02 UTC

Severity: serious

Tags: patch, security

Found in version asterisk/1:1.6.2.0~dfsg~beta3-1

Fixed in version asterisk/1:1.6.2.0~dfsg~rc1-1

Done: Faidon Liambotis <paravoid@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#539473; Package asterisk. (Sat, 01 Aug 2009 09:00:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 01 Aug 2009 09:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Date: Sat, 01 Aug 2009 10:57:33 +0200
Package: asterisk
Version: 1:1.6.2.0~dfsg~beta3-1
Severity: serious
Tags: security patch


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.

CVE-2009-2651[0]:
| main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote
| attackers to cause a denial of service (crash) via an RTP text frame
| without a certain delimiter, which triggers a NULL pointer dereference
| and the subsequent calculation of an invalid pointer.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2651
    http://security-tracker.debian.net/tracker/CVE-2009-2651
    http://downloads.asterisk.org/pub/security/AST-2009-004.html
    Patch: http://downloads.asterisk.org/pub/security/AST-2009-004-1.6.1.diff.txt

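The CVE text above describes a parser that searches an RTP text frame for a delimiter and, finding none, carries on with pointer arithmetic on the NULL result. The following is an added example, not code from this report or from Asterisk's main/rtp.c: a bounds-checked RTP text-frame parser that rejects such a frame instead. The "<header>,<text>" payload layout, the ',' delimiter and the sample packets are assumptions constructed for the example; the RTP header parsing follows RFC 3550.

```c
/* Added example, not code from the bug report or from Asterisk's main/rtp.c:
 * a bounds-checked parser for an RTP packet (RFC 3550 header) carrying an
 * assumed "<header>,<text>" payload; the sample packets are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct text_frame {
    unsigned pt;                 /* RTP payload type (7 bits) */
    const unsigned char *text;   /* points into the caller's buffer */
    size_t text_len;
};

/* Returns 0 and fills *out on success, -1 for any malformed packet. Every
 * offset is checked against len before use, and the delimiter search result
 * is checked for NULL before any pointer arithmetic: an unchecked `sep + 1`
 * on a NULL sep is the "calculation of an invalid pointer" the CVE names. */
int parse_rtp_text(const unsigned char *pkt, size_t len, struct text_frame *out)
{
    if (pkt == NULL || out == NULL || len < 12 || (pkt[0] >> 6) != 2)
        return -1;                              /* short, or not RTP v2 */

    size_t off = 12 + 4 * (size_t)(pkt[0] & 0x0f); /* fixed header + CSRCs */
    if (pkt[0] & 0x10) {                        /* X bit: header extension */
        if (len < off + 4)
            return -1;
        off += 4 + 4 * (((size_t)pkt[off + 2] << 8) | pkt[off + 3]);
    }
    if (pkt[0] & 0x20) {                        /* P bit: trailing padding */
        size_t pad = pkt[len - 1];
        if (pad == 0 || pad > len)
            return -1;
        len -= pad;
    }
    if (off >= len)
        return -1;                              /* no payload bytes at all */

    /* memchr is bounded by the payload length, so it cannot read past the
     * packet; a missing delimiter yields NULL and the frame is rejected. */
    const unsigned char *sep = memchr(pkt + off, ',', len - off);
    if (sep == NULL || sep == pkt + off)
        return -1;                              /* no delimiter / empty header */

    out->pt = pkt[1] & 0x7f;
    out->text = sep + 1;
    out->text_len = (size_t)((pkt + len) - out->text);
    return 0;
}

/* Constructed packets: V=2, PT=98, 12-byte header, then the text payload. */
static const unsigned char good_pkt[] = {
    0x80, 0x62, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,
    'h', 'd', 'r', ',', 'h', 'e', 'l', 'l', 'o'
};
static const unsigned char nodelim_pkt[] = {    /* same, but without ',' */
    0x80, 0x62, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,
    'h', 'd', 'r', ' ', 'h', 'e', 'l', 'l', 'o'
};

int main(void)
{
    struct text_frame tf;
    if (parse_rtp_text(good_pkt, sizeof good_pkt, &tf) == 0)
        printf("pt %u, text \"%.*s\"\n", tf.pt, (int)tf.text_len,
               (const char *)tf.text);
    if (parse_rtp_text(nodelim_pkt, sizeof nodelim_pkt, &tf) != 0)
        printf("frame without delimiter rejected\n");
    return 0;
}
```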




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#539473; Package asterisk. (Sat, 12 Sep 2009 21:48:13 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 12 Sep 2009 21:48:13 GMT)


Message #10 received at 539473@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: control@bugs.debian.org
Cc: 532971@bugs.debian.org, 539150@bugs.debian.org, 539473@bugs.debian.org, 541441@bugs.debian.org
Subject: setting package to asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-h423 ...
Date: Sun, 13 Sep 2009 00:42:13 +0300
# Automatically generated email from bts, devscripts version 2.10.35lenny3
# via tagpending 
#
# asterisk (1:1.6.2.0~dfsg~rc1-1) UNRELEASED; urgency=low
#
#  * New upstream release.
#    - Fixes CVE-2009-2726 aka AST-2009-005 (Closes: #541441).
#    - Ship CC BY-SA 3.0 licensed music-on-hold sounds, replacing the old
#      non-free FreePlay Music that were never distributed by Debian.
#    - Removed patches/makefile_appdocs_dtd (merged upstream) and
#      patches/disable_moh (obsoleted, see above).
#  * Fix FTBFS on armel. (Closes: #532971)
#  * Fix name of voicemail 'openssl' dep. (Thomas Renard) (Closes: #539150)
#  * Patch AST-2009-006: Closes: #539473 but breaks IAX2 compatibility. 

package asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-h423
tags 541441 + pending
tags 532971 + pending
tags 539150 + pending
tags 539473 + pending





Added tag(s) pending. Request was from Tzafrir Cohen <tzafrir.cohen@xorcom.com> to control@bugs.debian.org. (Sat, 12 Sep 2009 21:48:19 GMT)


Reply sent to Faidon Liambotis <paravoid@debian.org>:
You have taken responsibility. (Sun, 13 Sep 2009 00:24:14 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 13 Sep 2009 00:24:14 GMT)


Message #17 received at 539473-close@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: 539473-close@bugs.debian.org
Subject: Bug#539473: fixed in asterisk 1:1.6.2.0~dfsg~rc1-1
Date: Sun, 13 Sep 2009 00:02:25 +0000
Source: asterisk
Source-Version: 1:1.6.2.0~dfsg~rc1-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.2.0~dfsg~rc1-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-dbg_1.6.2.0~dfsg~rc1-1_i386.deb
  to pool/main/a/asterisk/asterisk-dbg_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk-dev_1.6.2.0~dfsg~rc1-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-doc_1.6.2.0~dfsg~rc1-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-h423_1.6.2.0~dfsg~rc1-1_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk-sounds-main_1.6.2.0~dfsg~rc1-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.6.2.0~dfsg~rc1-1_all.deb
asterisk_1.6.2.0~dfsg~rc1-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1.diff.gz
asterisk_1.6.2.0~dfsg~rc1-1.dsc
  to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1.dsc
asterisk_1.6.2.0~dfsg~rc1-1_i386.deb
  to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk_1.6.2.0~dfsg~rc1.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 539473@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 13 Sep 2009 02:22:17 +0300
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.2.0~dfsg~rc1-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 532971 539150 539473 541441
Changes: 
 asterisk (1:1.6.2.0~dfsg~rc1-1) unstable; urgency=low
 .
   [ Faidon Liambotis ]
   * New upstream release.
     - Fixes CVE-2009-2726 aka AST-2009-005 (Closes: #541441).
     - Ship CC BY-SA 3.0 licensed music-on-hold sounds, replacing the old
       non-free FreePlay Music that were never distributed by Debian.
     - Removed patches/makefile_appdocs_dtd (merged upstream) and
       patches/disable_moh (obsoleted, see above).
   * Fix FTBFS on armel. (Closes: #532971)
   * Bump Standards-Version to 3.8.3, no changes needed.
   * Provides: asterisk-1.6.2, instead of 1.6.1; there are no ABI guarantees
     between 1.6.x releases.
   * Remove references of Section: comm in individual binary packages as it is
     inherited from the source package.
 .
   [ Tzafrir Cohen ]
   * Patch hardware_dtmf_mute_fix removed: Applied upstream.
   * No need for a separate app_directory_odbc (will use app_voicemail_odbc).
   * Fix name of voicemail 'openssl' dep. (Thomas Renard) (Closes: #539150)
   * Patch AST-2009-006: breaks IAX2 compatibility, note it in NEWS.Debian.
     (Closes: #539473)






Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#539473; Package asterisk. (Wed, 16 Sep 2009 19:18:37 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 16 Sep 2009 19:18:37 GMT)


Message #22 received at 539473@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 539473@bugs.debian.org
Subject: Re: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Date: Wed, 16 Sep 2009 21:17:44 +0200
On Sat, Aug 01, 2009 at 10:57:33AM +0200, Giuseppe Iuculano wrote:
> Package: asterisk
> Version: 1:1.6.2.0~dfsg~beta3-1
> Severity: serious
> Tags: security patch
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk.
> 
> CVE-2009-2651[0]:
> | main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote
> | attackers to cause a denial of service (crash) via an RTP text frame
> | without a certain delimiter, which triggers a NULL pointer dereference
> | and the subsequent calculation of an invalid pointer.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2651
>     http://security-tracker.debian.net/tracker/CVE-2009-2651
>     http://downloads.asterisk.org/pub/security/AST-2009-004.html
>     Patch: http://downloads.asterisk.org/pub/security/AST-2009-004-1.6.1.diff.txt

Asterisk maintainers, what should be done about stable? Would it
make sense to update the stable version to 1.4.26.2 in a point update?
(IIRC there's still a performance regression affecting Lenny from
a previous security update?)

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#539473; Package asterisk. (Wed, 16 Sep 2009 20:24:25 GMT)


Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 16 Sep 2009 20:24:25 GMT)


Message #27 received at 539473@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 539473@bugs.debian.org
Subject: Re: Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Date: Wed, 16 Sep 2009 23:21:39 +0300
Hi,

Moritz Muehlenhoff wrote:
> Asterisk maintainers, what should be done about stable? Would it
> make sense to update the stable version to 1.4.26.2 in a point update?
> (IIRC there's still a performance regression affecting Lenny from
> a previous security update?)
This particular vulnerability does not affect lenny/1.4.

There hasn't been a security update for lenny yet, perhaps you're
thinking etch?

You are right that we should do an update for a point release of lenny
though to address a minor information disclosure vulnerability[1], plus
some other non-security related bugs. However, I'd like to avoid
upgrading to a newer 1.4.x release but backport changes instead; we used
to heavily patch our sources and changing the upstream release is prone
to errors.

As for etch, the current version should be affected by multiple
vulnerabilities (information disclosure *and* remote DoS) and I'm
currently unable to properly take care of them and test it. Unless a
comaintainer steps up (please people, do!) I'd be more inclined to suggest
a premature end of security support (are there precedents for this?)

Thanks,
Faidon

1: http://downloads.asterisk.org/pub/security/AST-2009-001.html




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#539473; Package asterisk. (Sun, 04 Oct 2009 19:33:02 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 04 Oct 2009 19:33:02 GMT)


Message #32 received at 539473@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Faidon Liambotis <paravoid@debian.org>
Cc: 539473@bugs.debian.org
Subject: Re: Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Date: Sun, 4 Oct 2009 21:25:00 +0200
Sorry for the late followup, I've been on vacation.

On Wed, Sep 16, 2009 at 11:21:39PM +0300, Faidon Liambotis wrote:
> Hi,
> 
> Moritz Muehlenhoff wrote:
> > Asterisk maintainers, what should be done about stable? Would it
> > make sense to update the stable version to 1.4.26.2 in a point update?
> > (IIRC there's still a performance regression affecting Lenny from
> > a previous security update?)
> This particular vulnerability does not affect lenny/1.4.
> 
> There hasn't been a security update for lenny yet, perhaps you're
> thinking etch?

Yes, I seem to have confused this.
 
> You are right that we should do an update for a point release of lenny
> though to address a minor information disclosure vulnerability[1], plus
> some other non-security related bugs. However, I'd like to avoid
> upgrading to a newer 1.4.x release but backport changes instead; we used
> to heavily patch our sources and changing the upstream release is prone
> to errors.

Fine with me.
 
> As for etch, the current version should be affected by multiple
> vulnerabilities (information disclosure *and* remote DoS) and I'm
> currently unable to properly take care of them and test it. Unless a
> comaintainer steps up (please people, do!) I'd be more inclined to suggest
> a premature end of security support (are there precedents for this?)

We can do that, yes. There are some precedents, like rails or Mozilla.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#539473; Package asterisk. (Mon, 05 Oct 2009 12:42:03 GMT)


Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 05 Oct 2009 12:42:03 GMT)


Message #37 received at 539473@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 539473@bugs.debian.org
Subject: Re: Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Date: Mon, 05 Oct 2009 15:02:55 +0300
Moritz Muehlenhoff wrote:
>> You are right that we should do an update for a point release of lenny
>> though to address a minor information disclosure vulnerability[1], plus
>> some other non-security related bugs. However, I'd like to avoid
>> upgrading to a newer 1.4.x release but backport changes instead; we used
>> to heavily patch our sources and changing the upstream release is prone
>> to errors.
> 
> Fine with me.
OK, will do soon.

>> As for etch, the current version should be affected by multiple
>> vulnerabilities (information disclosure *and* remote DoS) and I'm
>> currently unable to properly take care of them and test it. Unless a
>> comaintainer steps up (please people, do!) I'd be more inclined to suggest
>> a premature end of security support (are there precedents for this?)
> 
> We can do that, yes. There are some precedents, like rails or Mozilla.
Hm, OK, I'll let you know in a few days.
I guess an e-mail to security@d.o would be sufficient?

Thanks,
Faidon




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#539473; Package asterisk. (Mon, 05 Oct 2009 22:09:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 05 Oct 2009 22:09:03 GMT)


Message #42 received at 539473@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Faidon Liambotis <paravoid@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 539473@bugs.debian.org
Subject: Re: Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Date: Tue, 6 Oct 2009 00:05:41 +0200
On Mon, Oct 05, 2009 at 03:02:55PM +0300, Faidon Liambotis wrote:
> Moritz Muehlenhoff wrote:
> >> You are right that we should do an update for a point release of lenny
> >> though to address a minor information disclosure vulnerability[1], plus
> >> some other non-security related bugs. However, I'd like to avoid
> >> upgrading to a newer 1.4.x release but backport changes instead; we used
> >> to heavily patch our sources and changing the upstream release is prone
> >> to errors.
> > 
> > Fine with me.
> OK, will do soon.
> 
> >> As for etch, the current version should be affected by multiple
> >> vulnerabilities (information disclosure *and* remote DoS) and I'm
> >> currently unable to properly take care of them and test it. Unless a
> >> comaintainer steps up (please people, do!) I'd be more inclined to suggest
> >> a premature end of security support (are there precedents for this?)
> > 
> > We can do that, yes. There are some precedents, like rails or Mozilla.

> Hm, OK, I'll let you know in a few days.
> I guess an e-mail to security@d.o would be sufficient?

We can announce the EOL for Etch when the next Asterisk DSA appears for Lenny,
but feel free to post to debian-securityl.d.o earlier.

Cheers,
        Moritz




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Nov 2009 07:42:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:04:30 2019; Machine Name: buxtehude
