AST-2009-001: Information leak in IAX2 authentication

Related Vulnerabilities: CVE-2008-0041, CVE-2009-0041

Debian Bug report logs - #513413


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 28 Jan 2009 21:33:02 UTC

Severity: important

Tags: patch

Fixed in version asterisk/1:1.6.1.0~dfsg~rc3-1

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#513413; Package asterisk. (Wed, 28 Jan 2009 21:33:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 28 Jan 2009 21:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: AST-2009-001: Information leak in IAX2 authentication
Date: Wed, 28 Jan 2009 22:31:00 +0100
Package: asterisk
Severity: normal

Please see CVE-2008-0041:
http://www.securityfocus.com/archive/1/archive/1/499884/100/0/threaded

This doesn't warrant a DSA, but please keep in mind for the next
Asterisk DSA (which will surely come in the future).

Cheers,
        Moritz

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages asterisk depends on:
ii  adduser                3.110             add and remove users and groups
pn  asterisk-config | aste <none>            (no description available)
pn  asterisk-sounds-main   <none>            (no description available)
ii  libasound2             1.0.16-2          ALSA library
pn  libc-client2007b       <none>            (no description available)
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libcap1                1:1.10-14         support for getting/setting POSIX.
ii  libcurl3               7.18.2-8          Multi-protocol file transfer libra
ii  libgcc1                1:4.3.3-1         GCC support library
ii  libgsm1                1.0.12-1          Shared libraries for GSM speech co
pn  libiksemel3            <none>            (no description available)
ii  libncurses5            5.7+20090124-1    shared libraries for terminal hand
ii  libnewt0.52            0.52.2-11.3       Not Erik's Windowing Toolkit - tex
ii  libogg0                1.1.3-4           Ogg Bitstream Library
ii  libpopt0               1.14-4            lib for parsing cmdline parameters
ii  libpq5                 8.3.5-1           PostgreSQL C client library
pn  libpri1.0              <none>            (no description available)
pn  libradiusclient-ng2    <none>            (no description available)
pn  libsnmp15              <none>            (no description available)
ii  libspeex1              1.2~rc1-1         The Speex codec runtime library
pn  libspeexdsp1           <none>            (no description available)
pn  libsqlite0             <none>            (no description available)
ii  libssl0.9.8            0.9.8g-15         SSL shared libraries
ii  libstdc++6             4.3.3-1           The GNU Standard C++ Library v3
pn  libtonezone1           <none>            (no description available)
ii  libvorbis0a            1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libvorbisenc2          1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
pn  libvpb0                <none>            (no description available)
pn  unixodbc               <none>            (no description available)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

asterisk recommends no packages.

Versions of packages asterisk suggests:
pn  asterisk-dev                  <none>     (no description available)
pn  asterisk-doc                  <none>     (no description available)
pn  asterisk-h423                 <none>     (no description available)
pn  ekiga                         <none>     (no description available)
pn  kphone                        <none>     (no description available)
pn  ohphone                       <none>     (no description available)
pn  twinkle                       <none>     (no description available)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#513413; Package asterisk. (Sun, 08 Feb 2009 12:42:02 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 08 Feb 2009 12:42:02 GMT)


Message #10 received at 513413@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 513413@bugs.debian.org
Cc: control@bugs.debian.org, 514524-done@bugs.debian.org
Subject: Re: AST-2009-001: Information leak in IAX2 authentication
Date: Sun, 8 Feb 2009 13:39:44 +0100
tags 513413 + patch
severity 513413 important
thanks

Missed that Moritz already filed a bug.

A patch for this issue is at:
http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff

It applies fine to the package currently in unstable.

Btw, this is CVE-2009-0041, not CVE-2008-0041.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 08 Feb 2009 12:42:04 GMT)


Severity set to `important' from `normal' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 08 Feb 2009 12:42:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#513413; Package asterisk. (Sat, 21 Feb 2009 17:21:02 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 21 Feb 2009 17:21:02 GMT)


Message #19 received at 513413@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: control@bugs.debian.org
Cc: 513413@bugs.debian.org
Subject: setting package to asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-h423 ...
Date: Sat, 21 Feb 2009 19:20:26 +0200
# Automatically generated email from bts, devscripts version 2.10.35lenny2
# via tagpending 
#
# asterisk (1:1.4.21.2~dfsg-4) unstable; urgency=low
#
#  * Patch AST-2009-001 - Fix CVE-2009-0041 - Information leak in IAX2
#    authentication (Closes: #513413).
#

package asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-h423
tags 513413 + pending





Tags added: pending Request was from Tzafrir Cohen <tzafrir.cohen@xorcom.com> to control@bugs.debian.org. (Sat, 21 Feb 2009 17:21:05 GMT)


Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility. (Mon, 30 Mar 2009 07:18:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 30 Mar 2009 07:18:03 GMT)


Message #26 received at 513413-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 513413-close@bugs.debian.org
Subject: Bug#513413: fixed in asterisk 1:1.6.1.0~dfsg~rc3-1
Date: Mon, 30 Mar 2009 06:53:09 +0000
Source: asterisk
Source-Version: 1:1.6.1.0~dfsg~rc3-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.1.0~dfsg~rc3-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.6.1.0~dfsg~rc3-1_all.deb
asterisk-dbg_1.6.1.0~dfsg~rc3-1_i386.deb
  to pool/main/a/asterisk/asterisk-dbg_1.6.1.0~dfsg~rc3-1_i386.deb
asterisk-dev_1.6.1.0~dfsg~rc3-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.6.1.0~dfsg~rc3-1_all.deb
asterisk-doc_1.6.1.0~dfsg~rc3-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.6.1.0~dfsg~rc3-1_all.deb
asterisk-h423_1.6.1.0~dfsg~rc3-1_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.6.1.0~dfsg~rc3-1_i386.deb
asterisk-progdoc_1.6.1.0~dfsg~rc3-1_all.deb
  to pool/main/a/asterisk/asterisk-progdoc_1.6.1.0~dfsg~rc3-1_all.deb
asterisk-sounds-main_1.6.1.0~dfsg~rc3-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.6.1.0~dfsg~rc3-1_all.deb
asterisk_1.6.1.0~dfsg~rc3-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg~rc3-1.diff.gz
asterisk_1.6.1.0~dfsg~rc3-1.dsc
  to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg~rc3-1.dsc
asterisk_1.6.1.0~dfsg~rc3-1_i386.deb
  to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg~rc3-1_i386.deb
asterisk_1.6.1.0~dfsg~rc3.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg~rc3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 29 Mar 2009 22:21:47 +1100
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-progdoc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.1.0~dfsg~rc3-1
Distribution: experimental
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-progdoc - Source code documentation for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 513413
Changes: 
 asterisk (1:1.6.1.0~dfsg~rc3-1) experimental; urgency=low
 .
   [ Tzafrir Cohen ]
   * Experimental 1.6.x branch.
   * Remove bristuff for now.
   * Also drop zap-fix-deadlock and zap-fix-cause34 that are in bristuff code.
   * And likewise the example agi/xagi-test.c .
   * Drop patch silence-buildsum-warning - a legitimate change for 1.6.x .
   * Refresh patch debian-banner.
   * Slightly rework patch hack-multiple-app-voicemail
   * Drop patch h423 fixes as they fail and I don't fully understand them.
   * drop patch func_devstate: was backport from 1.6.
   * drop patch feature-bridge: was backport from 1.6.
   * Drop vpb-handle-nocards that is not needed anymore.
   * Patch disable_moh: Disable MOH file through the XML spec.
   * Don't do any makeopts manipulation in the rules, as makeopts gets
     regenerated when running 'make install', rendering build-*-stamp
     useless.
   * Patch libtonezone_libm: libtonezone requires -lm .
   * Separate API documentation to the progdoc package.
   * Move configuration files to the doc package, as they are reference.
   * Include the new asterisk.pdf .
   * Depend on libgmime: allows uploads in the built-in httpd.
   * Depend on libjack. Though app_jack also depends on libresample.
   * Depend on liblua: For pbx_lua (dialplan in lua).
   * Depend on libss7 and newer libpri (1.4.7) for latest chan_dahdi abilities.
   * Depend on libtonezone from dahdi (ver. 2.0).
   * Includes fix for AST-2009-001 (Closes: #513413).
   * Remove hashtest and hashtest2: debugging utilities.
   * Patch zap-fix-timing-source removed: Problem fixed.
   * Build-Depends on libopenais-dev (for res_ais.so)
   * Build-Depends on libosptk3-dev (for app_osplookup.so)
   * Patch dahdi-fxsks-hookstate: Fix FXO dialout issue.
   * Patch h423-make-fix: No, we should not need to run 'make' twice.
 .
   [ Victor Seva ]
   * Drop patch misdn_FOP. Applied upstream (r112521 branches/1.6.0/).
 .
   [ Mark Purcell ]
   * Update debian/watch
   * asterisk-dbg -> Section: debug
Checksums-Sha1: 
 e2e212fd69572cd2e2d9121a6c94e1977fc8689f 2083 asterisk_1.6.1.0~dfsg~rc3-1.dsc
 a5151e4f14ffb0d90d888bd36d817713f22eed25 7524009 asterisk_1.6.1.0~dfsg~rc3.orig.tar.gz
 fa9c5c7e8aea634e4b461e0343852d1b3cb9fa42 54836 asterisk_1.6.1.0~dfsg~rc3-1.diff.gz
 a1da4e26d62eabf5846962d4313f430798331407 1961022 asterisk-doc_1.6.1.0~dfsg~rc3-1_all.deb
 d79500a73374993c64b96d0133c86a1f32d0b6d0 45271920 asterisk-progdoc_1.6.1.0~dfsg~rc3-1_all.deb
 40b7ebfd712f75d5c4d4a1afe0901dd02df568e3 956086 asterisk-dev_1.6.1.0~dfsg~rc3-1_all.deb
 aad723f365e5697ca6f0fa76a9216fa39ccffc8a 2493752 asterisk-sounds-main_1.6.1.0~dfsg~rc3-1_all.deb
 161f0486ceb4a5b4d5f4b5fc74cf7dc2a5cd6fb7 1025714 asterisk-config_1.6.1.0~dfsg~rc3-1_all.deb
 78049391aeb1b0b12b4083373f2e5d5071b4b31b 3565606 asterisk_1.6.1.0~dfsg~rc3-1_i386.deb
 36f6d455b1fff3dfb5c374cee8d77b28ff10ed8e 853172 asterisk-h423_1.6.1.0~dfsg~rc3-1_i386.deb
 e640ce81cc4e01164b817c08b6e675a6f1e72625 20166852 asterisk-dbg_1.6.1.0~dfsg~rc3-1_i386.deb
Checksums-Sha256: 
 cbed9aaf4fac3ca209913de2530daca5ff482f6744510e91cbcd4f4bdff1ca2d 2083 asterisk_1.6.1.0~dfsg~rc3-1.dsc
 6150b2ed0b5e4346576008df70c6dae7859674a0d96e6e9d6d78829c14bb8acf 7524009 asterisk_1.6.1.0~dfsg~rc3.orig.tar.gz
 c9c69811b4fa5625ed1fb30f0c0796df3af13520df49833748b164d1e7de7b88 54836 asterisk_1.6.1.0~dfsg~rc3-1.diff.gz
 3443253ff42ddaa68a5c744c5761f85cc9cb025222001a6c8ea09e3b34875281 1961022 asterisk-doc_1.6.1.0~dfsg~rc3-1_all.deb
 fde2ce5e3400e14d6955f1b6aea6b8cd736d8a8a2683d5e6040507bee097e6e6 45271920 asterisk-progdoc_1.6.1.0~dfsg~rc3-1_all.deb
 9064a0a96bd0e28f920540240ec2fc3ea27f81f755f89aadea8608f3f5caa0ef 956086 asterisk-dev_1.6.1.0~dfsg~rc3-1_all.deb
 0bf7a36260bdf263d378d760bb8792d31abfe6a6c3d1344b279e9478524eee13 2493752 asterisk-sounds-main_1.6.1.0~dfsg~rc3-1_all.deb
 635d6da83497357b5d7ea20b3a3b237f1a5175881fac0a7519046f0a93be7300 1025714 asterisk-config_1.6.1.0~dfsg~rc3-1_all.deb
 c5ea8c9124ab6a0cebf7e0358e654479c0be0549c4000fef2aa3985b41ef5c01 3565606 asterisk_1.6.1.0~dfsg~rc3-1_i386.deb
 ad9e84befa72d91f2b363d29251ffc66226f3af6ea7457daafb0cfe94a51d1be 853172 asterisk-h423_1.6.1.0~dfsg~rc3-1_i386.deb
 5da0a914b5abd0d06cd7806b1fddf337a30d1264f1b4ce3495a4e1db237cac70 20166852 asterisk-dbg_1.6.1.0~dfsg~rc3-1_i386.deb
Files: 
 31f860a64673d23c996eb7da90d76f6f 2083 comm optional asterisk_1.6.1.0~dfsg~rc3-1.dsc
 595f3417439126c306a711f45c0ae3e9 7524009 comm optional asterisk_1.6.1.0~dfsg~rc3.orig.tar.gz
 0ee6e34f6ed31157ca067b1b4792c481 54836 comm optional asterisk_1.6.1.0~dfsg~rc3-1.diff.gz
 db0e7704e7f256872449bae386c5b961 1961022 doc extra asterisk-doc_1.6.1.0~dfsg~rc3-1_all.deb
 2965931c971163d456a9f43703a709ee 45271920 doc extra asterisk-progdoc_1.6.1.0~dfsg~rc3-1_all.deb
 24bdc0e13f37bda5e1677fe2eaf6ee53 956086 devel extra asterisk-dev_1.6.1.0~dfsg~rc3-1_all.deb
 609fde3841adf6ede1566d261cf8edd1 2493752 comm optional asterisk-sounds-main_1.6.1.0~dfsg~rc3-1_all.deb
 42007bf68405bed70346667c674bbb89 1025714 comm optional asterisk-config_1.6.1.0~dfsg~rc3-1_all.deb
 e5301a84763bccd525e1a7983d308072 3565606 comm optional asterisk_1.6.1.0~dfsg~rc3-1_i386.deb
 365289f5c7d6e8d8744c135273bf76ff 853172 comm optional asterisk-h423_1.6.1.0~dfsg~rc3-1_i386.deb
 fefc338ce0668f63cab7d41af389ac1e 20166852 debug extra asterisk-dbg_1.6.1.0~dfsg~rc3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknPX6YACgkQoCzanz0IthK+YwCfYBEnGCjHm1E88h/yQ+N7PCAg
TTcAn3Z+UBRHIiXWdJTPtXCbA1zkdcKo
=fnmg
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Sep 2009 07:29:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:13:08 2019; Machine Name: beach
