asterisk: CVE-2017-9358: AST-2017-004: Memory exhaustion on short SCCP packets

Related Vulnerabilities: CVE-2017-9358  

Debian Bug report logs - #863906


Reported by: Bernhard Schmidt <berni@debian.org>

Date: Thu, 1 Jun 2017 19:39:04 UTC

Severity: critical

Tags: security

Found in version asterisk/1:13.0.0~dfsg-1

Fixed in version asterisk/1:13.14.1~dfsg-2

Done: Bernhard Schmidt <berni@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#863906; Package src:asterisk. (Thu, 01 Jun 2017 19:39:06 GMT)


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 01 Jun 2017 19:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: AST-2017-004: Memory exhaustion on short SCCP packets
Date: Thu, 01 Jun 2017 21:37:53 +0200
Package: src:asterisk
Version: 1:13.0.0~dfsg-1
Severity: critical
Tags: security


               Asterisk Project Security Advisory - AST-2017-004

          Product         Asterisk                                            
          Summary         Memory exhaustion on short SCCP packets             
     Nature of Advisory   Denial of Service                                   
       Susceptibility     Remote Unauthenticated Sessions                     
          Severity        Critical                                            
       Exploits Known     No                                                  
        Reported On       April 13, 2017                                      
        Reported By       Sandro Gauci                                        
         Posted On        
      Last Updated On     April 13, 2017                                      
      Advisory Contact    George Joseph <gjoseph AT digium DOT com>           
          CVE Name        

    Description  A remote memory exhaustion can be triggered by sending an    
                 SCCP packet to Asterisk system with “chan_skinny” enabled    
                 that is larger than the length of the SCCP header but        
                 smaller than the packet length specified in the header. The  
                 loop that reads the rest of the packet doesn’t detect that   
                 the call to read() returned end-of-file before the expected  
                 number of bytes and continues infinitely. The “partial       
                 data” message logging in that tight loop causes Asterisk to  
                 exhaust all available memory.                                

    Resolution  If support for the SCCP protocol is not required, remove or   
                disable the module.                                           
                                                                              
                If support for SCCP is required, an upgrade to Asterisk will  
                be necessary.                                                 

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             11.x       Unaffected               
         Asterisk Open Source             13.x       All versions             
         Asterisk Open Source             14.x       All versions             
          Certified Asterisk             13.13       All versions             

                                  Corrected In
                   Product                              Release               
             Asterisk Open Source                   13.15.1, 14.4.1           
              Certified Asterisk                      13.13-cert4             

                                    Patches
                  SVN URL                             Revision                

           Links         

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at http://downloads.digium.com/pub/security/.pdf   
    and http://downloads.digium.com/pub/security/.html                        

                                Revision History
          Date                Editor                  Revisions Made          
    13 April 2017      George Joseph          Initial report created          

                      Asterisk Project Security Advisory -
               Copyright © 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
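As an added example (not code from the advisory, from Asterisk or from the Debian package), the read loop below shows the handling the advisory says was missing: a read() that returns 0 (end-of-file) before the header's declared length has arrived must abort the message instead of looping and logging. The 8-byte header layout, the SCCP_MAX_PAYLOAD cap and the in-memory stream are assumptions made to keep the example self-contained; the real chan_skinny header and code differ.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Assumed, simplified header: 4-byte little-endian payload length plus 4
 * reserved bytes (the real chan_skinny header differs; layout is illustrative). */
#define SCCP_HDR_LEN     8
#define SCCP_MAX_PAYLOAD 1000

/* Byte source with read(2) semantics: >0 bytes read, 0 on EOF, <0 on error. */
typedef ssize_t (*read_fn)(void *ctx, void *buf, size_t len);

/* Read exactly `want` bytes. Returns 0 on success, -1 on error or on EOF before
 * `want` bytes arrived. The AST-2017-004 loop had this shape but did not stop
 * on res == 0, so a short packet kept it spinning (and logging) forever. */
static int read_exact(read_fn rd, void *ctx, unsigned char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t res = rd(ctx, buf + got, want - got);
        if (res <= 0) return -1;   /* error, or peer closed early: give up */
        got += (size_t)res;
    }
    return 0;
}

/* Returns payload length on success, -1 on short packet or read error, -2 if
 * the header claims more than the caller is willing to buffer. */
int sccp_read_message(read_fn rd, void *ctx, unsigned char *out, size_t outlen) {
    unsigned char hdr[SCCP_HDR_LEN];
    if (read_exact(rd, ctx, hdr, SCCP_HDR_LEN) < 0) return -1;
    uint32_t len = (uint32_t)hdr[0] | (uint32_t)hdr[1] << 8 |
                   (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    if (len > SCCP_MAX_PAYLOAD || len > outlen) return -2;
    return read_exact(rd, ctx, out, len) < 0 ? -1 : (int)len;
}

/* Constructed in-memory stream standing in for a TCP socket. */
struct mem_stream { const unsigned char *data; size_t len, pos; };
static ssize_t mem_read(void *ctx, void *buf, size_t len) {
    struct mem_stream *s = ctx;
    size_t left = s->len - s->pos, n = len < left ? len : left;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;             /* 0 once the buffer is drained, i.e. EOF */
}

/* Parse a packet held entirely in memory; same return values as above. */
int sccp_parse_bytes(const unsigned char *pkt, size_t pktlen) {
    unsigned char out[SCCP_MAX_PAYLOAD];
    struct mem_stream s = { pkt, pktlen, 0 };
    return sccp_read_message(mem_read, &s, out, sizeof out);
}
```

A packet that announces 16 payload bytes but carries only 2 now fails fast with -1 instead of tying up the reader thread.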



Changed Bug title to 'asterisk: CVE-2017-9358: AST-2017-004: Memory exhaustion on short SCCP packets' from 'AST-2017-004: Memory exhaustion on short SCCP packets'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Jun 2017 04:39:02 GMT)


Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Fri, 02 Jun 2017 13:06:07 GMT)


Notification sent to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer. (Fri, 02 Jun 2017 13:06:07 GMT)


Message #12 received at 863906-close@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: 863906-close@bugs.debian.org
Subject: Bug#863906: fixed in asterisk 1:13.14.1~dfsg-2
Date: Fri, 02 Jun 2017 13:03:39 +0000
Source: asterisk
Source-Version: 1:13.14.1~dfsg-2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863906@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 02 Jun 2017 14:40:15 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.14.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 860902 863906
Changes:
 asterisk (1:13.14.1~dfsg-2) unstable; urgency=high
 .
   [ Tzafrir Cohen ]
   * CVE-2017-9358 / AST-2017-004: Memory exhaustion on short SCCP packets
     (Closes: #863906)
   * Documentation updates in debian/:
     - d/p/test_framework.patch: no longer an upstream issue
     - d/asterisk-config-custom:
       - fix typo: buildbuildpackage (Closes: #860902)
       - add comment that dpkg-buildpackage comes from dpkg-dev





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:27:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:27 2019; Machine Name: buxtehude
