asterisk: Two security issues: AST-2012-014 / AST-2012-015

Debian Bug report logs - #697230
asterisk: Two security issues: AST-2012-014 / AST-2012-015

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Wed, 02 Jan 2013 22:56:43 +0100

Package: asterisk
Severity: grave
Tags: security
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

the following vulnerabilities were published for asterisk.

CVE-2012-5976[0]:
Crashes due to large stack allocations when using TCP

CVE-2012-5977[1]:
Denial of Service Through Exploitation of Device State Caching

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2012-5976
[1] http://security-tracker.debian.org/tracker/CVE-2012-5977

Please adjust the affected versions in the BTS as needed.

According to the advisories all 1.8.x versions seems affected.

Regards,
Salvatore

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJQ5K0XAAoJEHidbwV/2GP+4kMQAL2fplVcLBKGn0a03HlCWMdm
Dc0uLrlaSG/YG5jCGOLwyNiNrL/+h4Y1Ld2AaHLInEvoHPTUO4GGTTkdUFWmMxpP
C8EyihsbG/bCYykimfLXBBp+4ndRvXY5akxGRVDLve06uy3NPlerqo6kbslBADgX
BSNRmYOE4J+Zpue2TkcmQSpeFeyClzFYA7viKJP7xXa9OqTCaC+yHRIQqxLOhQl6
9YiHuxaO0IbmeZmrbbrRzuO3qbM1QpRbvkL0Am2IOl4zcYzQGUd7FtbgadtPOL9k
qTwDM2xXNG/3HzbxInX0DnJoIl4tVxpMteNZBUzRrof3dvh7CU2d0Ql5k6GDAyau
r/yrA9SftFD7JZADQPmAT5LonwXplFvLE8AMBDaegeirrSbNayQVbxp4l5rxBpN7
4esfQrWJs0ecmPPCoHoST4uZgelFev7UHWpCE2spOVpBwxBkcDLm1Hl3w0r9WYlk
4ek+XlLPw/Rkhy/75jEBb/k73DTwXSwPX49jedOR1ysic9ADqu3SuYOVrX28/sCr
ZS6V1L5W2kkqETCrgl55jGqG8rJq2QsEMIzJ17HyIdpxe9IVdLzhSzf8yFUo2puG
O1fcqpUHK6uo4Jz8dcd1GnzsJzn/bU9FjczO6SzRMeyQt1fJZlssbQBtxSTuLgYm
MHbhYUTKLs372+Yr1/S5
=dP/T
-----END PGP SIGNATURE-----

Message #10 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>

To: Salvatore Bonaccorso <carnil@debian.org>, 697230@bugs.debian.org

Subject: Re: Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Mon, 7 Jan 2013 23:11:14 +0200

On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi,
> 
> the following vulnerabilities were published for asterisk.
> 
> CVE-2012-5976[0]:
> Crashes due to large stack allocations when using TCP
> 
> CVE-2012-5977[1]:
> Denial of Service Through Exploitation of Device State Caching

Both apply to th stable vrsion as well. I commited fixes to th SVN.
Working on building them.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir

Message #15 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>

To: team@security.debian.org, 697230@bugs.debian.org

Subject: Re: Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Tue, 8 Jan 2013 02:45:59 +0200

Hi,

On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi,
> 
> the following vulnerabilities were published for asterisk.
> 
> CVE-2012-5976[0]:
> Crashes due to large stack allocations when using TCP
> 
> CVE-2012-5977[1]:
> Denial of Service Through Exploitation of Device State Caching
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> 
> Please adjust the affected versions in the BTS as needed.
> 
> According to the advisories all 1.8.x versions seems affected.

Likewise is version 1.6.2 from Stable. I have fixes ready.

On a side note, I'm not sure why
https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
open. The respective bug has been closed:
As I mentioned before, I can change the default for alwaysauthreject,
I'm just not sure this should be done on a Stable package.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir

Message #20 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Tzafrir Cohen <tzafrir.cohen@xorcom.com>

Cc: team@security.debian.org, 697230@bugs.debian.org

Subject: Re: Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Tue, 8 Jan 2013 18:49:56 +0100

On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> Hi,
> 
> On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for asterisk.
> > 
> > CVE-2012-5976[0]:
> > Crashes due to large stack allocations when using TCP
> > 
> > CVE-2012-5977[1]:
> > Denial of Service Through Exploitation of Device State Caching
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > According to the advisories all 1.8.x versions seems affected.
> 
> Likewise is version 1.6.2 from Stable. I have fixes ready.

Ok, please upload to security-master once tests are sufficient.
 
> On a side note, I'm not sure why
> https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
> open. The respective bug has been closed:
> As I mentioned before, I can change the default for alwaysauthreject,
> I'm just not sure this should be done on a Stable package.

It's marked as 

        [squeeze] - asterisk <no-dsa> (minor issue; can be addressed through configuration)

The tracker is correct in so far, that this isn't fixed in squeeze through
a code fix. If you provide a short text what people need to modify in their
config we can add it to the DSA text and use this as the "fix" for stable.

Cheers,
        Moritz

Message #25 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir@cohens.org.il>

To: Moritz Mühlenhoff <jmm@inutil.org>

Cc: team@security.debian.org, 697230@bugs.debian.org

Subject: Re: Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Fri, 11 Jan 2013 23:00:30 +0000

On Tue, Jan 08, 2013 at 06:49:56PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> > Hi,
> > 
> > On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > > 
> > > Hi,
> > > 
> > > the following vulnerabilities were published for asterisk.
> > > 
> > > CVE-2012-5976[0]:
> > > Crashes due to large stack allocations when using TCP
> > > 
> > > CVE-2012-5977[1]:
> > > Denial of Service Through Exploitation of Device State Caching
> > > 
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > > 
> > > Please adjust the affected versions in the BTS as needed.
> > > 
> > > According to the advisories all 1.8.x versions seems affected.
> > 
> > Likewise is version 1.6.2 from Stable. I have fixes ready.
> 
> Ok, please upload to security-master once tests are sufficient.

Uploaded.

>  
> > On a side note, I'm not sure why
> > https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
> > open. The respective bug has been closed:
> > As I mentioned before, I can change the default for alwaysauthreject,
> > I'm just not sure this should be done on a Stable package.
> 
> It's marked as 
> 
>         [squeeze] - asterisk <no-dsa> (minor issue; can be addressed through configuration)
> 
> The tracker is correct in so far, that this isn't fixed in squeeze through
> a code fix. If you provide a short text what people need to modify in their
> config we can add it to the DSA text and use this as the "fix" for stable.

Here goes:

CVE-2011-2666 (AST-2011-011) is an advisory that containd two parts:
It is gnerally useful security-wise to provide the same answer upon
authntication whether or not the authntication failed due to a missing
bad username or a bad password (to prever enumerating existing users).
Asterisk has a setting called 'alwaysauthreject' in sip.conf to do that,
but up until 1.8 its value has defaulted to "no" (different answer).

The patch of CVE-2011-2666 fixed a case that even with this set to yes,
the response is different. This was fixed in 1.6.2.9-2+squeeze3 .
However in order to avoid breaking backward compatibility the default
has remained the same. Upstream developers strongly recommend that users
set 'alwaysauthreject=yes' in the section '[general]' of sip.conf.

-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
tzafrir@debian.org    |                    | friend

Message #30 received at 697230-close@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir@debian.org>

To: 697230-close@bugs.debian.org

Subject: Bug#697230: fixed in asterisk 1:1.6.2.9-2+squeeze9

Date: Sun, 13 Jan 2013 22:17:06 +0000

Source: asterisk
Source-Version: 1:1.6.2.9-2+squeeze9

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Jan 2013 00:46:31 +0200
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.6.2.9-2+squeeze9
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 697230
Changes: 
 asterisk (1:1.6.2.9-2+squeeze9) stable-security; urgency=high
 .
   * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
     - Patch AST-2012-014 (CVE-2012-5976) - Crashes due to large memory
       allocations when using TCP.
     - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
       Exploitation of Device State Caching.
Checksums-Sha1: 
 51164a25dfd69f05a323c25691f4ff1612bb46ca 2222 asterisk_1.6.2.9-2+squeeze9.dsc
 7f1c394e9206cef842ccc129113d245962aa61b2 114830 asterisk_1.6.2.9-2+squeeze9.debian.tar.gz
 f42e976deb274f306a12a7d4318f3b15ac65eb28 1707942 asterisk-doc_1.6.2.9-2+squeeze9_all.deb
 f4ed804b570f04fb8120862b3d8736e50db4a724 636486 asterisk-dev_1.6.2.9-2+squeeze9_all.deb
 b5446b8bc175ae3b08be94e11414165c47771f84 2186142 asterisk-sounds-main_1.6.2.9-2+squeeze9_all.deb
 b8df5fce9b1d6dd6b7f88f6f368cc5546806dc91 717616 asterisk-config_1.6.2.9-2+squeeze9_all.deb
 0fd6e88f4a8dbe5995683d2b6f4a93073fe791f8 3603188 asterisk_1.6.2.9-2+squeeze9_amd64.deb
 2d7176fa4469035bb8b94021afbec09be4e51626 534058 asterisk-h423_1.6.2.9-2+squeeze9_amd64.deb
 9deb886e122ee6533d93cddf43125475973fb194 20345324 asterisk-dbg_1.6.2.9-2+squeeze9_amd64.deb
Checksums-Sha256: 
 d4cde1fe011005315d647702e70fb21ab10539fb20b9bf7449e30fac5cacbc9c 2222 asterisk_1.6.2.9-2+squeeze9.dsc
 6bdcd29d87431f1df57b45ecc68d7893284f50657946744ffd47176291a5b3b3 114830 asterisk_1.6.2.9-2+squeeze9.debian.tar.gz
 76d6fdc0c0f34cc14d37567ec088f4a1421f0b8dd507b8d5add9d4dc8fa4e560 1707942 asterisk-doc_1.6.2.9-2+squeeze9_all.deb
 1addf55223a24d576e95110fa99faad64e6b65d0359e1122df88c08f15652159 636486 asterisk-dev_1.6.2.9-2+squeeze9_all.deb
 7bf64c3c5b4ee64de6c9d0165cd6fd9523d56ba52cc7ebb2f82cd1fb4cabaeea 2186142 asterisk-sounds-main_1.6.2.9-2+squeeze9_all.deb
 10fcf7c8da72148f406de352ec0e9439facb34ac97b2b3d3ecdf03dcd8821186 717616 asterisk-config_1.6.2.9-2+squeeze9_all.deb
 52619f94e03314b73ce7e95c711d6df0c6b186c5452f9b22102acb132f876272 3603188 asterisk_1.6.2.9-2+squeeze9_amd64.deb
 4eeef7a30bbf3777717502f56dab615661498a629a2fdfad6a0522de42fb49ea 534058 asterisk-h423_1.6.2.9-2+squeeze9_amd64.deb
 8a177931ee7582975df1b182cf300a18523201bd5566ebf7110e3f2c94f28def 20345324 asterisk-dbg_1.6.2.9-2+squeeze9_amd64.deb
Files: 
 7b20251ff3c1feecf908eea3e8a04b44 2222 comm optional asterisk_1.6.2.9-2+squeeze9.dsc
 20980bb2480a888dda7239d34d4aa71c 114830 comm optional asterisk_1.6.2.9-2+squeeze9.debian.tar.gz
 c9e9b5cdc30fbe0723a86a76203ed7d2 1707942 doc extra asterisk-doc_1.6.2.9-2+squeeze9_all.deb
 c8c768581c99f97ec08fe9c329353dde 636486 devel extra asterisk-dev_1.6.2.9-2+squeeze9_all.deb
 f6d68798cfb2103cb0e150cbb41ce8c1 2186142 comm optional asterisk-sounds-main_1.6.2.9-2+squeeze9_all.deb
 c0acea76fd5651801dfb57fb3e5623b6 717616 comm optional asterisk-config_1.6.2.9-2+squeeze9_all.deb
 e36525a11fc608838f3e631fc9e480dd 3603188 comm optional asterisk_1.6.2.9-2+squeeze9_amd64.deb
 0b5de9db378e3d798b9fa61629455731 534058 comm optional asterisk-h423_1.6.2.9-2+squeeze9_amd64.deb
 3a4de1ba33e6ee54db0dcc0ec7cf4bcf 20345324 debug extra asterisk-dbg_1.6.2.9-2+squeeze9_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDwkW8ACgkQxArWdkN9MoupYQCfbHK+mMfzVorIyWAxmn9vO/Kf
g0sAn1sK3rFRUYK6G0KESJQNrp3D2Yt3
=7Kur
-----END PGP SIGNATURE-----

Message #35 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>

To: 697230@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>

Subject: Re: Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Mon, 14 Jan 2013 16:54:07 +0200

On Fri, Jan 11, 2013 at 11:00:30PM +0000, Tzafrir Cohen wrote:
> On Tue, Jan 08, 2013 at 06:49:56PM +0100, Moritz Mühlenhoff wrote:
> > On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> > > Hi,
> > > 
> > > On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security
> > > > Justification: user security hole
> > > > 
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA512
> > > > 
> > > > Hi,
> > > > 
> > > > the following vulnerabilities were published for asterisk.
> > > > 
> > > > CVE-2012-5976[0]:
> > > > Crashes due to large stack allocations when using TCP
> > > > 
> > > > CVE-2012-5977[1]:
> > > > Denial of Service Through Exploitation of Device State Caching
> > > > 
> > > > If you fix the vulnerabilities please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > > > 
> > > > For further information see:
> > > > 
> > > > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > > > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > > > 
> > > > Please adjust the affected versions in the BTS as needed.
> > > > 
> > > > According to the advisories all 1.8.x versions seems affected.
> > > 
> > > Likewise is version 1.6.2 from Stable. I have fixes ready.
> > 
> > Ok, please upload to security-master once tests are sufficient.
> 
> Uploaded.

It seems that there has been a bug with the patch for Stable (#698112,
#698118):

  http://anonscm.debian.org/viewvc/pkg-voip?view=revision&revision=10073

I have prepared a fix for this (1:1.6.2.9-2+squeeze10).

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir

Message #40 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Javier Serrano Polo <javier@jasp.net>

To: 697230@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Mon, 14 Jan 2013 16:02:22 +0100

[Message part 1 (text/plain, inline)]

AST-2012-014: b/channels/chan_sip.c

@@ -3078,7 +3079,7 @@ static void *_sip_tcp_helper_thread(stru
 			req.socket.fd = tcptls_session->fd;
 
 			/* Read in headers one line at a time */
-			while (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4)) {
+			while ((req.len <= SIP_MAX_PACKET_SIZE) || (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4))) {
 				if (!tcptls_session->client && !authenticated ) {
 					if ((timeout = sip_check_authtimeout(start)) < 0) {
 						goto cleanup;

Are you sure? That size hint condition should be ANDed.

[smime.p7s (application/pkcs7-signature, attachment)]

Message #45 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>

To: javier--UfshIAPYmIqNpnQdQHBbjd2N1Llg6d@jasp.net, 697230@bugs.debian.org

Subject: Re: Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Mon, 14 Jan 2013 18:03:37 +0200

On Mon, Jan 14, 2013 at 04:02:22PM +0100, Javier Serrano Polo wrote:
> AST-2012-014: b/channels/chan_sip.c
> 
> @@ -3078,7 +3079,7 @@ static void *_sip_tcp_helper_thread(stru
>  			req.socket.fd = tcptls_session->fd;
>  
>  			/* Read in headers one line at a time */
> -			while (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4)) {
> +			while ((req.len <= SIP_MAX_PACKET_SIZE) || (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4))) {
>  				if (!tcptls_session->client && !authenticated ) {
>  					if ((timeout = sip_check_authtimeout(start)) < 0) {
>  						goto cleanup;
> 
> Are you sure? That size hint condition should be ANDed.

You're right.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir

Message #50 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: 697230@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Fri, 1 Mar 2013 17:53:18 +0100

found 697230 1:1.8.13.1~dfsg-1
thanks

On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi,
> 
> the following vulnerabilities were published for asterisk.
> 
> CVE-2012-5976[0]:
> Crashes due to large stack allocations when using TCP
> 
> CVE-2012-5977[1]:
> Denial of Service Through Exploitation of Device State Caching
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> 
> Please adjust the affected versions in the BTS as needed.
> 
> According to the advisories all 1.8.x versions seems affected.

This is still unfixed in sid!

Cheers,
        Moritz

Message #61 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Christian Staake <staaki@gmx.net>

To: 697230@bugs.debian.org

Subject: Re: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Fri, 08 Mar 2013 12:07:53 +0100

Hello,

why has this bug been marked as not found in the version in sid again? I 
can't see a new version of the package in the repository and it's still 
listed as vulnerable on security-tracker.debian.org.
As I'm currently using the version from squeeze-backports, I'd really 
like to see this fixed in sid (and then wheezy and then 
squeeze-backports, hopefully).

-- 
So long,
Christian.

Message #66 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 697230@bugs.debian.org, jmm@debian.org, tzafrir@debian.org

Subject: Re: Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Sat, 9 Mar 2013 19:20:44 +0100

Hi Tzafrir!

Are there news on this?

I have noticed that in the svn repository for asterisk there is
already:

asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high

  * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
    - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
      allocations when using TCP.
      The following two fixes were also pulled in order to easily apply it:
      - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
      - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
    - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
      Exploitation of Device State Caching

 -- Tzafrir Cohen <tzafrir@debian.org>  Tue, 08 Jan 2013 00:06:09 +0200

Could you have a look if there is only the upload missing?

Regards,
Salvatore

Message #73 received at 697230@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 697230@bugs.debian.org

Cc: jmm@debian.org, tzafrir@debian.org

Subject: Re: Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Date: Sun, 24 Mar 2013 07:56:24 +0100

Hi

On Sat, Mar 09, 2013 at 07:20:44PM +0100, Salvatore Bonaccorso wrote:
> Hi Tzafrir!
>
> Are there news on this?
>
> I have noticed that in the svn repository for asterisk there is
> already:
>
> asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
>
>   * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
>     - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
>       allocations when using TCP.
>       The following two fixes were also pulled in order to easily apply it:
>       - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
>       - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
>     - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
>       Exploitation of Device State Caching
>
>  -- Tzafrir Cohen <tzafrir@debian.org>  Tue, 08 Jan 2013 00:06:09 +0200
>
> Could you have a look if there is only the upload missing?

Ping? I'm asking again as the release of wheezy is getting nearer.

Regards,
Salvatore

Message #78 received at 697230-close@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir@debian.org>

To: 697230-close@bugs.debian.org

Subject: Bug#697230: fixed in asterisk 1:1.8.13.1~dfsg-2

Date: Sat, 06 Apr 2013 12:47:55 +0000

Source: asterisk
Source-Version: 1:1.8.13.1~dfsg-2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Apr 2013 14:15:41 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.13.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 545272 614786 697230 701505 704114
Changes: 
 asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
 .
   * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
     - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
       allocations when using TCP.
       The following two fixes were also pulled in order to easily apply it:
       - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
       - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
     - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
       Exploitation of Device State Caching
   * Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
   * README.Debian: document running the testsuite.
   * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
   * Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
     - Patch AST-2013-002 (CVE-2012-2686): Prevent DoS in HTTP server with
       a large POST.
     - Patch AST-2013-003 (CVE-2012-2264): Prevent username disclosure in
       SIP channel driver.
   * Patch bluetooth_bind - fix breakage of chan_mobile (Closes: #614786).
Checksums-Sha1: 
 44deeaec180e8ea1a8b5fadcb437b47f8e0a9210 2997 asterisk_1.8.13.1~dfsg-2.dsc
 47bf9b69eda991176312c44e547e18535e3d289f 383725 asterisk_1.8.13.1~dfsg-2.debian.tar.gz
 682838a4acda2dd6ac6815a1e0e10dbbdf14a773 1990642 asterisk-doc_1.8.13.1~dfsg-2_all.deb
 ecdd8185947fad10b842c43808f712fa10fb4147 958432 asterisk-dev_1.8.13.1~dfsg-2_all.deb
 8fa7dff25ed7098053ad52bb7c4816a20af44a58 999336 asterisk-config_1.8.13.1~dfsg-2_all.deb
 e0d01dfea3849b2231f4be962cd24d413d36a694 1773024 asterisk_1.8.13.1~dfsg-2_amd64.deb
 2fc7e7b14e54911abafe25b88a96846b7157a3ad 2835034 asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
 ad62ed168388d782add5a9a22b20c56572a326eb 924448 asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
 1402f4b7688da5eb8edb8632ff5013f9252ec365 693284 asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
 9ea2cc9639f3344f6af7745d9aec8cdf82025a1b 710612 asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
 42b7a0cd5d37eb16d02e2c60619b4f78428f4aeb 699496 asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
 1e2492cd001cc8bb145bf21ce4e3d9c5aa5e61d0 1037736 asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
 5b6d842fce8c1a512091cf89e28262a9d70c544e 632852 asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
 8e0bfa80bd7efa3e538d417da9349db2cac49c59 658036 asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
 55e6eb43719cfc7e398d16818f80d4d9f7ddbe80 646350 asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
 4bc9e9f3b1e262b4a18b1e9132ca8b9794378641 30063412 asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb
Checksums-Sha256: 
 89849cdc7dbfe6a58641d00f47451d8b14b33323d11869cffaf353cff7c3d324 2997 asterisk_1.8.13.1~dfsg-2.dsc
 164fa8209cf09ca0d55ccff68ca5c0106925fb859778e4cdb8c11db70ded35a4 383725 asterisk_1.8.13.1~dfsg-2.debian.tar.gz
 65fff2025ff9f2ca54ff831138f5fffc37c6468f718358b99694d350d384dd1d 1990642 asterisk-doc_1.8.13.1~dfsg-2_all.deb
 6973b0577ae30a7eb5fe06ef203011cd559f4e4b523549663c36122af1a0a3d5 958432 asterisk-dev_1.8.13.1~dfsg-2_all.deb
 2f0610a11d5cde2fc2a2250009040f7d2235d233ee0165cdda387ea9e1d09692 999336 asterisk-config_1.8.13.1~dfsg-2_all.deb
 2f0ae2081b1274aa63393fdde89c263885938da012cecb719e583f903c2fff95 1773024 asterisk_1.8.13.1~dfsg-2_amd64.deb
 15807f0011a6eaa52247e62cf7f53db2a0ebaae9ad036c5c326e587276d3bf2f 2835034 asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
 455b97dc22c5d1115e7f48a29f7682b71f52099c514df0f75944b1e86dfdae00 924448 asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
 729a9596ca446331d110aaf7abf20990e788ed5d0de7692af10b756432f2a7d8 693284 asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
 d26a732649fcb6977fb678741335ee58c7d2cf82ce5c7e6708a174ccb86a144e 710612 asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
 5a15ec459ef6c20a4a1ed87d1aff9f2ba43c60f750499f70518344c111a1d70c 699496 asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
 eccce382fd00fb608609fa9a2060f870348c99fb73f35766a3f67523ac16e65b 1037736 asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
 562d61c503610bcb0c68d1bdf8728ae448ef2c9c2a6665c5b7ce0a3773c15474 632852 asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
 e83d2c9aced0eef64dd9cb29d5104dd8bd88c9617e484bc4a6fedec47b99ea34 658036 asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
 1438f69b175baf1960ba7e8c8a2fe8453982d497f00197458a309ffd4f44c050 646350 asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
 88d736ece78908ab1788b4c6e21ec35417bdfb9b1c285c56fd93b2a2223adb72 30063412 asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb
Files: 
 6417f1680400a558fc88d1fe3489a158 2997 comm optional asterisk_1.8.13.1~dfsg-2.dsc
 e3e59cb57da45bfa59bd9d44e87fd8f9 383725 comm optional asterisk_1.8.13.1~dfsg-2.debian.tar.gz
 6621a43552c9007fe39a9d64f36e009e 1990642 doc extra asterisk-doc_1.8.13.1~dfsg-2_all.deb
 012ea04e3c90958b57f4f2af077a8e69 958432 devel extra asterisk-dev_1.8.13.1~dfsg-2_all.deb
 f335f94a1cce11392816b7984a455d6a 999336 comm optional asterisk-config_1.8.13.1~dfsg-2_all.deb
 e924e3d1ab119404299ef1626e5d9454 1773024 comm optional asterisk_1.8.13.1~dfsg-2_amd64.deb
 12ba4a5c0535905238d6e4b8da6ad666 2835034 libs optional asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
 ba55a3695011d6e53eb6a8cc15ea5402 924448 comm optional asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
 8946a745e196176c5991ac6249141427 693284 comm optional asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
 86992f9a500b3c59ae923a95f0683590 710612 comm optional asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
 705ced4dc7b61c1a74577ff9ec1a8b3d 699496 comm optional asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
 0ef84fe24f2c13ba539b59c6dbe9546b 1037736 comm optional asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
 29a7c7638b4f0d8a017c9dbf79f6c34f 632852 comm optional asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
 2273410dc983bcaac8506b64d6412b0d 658036 comm optional asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
 65ac1a8e20069544dbc588b523777c38 646350 comm optional asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
 9747dd54d35010cae24da3bab606187c 30063412 debug extra asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFgEIoACgkQxArWdkN9MoskNQCeKhYqVSoK9vwajzANRV322clg
dw0AoK3CX1VlQjzsJQ54lReRt6awxnyE
=pWhD
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.