asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request

Debian Bug report logs - #891227
asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request

Date: Fri, 23 Feb 2018 16:04:52 +0100

Source: asterisk
Version: 1:13.18.5~dfsg-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for asterisk.

CVE-2018-7284[0]:
| A Buffer Overflow issue was discovered in Asterisk through 13.19.1,
| 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk
| through 13.18-cert2. When processing a SUBSCRIBE request, the
| res_pjsip_pubsub module stores the accepted formats present in the
| Accept headers of the request. This code did not limit the number of
| headers it processed, despite having a fixed limit of 32. If more than
| 32 Accept headers were present, the code would write outside of its
| memory and cause a crash.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7284
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7284
[1] http://downloads.asterisk.org/pub/security/AST-2018-004.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 891227@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir@cohens.org.il>

To: Salvatore Bonaccorso <carnil@debian.org>, 891227@bugs.debian.org

Subject: Re: Bug#891227: asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request

Date: Sat, 24 Feb 2018 07:38:41 +0100

Hi,

On Fri, Feb 23, 2018 at 04:04:52PM +0100, Salvatore Bonaccorso wrote:
> Source: asterisk
> Version: 1:13.18.5~dfsg-1
> Severity: grave
> Tags: patch security upstream


> [0] https://security-tracker.debian.org/tracker/CVE-2018-7284
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7284
> [1] http://downloads.asterisk.org/pub/security/AST-2018-004.html
> 
> Please adjust the affected versions in the BTS as needed.

I'm still looking into this. For the record, there were six security
advisories reposrted by the Asterisk project for the recent release:

    - AST-2018-001 CVE-2018-7285: (Does not apply)
    - AST-2018-002: Crash when given an invalid SDP media format description
    - AST-2018-003: Crash with an invalid SDP fmtp attribute
    - AST-2018-004 CVE-2018-7284: Crash when receiving SUBSCRIBE request
      (Closes: #891227)
    - AST-2018-005 CVE-2018-7286: Crash when large numbers of TCP connections
      are closed suddenly (Closes: #891227)
    - AST-2018-006 CVE-2018-7287: WebSocket frames with 0 sized payload causes
      DoS

For 004 (this one) and 005 there are bugs. 001 does not apply to the
Debian package. I'm still looking at how those affect stable and
oldstable.

-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
tzafrir@debian.org    |                    | friend

Message #17 received at 891227@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir@cohens.org.il>

To: 891227@bugs.debian.org

Subject: Re: Bug#891227: asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request

Date: Sat, 24 Feb 2018 12:39:38 +0100

On Sat, Feb 24, 2018 at 07:38:41AM +0100, Tzafrir Cohen wrote:
> Hi,
> 
> On Fri, Feb 23, 2018 at 04:04:52PM +0100, Salvatore Bonaccorso wrote:
> > Source: asterisk
> > Version: 1:13.18.5~dfsg-1
> > Severity: grave
> > Tags: patch security upstream
> 
> 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7284
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7284
> > [1] http://downloads.asterisk.org/pub/security/AST-2018-004.html
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> I'm still looking into this. For the record, there were six security
> advisories reposrted by the Asterisk project for the recent release:
> 
>     - AST-2018-001 CVE-2018-7285: (Does not apply)
>     - AST-2018-002: Crash when given an invalid SDP media format description
>     - AST-2018-003: Crash with an invalid SDP fmtp attribute

Those two are fixed in pjproject (specifically in 2.7.2). And probably
need to be backported to Stretch as well.

>     - AST-2018-004 CVE-2018-7284: Crash when receiving SUBSCRIBE request
>       (Closes: #891227)
>     - AST-2018-005 CVE-2018-7286: Crash when large numbers of TCP connections
>       are closed suddenly (Closes: #891227)

Those two only apply to pjsip-related code. Thus they don't apply to
oldstable. AST-004 patch seems to apply as-is to Stretch. AST-005 patch
may require more work.

>     - AST-2018-006 CVE-2018-7287: WebSocket frames with 0 sized payload causes
>       DoS

Only applies to 15. I missed that.

-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
tzafrir@debian.org    |                    | friend

Message #22 received at 891227@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Tzafrir Cohen <tzafrir@cohens.org.il>, 891227@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: Re: Bug#891227: asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request

Date: Mon, 26 Feb 2018 08:17:14 +0100

Hi Tzafrir,

Sorry for the lack of earlier reply, cc'ing the security team alias.

On Sat, Feb 24, 2018 at 12:39:38PM +0100, Tzafrir Cohen wrote:
> On Sat, Feb 24, 2018 at 07:38:41AM +0100, Tzafrir Cohen wrote:
> > Hi,
> > 
> > On Fri, Feb 23, 2018 at 04:04:52PM +0100, Salvatore Bonaccorso wrote:
> > > Source: asterisk
> > > Version: 1:13.18.5~dfsg-1
> > > Severity: grave
> > > Tags: patch security upstream
> > 
> > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-7284
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7284
> > > [1] http://downloads.asterisk.org/pub/security/AST-2018-004.html
> > > 
> > > Please adjust the affected versions in the BTS as needed.
> > 
> > I'm still looking into this. For the record, there were six security
> > advisories reposrted by the Asterisk project for the recent release:
> > 
> >     - AST-2018-001 CVE-2018-7285: (Does not apply)
> >     - AST-2018-002: Crash when given an invalid SDP media format description
> >     - AST-2018-003: Crash with an invalid SDP fmtp attribute
> 
> Those two are fixed in pjproject (specifically in 2.7.2). And probably
> need to be backported to Stretch as well.

And I think those two are missing CVEs. I'm going to request two. I'm
though not sure if they would warrant a DSA.

For CVE-2018-7285 we reached same conclusion, that it only applies to
15.x.

> 
> >     - AST-2018-004 CVE-2018-7284: Crash when receiving SUBSCRIBE request
> >       (Closes: #891227)
> >     - AST-2018-005 CVE-2018-7286: Crash when large numbers of TCP connections
> >       are closed suddenly (Closes: #891227)
> 
> Those two only apply to pjsip-related code. Thus they don't apply to
> oldstable. AST-004 patch seems to apply as-is to Stretch. AST-005 patch
> may require more work.

Alright, thanks for working on it!

> >     - AST-2018-006 CVE-2018-7287: WebSocket frames with 0 sized payload causes
> >       DoS
> 
> Only applies to 15. I missed that.

Ack.

Regards,
Salvatore

Message #27 received at 891227-close@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>

To: 891227-close@bugs.debian.org

Subject: Bug#891227: fixed in asterisk 1:13.20.0~dfsg-1

Date: Tue, 03 Apr 2018 12:34:29 +0000

Source: asterisk
Source-Version: 1:13.20.0~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Apr 2018 10:59:20 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.20.0~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-tests - internal test modules of the Asterisk PBX
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 891227 891228
Changes:
 asterisk (1:13.20.0~dfsg-1) unstable; urgency=medium
 .
   * New upstream version 13.20.0 (Closes: #891227, #891228)
   * Reorganize upstream GPG keys
     - Split individual signing keys in separate files
     - Add new key for Ben Ford <bford@digium.com>: 0x073B0C1FC9B2E352
     - Add new key for Joshua Colp <jcolp@digium.com>:
       0xCDBEE4CC699E200EB4D46BB79E76E3A42341CE04
   * Fix missing/broken Closes: in previous changelog
   * Install realtime database schema into asterisk-doc
   * Point Vcs-* to salsa
Checksums-Sha1:
 b552791e29e539d5147d2a597ce1397c6431588b 4239 asterisk_13.20.0~dfsg-1.dsc
 a3fdada38e44765370c3c77cad24f688abec1b92 6275676 asterisk_13.20.0~dfsg.orig.tar.xz
 93ce3bfc83fdadfe6545f643aced8239d832b1e9 136328 asterisk_13.20.0~dfsg-1.debian.tar.xz
 4a929b8f51be364bd64fe882bbe2ed7b930916a6 27997 asterisk_13.20.0~dfsg-1_amd64.buildinfo
Checksums-Sha256:
 94773b221c73a63491e050b26214e901a4338abfff4dcbe6fc48a1a8566a96ef 4239 asterisk_13.20.0~dfsg-1.dsc
 e90da610ebeadb1cc5924a58b5bf962d3d660dcf0a2b7862504a6cc4e7e14d66 6275676 asterisk_13.20.0~dfsg.orig.tar.xz
 dad474a3483519aa1983156e80f9dc7410958d8d347962a1e5dc822e613b06bd 136328 asterisk_13.20.0~dfsg-1.debian.tar.xz
 64ac712184a00fc354ae017fd86e4f237f61a1c6ea641ab22f89f08ccdb7584c 27997 asterisk_13.20.0~dfsg-1_amd64.buildinfo
Files:
 e8a3da57b2a48aa64c789c692aae58a8 4239 comm optional asterisk_13.20.0~dfsg-1.dsc
 5794d9b469ed78fa0c2234129249d041 6275676 comm optional asterisk_13.20.0~dfsg.orig.tar.xz
 6598b3f0655200952dcd83a625db06dc 136328 comm optional asterisk_13.20.0~dfsg-1.debian.tar.xz
 af9b05c2e1b1a0266dd3daa31e298f30 27997 comm optional asterisk_13.20.0~dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlrDcZ0RHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJPQsQ//bPjCE9rZ0Jq6e2G9FxfKZQ8gKk5OFtnk
n9EK1Teezoqkrp4H09iKVPL4OIkz3cCwJJRqzZd506vVBoqyVcUuhxXQs50kE2Va
SJ+FY03zGNoajAmjJLkGBe35dxnABCmHMtFtoODubNBVB2+Bn4lO//Voz+b9Bmoa
QMCs1OkefHmnF2AcJkaf9E8GadM3FqPjr0NkoW/JP1h/tBRnA5clX/qNHO6rMUCI
nuwaZCAneuFRmxXtbUSvBGapObssenzyIFHU/HjWJSQxjexL5wDc8rVzg9ZUdBuh
4+izVe5ICHCbrBaRBfClG2rp4WtsfZxZ4Csylsb1j6ORmyyMvG+CEoSchjTnqvNR
oRb2RQzJr9odwPTaRLho0TPXflrmna80ByOSyuKbxmY/bgKjxGlAE+eZDk68Evvb
JjJKd+Dpl/VLXTvhlw+QeQF93R7E/mLVxMAteqrBhYzrMNUX/H+7vvauvoElczan
OYNqyP8Euy1CgJk7aeJYeqO6JEOrL+g3H8SYJRBlneaUdly7P/MVeB4TwGRwlryZ
ob2ikFTtGBljJg2j4LXpklrNRoRVdxmkeAOSOmz+gLAELa+h/mjPsqMybhxmPdYL
6ZkqKHOqBOeDuB+9Dn2CBjZGD0zhUWmLSa5FKKun5EnFHoOfdvkL+oQaIKINkFB6
1CD4hW+9YXU=
=rU52
-----END PGP SIGNATURE-----

Message #32 received at 891227-close@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>

To: 891227-close@bugs.debian.org

Subject: Bug#891227: fixed in asterisk 1:13.14.1~dfsg-2+deb9u4

Date: Sat, 20 Oct 2018 09:47:08 +0000

Source: asterisk
Source-Version: 1:13.14.1~dfsg-2+deb9u4

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Sep 2018 23:24:10 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.14.1~dfsg-2+deb9u4
Distribution: stretch-security
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 891227 891228 902954 909554
Changes:
 asterisk (1:13.14.1~dfsg-2+deb9u4) stretch-security; urgency=medium
 .
   * AST-2018-004 / CVE-2018-7284: Crash when receiving SUBSCRIBE request
     (Closes: #891227)
   * AST-2018-005 / CVE-2018-7286: Crash when large numbers of TCP connections
     are closed suddenly (Closes: #891228)
   * AST-2018-008 / CVE-2018-12227: PJSIP endpoint presence disclosure when
     using ACL (Closes: #902954)
   * AST-2018-009 / CVE-2018-17281: Remote crash vulnerability in HTTP
     websocket upgrade (Closes: #909554)
Checksums-Sha1:
 9a3d0f011044550d59f6bf8e2923c431397c4e2e 4133 asterisk_13.14.1~dfsg-2+deb9u4.dsc
 d5d169d9367ec8d67cc3aa9f07fed12d0400c050 154060 asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz
 64bbea1c48356a6dd0c687a3b1fcc939388260af 27619 asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo
Checksums-Sha256:
 fae9d4d830d8c45e6c294a27db8c8133bb84671e60a29876416abce9cabdc878 4133 asterisk_13.14.1~dfsg-2+deb9u4.dsc
 4a2bbbcd52004c4b3a5a829335737871f0f316cc5998f303b74243858c252255 154060 asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz
 ca23a882cdb0309c2f412598a28cddb950cdecae8acf80bb7d311b4332ac9301 27619 asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo
Files:
 8a617142c87fedca32b83bee1dab0c83 4133 comm optional asterisk_13.14.1~dfsg-2+deb9u4.dsc
 e6fe8549c46eefceb013bd4ff2fba769 154060 comm optional asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz
 b7e962fcb77a55234f6e21e240ede4b0 27619 comm optional asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlvDtFkRHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJOXlA//Wa/OyyBpgrTSLo0jtgPuvvkzQaUjai8Q
m00ggHJWacLlNj5fFHzUthWuoC26Sy31QziXfBoUBiJ/T8IMOruNh4cs5F0Uw/qA
14PO9irEivgq1aGzPMqJLMXiZofpJU3dz4Jm9hsGCZwtY9SX4k9UroMZYPxaUbIm
wCJ7c+ALOjv1U+aTDTWDQg8h4t1G6MdyBpaughVkuddfx0Sgxf17DNrbq1+OKpTC
P8Z7PAijrWZPuxMyvEkbF5UgbU4B3Kw28kymSMdJhMRHNEuAyE4EmDlnifSwo5a3
Z3O+lW8eN4Y+HhuwPQW+ILdzG/wM8LwBvtMxoF7dSxnh4kg7gWPO9LaQsmuhZoyn
bVrMmRG4M1hryu/1fUh45wH+xuY3ajYJ0G8LXhenyAILyazmI8PKwj7ZGr0JZCl7
bTKLU1rZ/DTuebMG3J6nw6+uykAezWClg/KI5jaZEchxv9eMg2HEigG7wGbDydwh
YmkD7h6NmpM2tw+7+DOoCJvtZWgNAY3vc+9dApGGDJeUVfDV1KfQPF7aSMCHKhF7
2WL9tpvVStVAvKUQUHKyz517eHPVE4GeejLVnwdB9kF2C0koEzfUbY5cFO1wW8Q0
Dt2/LKqa1W452g1iJadnDmIRx2Ry0rWXHQOOk74x3us+w6HLgp5AeAHbwbKecADa
UTCgAhtIYE8=
=m3FA
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.