CVE-2007-1594: Asterisk segfaults upon receipt of a certain SIP packet (SIP Response code 0)

Debian Bug report logs - #419820
Reported by: Frédéric Brière <fbriere@fbriere.net>

Date: Wed, 18 Apr 2007 04:54:02 UTC

Severity: critical

Tags: confirmed, security

Merged with 420864, 420865, 421467, 434886

Found in versions asterisk/1:1.2.13~dfsg-2, asterisk/1:1.4.2~dfsg-4, asterisk/1:1.0.7.dfsg.1-2

Fixed in versions 1:1.4.4.0~dfsg-1, 1:1.4.8~dfsg-1, 1:1.4.3~dfsg-1, 1:1.4.4~dfsg-1, 1:1.4.9~dfsg-1, 1:1.2.13~dfsg-2etch4, 1:1.0.7.dfsg.1-2sarge5

Done: Faidon Liambotis <paravoid@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#419820; Package asterisk.


Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Frédéric Brière <fbriere@fbriere.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-1594: Asterisk segfaults upon receipt of a certain SIP packet (SIP Response code 0)
Date: Wed, 18 Apr 2007 00:51:38 -0400

Package: asterisk
Version: 1:1.2.13~dfsg-2
Severity: important
Tags: security

I was a bit surprised to see this one show up again last week on LWN
with only Gentoo providing a fix.  Apparently, etch/lenny are affected,
but not sid.  (No word on sarge's 1.0 branch, though.)

From CVE-2007-1594:

  The handle_response function in chan_sip.c in Asterisk before 1.2.17
  and 1.4.x before 1.4.2 allows remote attackers to cause a denial of
  service (crash) via a SIP Response code 0 in a SIP packet.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-k7 (SMP w/1 CPU core)
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages asterisk depends on:
pn  asterisk-sounds       <none>             (no description available)
ii  libasound2            1.0.13-2           ALSA library
ii  libc6                 2.5-1              GNU C Library: Shared libraries
ii  libedit2              2.9.cvs.20050518-3 BSD editline and history libraries
ii  libexpat1             1.95.8-3.4         XML parsing C library - runtime li
ii  libgcc1               1:4.1.1-21         GCC support library
ii  libglib1.2            1.2.10-17          The GLib library of C routines
ii  libgsm1               1.0.10-13          Shared libraries for GSM speech co
ii  libgtk1.2             1.2.10-18          The GIMP Toolkit set of widgets fo
ii  libncurses5           5.5-5              Shared libraries for terminal hand
pn  libopenh423-1.13.2    <none>             (no description available)
pn  libpq3                <none>             (no description available)
pn  libpri1               <none>             (no description available)
pn  libpt-1.6.3           <none>             (no description available)
ii  libspeex1             1.1.12-3           The Speex Speech Codec
ii  libssl0.9.7           0.9.7k-3.1         SSL shared libraries
pn  libtonezone1          <none>             (no description available)
ii  libx11-6              2:1.0.3-7          X11 client-side library
ii  libxext6              1:1.0.3-2          X11 miscellaneous extension librar
ii  libxi6                1:1.0.1-4          X11 Input extension library
pn  unixodbc              <none>             (no description available)
ii  zlib1g                1:1.2.3-13         compression library - runtime

asterisk recommends no packages.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#419820; Package asterisk.


Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #10 received at 419820@bugs.debian.org:

From: Frédéric Brière <fbriere@fbriere.net>
To: 419820@bugs.debian.org
Subject: Re: CVE-2007-1594: Asterisk segfaults upon receipt of a certain SIP packet (SIP Response code 0)
Date: Wed, 18 Apr 2007 16:02:59 -0400

My apologies to the security team if I'm babbling nonsense, but
security-tracker shows CVE-2007-1594 as being fixed in etch's
1:1.2.13~dfsg-2, while the CVE claims this was only fixed in 1.2.17.  Is
this normal?

(Actually, from reading the bug report and the SVN changelog, it would
appear that this was only fixed on March 24 for the 1.2 branch, after
the latest 1.2.17 release.)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#419820; Package asterisk.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #15 received at 419820@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Frédéric Brière <fbriere@fbriere.net>
Cc: 419820@bugs.debian.org
Subject: Re: Bug#419820: CVE-2007-1594: Asterisk segfaults upon receipt of a certain SIP packet (SIP Response code 0)
Date: Wed, 18 Apr 2007 22:33:25 +0200

* Frédéric Brière:

> My apologies to the security team if I'm babbling nonsense, but
> security-tracker shows CVE-2007-1594 as being fixed in etch's
> 1:1.2.13~dfsg-2, while the CVE claims this was only fixed in 1.2.17.
> Is this normal?

No. 8-) At the bottom of the page, there is a table that lists the raw
data.

| The information above is based on the following data on fixed versions.
| 
| Package   Type   Release   Fixed Version  Urgency Origin Debian Bugs
| asterisk source (unstable) 1:1.4.2~dfsg-1 medium         419820
| asterisk source sarge      (not affected)

In this case, we forgot to include the epoch "1:" in the version
number, so the 1.2 version was wrongly marked as fixed.

Thanks for reporting this, and sorry to the Asterisk folks for
cluttering their bug report.



Tags added: pending Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (Wed, 25 Apr 2007 06:33:04 GMT).


Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility.


Notification sent to Frédéric Brière <fbriere@fbriere.net>:
Bug acknowledged by developer.


Message #22 received at 419820-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 419820-close@bugs.debian.org
Subject: Bug#419820: fixed in asterisk 1:1.4.3~dfsg-1
Date: Wed, 25 Apr 2007 08:32:05 +0000

Source: asterisk
Source-Version: 1:1.4.3~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.3~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.4.3~dfsg-1_all.deb
asterisk-dev_1.4.3~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.4.3~dfsg-1_all.deb
asterisk-doc_1.4.3~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.4.3~dfsg-1_all.deb
asterisk-h423_1.4.3~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.4.3~dfsg-1_i386.deb
asterisk-sounds-main_1.4.3~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.4.3~dfsg-1_all.deb
asterisk-web-vmail_1.4.3~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.4.3~dfsg-1_all.deb
asterisk_1.4.3~dfsg-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.4.3~dfsg-1.diff.gz
asterisk_1.4.3~dfsg-1.dsc
  to pool/main/a/asterisk/asterisk_1.4.3~dfsg-1.dsc
asterisk_1.4.3~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk_1.4.3~dfsg-1_i386.deb
asterisk_1.4.3~dfsg.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.4.3~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 419820@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 25 Apr 2007 16:47:31 +1000
Source: asterisk
Binary: asterisk-sounds-main asterisk-h423 asterisk-web-vmail asterisk asterisk-config asterisk-dev asterisk-doc
Architecture: source all i386
Version: 1:1.4.3~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - config files for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-h423 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 384674 419164 419820 420864 420866 420868
Changes: 
 asterisk (1:1.4.3~dfsg-1) unstable; urgency=high
 .
   * Urgency high as this fixes a number of Asterisk Security Advisories (ASA)
 .
   * New upstream release
     - [asteriskteam@digium.com: [asterisk-announce] ASA-2007-011: Multiple
     problems in SIP channel parser handling response codes] (Closes:
     #420864)
     - [asteriskteam@digium.com: [asterisk-announce] ASA-2007-012: Remote
     Crash Vulnerability in Manager Interface] (Closes: #420866)
     - [asteriskteam@digium.com: [asterisk-announce] ASA-2007-010: Two
     stack buffer overflows in SIP channel's T.38 SDP parsing code]
     (Closes: #420868)
     - CVE-2007-1594: Asterisk segfaults upon receipt of a certain SIP
     packet (SIP Response code 0) (Closes: #419820)
 .
   * Update debian/NEWS to broadcast the demise of bristuff
   * Asterisk-classic, asterisk-bristuff are depreciated
     - asterisk has circular Depends on asterisk-bristuff|asterisk-classic
     (Closes: #384674)
   * Ship UPGRADE.txt and refer to it in debian/NEWS
     - UPGRADE.txt cannot be found in any package (Closes: #419164)




Forcibly Merged 419820 420864 420865 421467 434886. Request was from Faidon Liambotis <paravoid@debian.org> to control@bugs.debian.org. (Wed, 22 Aug 2007 18:57:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#419820; Package asterisk.


Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #29 received at 419820@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: control@bugs.debian.org
Cc: 376767@bugs.debian.org, 376767-submitter@bugs.debian.org, 419820@bugs.debian.org, 419820-submitter@bugs.debian.org, 419370@bugs.debian.org, 419370-submitter@bugs.debian.org
Subject: Asterisk security bugs
Date: Mon, 27 Aug 2007 13:01:39 +0300

# ASA-2007-016, CVE-2007-3764
close 376767 1:1.2.13~dfsg-2etch4

# ASA-2007-011, CVE-2007-1594, CVE-2007-2297
close 419820 1:1.2.13~dfsg-2etch4
found 419820 1:1.0.7.dfsg.1-2
fixed 419820 1:1.0.7.dfsg.1-2sarge5

# CVE-2007-1306
close 419370 1:1.2.13~dfsg-2etch4
thanks

All of the known Asterisk security vulnerabilities (CVE-2007-1306,
CVE-2007-1561, CVE-2007-2294, CVE-2007-2297, CVE-2007-2488,
CVE-2007-3762, CVE-2007-3763 and CVE-2007-3764) are fixed in
1:1.2.13~dfsg-2etch4 for stable (etch), 1:1.0.7.dfsg.1-2sarge5 for
oldstable (sarge) and 1:1.4.11~dfsg.1 for unstable (sid).
Current testing (lenny) is still vulnerable, but this is the least of
its problems.
We are hoping to migrate the unstable version soon enough.

The relevant Debian Security Advisory is DSA 1358-1.

Regards,
Faidon



Bug marked as fixed in version 1:1.2.13~dfsg-2etch4, send any further explanations to Frédéric Brière <fbriere@fbriere.net> Request was from Faidon Liambotis <paravoid@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2007 10:16:32 GMT).


Bug marked as found in version 1:1.0.7.dfsg.1-2. Request was from Faidon Liambotis <paravoid@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2007 10:16:47 GMT).


Bug marked as fixed in version 1:1.0.7.dfsg.1-2sarge5. Request was from Faidon Liambotis <paravoid@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2007 10:16:51 GMT).


Message sent on to Frédéric Brière <fbriere@fbriere.net>:
Bug#419820.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:27:16 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:38:32 2019; Machine Name: buxtehude
