Bug#380054: marked as done (CVE-2006-2898: Denial of service in Asterisk)

Thu, 27 Jul 2006 01:37:09 -0700 

Your message dated Thu, 27 Jul 2006 01:02:17 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#380054: fixed in asterisk 1:1.2.10.dfsg-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: asterisk
Version: 1.2.10.dfsg-1
Severity: grave
Tags: security patch

A problem has been discovered in the IAX2 channel driver of Asterisk,
an Open Source Private Branch Exchange and telephony toolkit, which
may allow a remote to cause au crash of the Asterisk server.

The patch used for security is attached.

Regards,

        Joey


-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.

#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_CVE-2006-2898.dpatch by Joey Schulze <[EMAIL PROTECTED]>
##
## DP: Bug in the IAX2 channel allows remote attackers to craft
## DP: a denial of service.

@DPATCH@
--- asterisk-1.0.7.dfsg.1.orig/channels/chan_iax2.c     2005-03-18 
18:30:05.000000000 +0100
 ++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c  2006-06-07 08:17:19.000000000 
+0200
@@ -5064,10 +5064,20 @@ static int socket_read(int *id, int fd, 
                return 1;
        }
        if ((vh->zeros == 0) && (ntohs(vh->callno) & 0x8000)) {
+               if (res < sizeof(*vh)) {
+                       ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' 
that is flagged as a mini video frame but is too short\n", ast_inet_ntoa(iabuf, 
sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
+                       return 1;
+                       
+               }
                /* This is a video frame, get call number */
                fr.callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, 
&sin, new, 1);
                minivid = 1;
-       } else if (meta->zeros == 0) {
+       } else if ((meta->zeros == 0) && !(ntohs(meta->metacmd) & 0x8000)) {
+               if (res < sizeof(*meta)) {
+                       ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' 
that is flagged as a meta frame but is too short\n", ast_inet_ntoa(iabuf, 
sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
+                       return 1;
+                       
+               }
                /* This is a meta header */
                switch(meta->metacmd) {
                case IAX_META_TRUNK:
@@ -5164,7 +5174,7 @@ static int socket_read(int *id, int fd, 
        if (iaxdebug)
                iax_showframe(NULL, fh, 1, &sin, res - sizeof(struct 
ast_iax2_full_hdr));
 #endif
-       if (ntohs(mh->callno) & IAX_FLAG_FULL) {
+       if ((res >= sizeof(*fh)) && ntohs(mh->callno) & IAX_FLAG_FULL) {
                /* Get the destination call number */
                dcallno = ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS;
                /* Retrieve the type and subclass */

--- End Message ---
--- Begin Message --- 
Source: asterisk
Source-Version: 1:1.2.10.dfsg-2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-bristuff_1.2.10.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-bristuff_1.2.10.dfsg-2_i386.deb
asterisk-classic_1.2.10.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-classic_1.2.10.dfsg-2_i386.deb
asterisk-config_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-config_1.2.10.dfsg-2_all.deb
asterisk-dev_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.2.10.dfsg-2_all.deb
asterisk-doc_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.2.10.dfsg-2_all.deb
asterisk-h323_1.2.10.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-h323_1.2.10.dfsg-2_i386.deb
asterisk-sounds-main_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.2.10.dfsg-2_all.deb
asterisk-web-vmail_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.2.10.dfsg-2_all.deb
asterisk_1.2.10.dfsg-2.diff.gz
  to pool/main/a/asterisk/asterisk_1.2.10.dfsg-2.diff.gz
asterisk_1.2.10.dfsg-2.dsc
  to pool/main/a/asterisk/asterisk_1.2.10.dfsg-2.dsc
asterisk_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk_1.2.10.dfsg-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <[EMAIL PROTECTED]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 27 Jul 2006 08:09:47 +0100
Source: asterisk
Binary: asterisk-h323 asterisk-web-vmail asterisk asterisk-classic asterisk-dev 
asterisk-doc asterisk-sounds-main asterisk-bristuff asterisk-config
Architecture: source all i386
Version: 1:1.2.10.dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[EMAIL PROTECTED]>
Changed-By: Mark Purcell <[EMAIL PROTECTED]>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX) - dummy package
 asterisk-bristuff - Open Source Private Branch Exchange (PBX) - 
BRIstuff-enabled vers
 asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium 
versi
 asterisk-config - config files for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-h323 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 380054
Changes: 
 asterisk (1:1.2.10.dfsg-2) unstable; urgency=high
 .
   * IAX2 channel driver security patch [CVE-2006-2898]
     - CVE-2006-2898: Denial of service in Asterisk (Closes: #380054)
Files: 
 b0e11e722ee819521836732debe2e71b 1396 comm optional asterisk_1.2.10.dfsg-2.dsc
 a1602686f0eac0457ac155b12c32cae5 162531 comm optional 
asterisk_1.2.10.dfsg-2.diff.gz
 37752761a6644ca4a6d78ee922aa817e 233576 comm optional 
asterisk_1.2.10.dfsg-2_all.deb
 652ba36efd5eddf5c5ad9e707127d545 19039512 doc optional 
asterisk-doc_1.2.10.dfsg-2_all.deb
 22690a91721ffe5d1fc9b1f8195e2d7e 155822 devel optional 
asterisk-dev_1.2.10.dfsg-2_all.deb
 e577eb1e234e034b7641562981645402 1486722 comm optional 
asterisk-sounds-main_1.2.10.dfsg-2_all.deb
 52553a985c047313db01f4bd7d2e111b 59920 comm optional 
asterisk-web-vmail_1.2.10.dfsg-2_all.deb
 01d8d08885dd9fbb4c04a9da26007b64 116734 comm optional 
asterisk-config_1.2.10.dfsg-2_all.deb
 65559e0427c68e45f994ff82fea04138 1595462 comm optional 
asterisk-classic_1.2.10.dfsg-2_i386.deb
 b01c77e324892be840f0c45ac1a96b51 1624752 comm optional 
asterisk-bristuff_1.2.10.dfsg-2_i386.deb
 7d038ceec949a675b37da6c1868ca0eb 116760 comm optional 
asterisk-h323_1.2.10.dfsg-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEyG4IoCzanz0IthIRAqcMAJoCP7J0j2IivR1dbh1yp9Qx1hQLRgCfVA/n
NVmgZwcHE+JcRjGzIMGF/Gs=
=ZVuc
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to