| Main Archive Page > Month Archives > oss-security archives |
Re: [oss-security] CVE Request -- Asterisk: AST-2012-002 and AST-2012-003 flaws
From: Matthew Jordan <mjordan_at_nospam>Date: Fri Mar 16 2012 - 20:24:14 GMT
To: Kurt Seifried <kseifried@redhat.com>
----- Original Message -----
> From: "Kurt Seifried" <kseifried@redhat.com>
> To: oss-security@lists.openwall.com
> Cc: "Jan Lieskovsky" <jlieskov@redhat.com>, "Steven M. Christey" <coley@linus.mitre.org>, "Matt Jordan"
> <mjordan@digium.com>
> Sent: Friday, March 16, 2012 12:57:15 PM
> Subject: Re: [oss-security] CVE Request -- Asterisk: AST-2012-002 and AST-2012-003 flaws
>
> On 03/16/2012 05:47 AM, Jan Lieskovsky wrote:
> > Hello Kurt, Steve, vendors,
> >
> > 1) AST-2012-002:
> >
> > An out-of stack-based buffer write flaw was found in the way the
> > Miliwatt
> > application of the Asterisk, open source telephony toolkit,
> > performed
> > generation of constant audio tone at 1000Hz (the 'o' option) from
> > certain,
> > provided audio packets, when the 'internal_timing' Asterisk
> > configuration file
> > option was disabled. In this configuration, a remote attacker could
> > provide a
> > specially-crafted audio packet file, which once processed by the
> > Miliwatt
> > application would lead to that application crash, or, potentially
> > arbitrary
> > code execution with the privileges of the user running the
> > application.
> >
> > Upstream security advisory:
> > [1] http://downloads.asterisk.org/pub/security/AST-2012-002.pdf
> >
> > Asterisk v1.8.10.1 announcement:
> > [2] http://www.asterisk.org/node/51797
> >
> > Upstream patch against the v1.8 branch:
> > [3]
> > http://downloads.asterisk.org/pub/security/AST-2012-002-1.8.diff
> >
> > References:
> > [4] https://bugs.gentoo.org/show_bug.cgi?id=408431
> > [5] https://bugzilla.redhat.com/show_bug.cgi?id=804038
>
> Please use CVE-2012-1183 for Asterisk AST-2012-002
>
>
> > 2) AST-2012-003:
> >
> > A stack-based buffer overflow flaw was found in the way Asterisk
> > Manager
> > Interface of Asterisk, open source telephony toolkit, performed
> > processing of
> > certain HTTP Digest Authentication headers. A remote attacker,
> > attempting to
> > connect to the HTTP session could send a HTTP Digest Authentication
> > header with
> > specially-crafted values for certain fields, which once processed
> > by the
> > Asterisk parse digest authorization header functionality would lead
> > to
> > asterisk
> > crash, or, potentially arbitrary code execution with the privileges
> > of
> > the user
> > running the application.
> >
> > Upstream security advisory:
> > [1] http://downloads.asterisk.org/pub/security/AST-2012-003.pdf
> >
> > Asterisk v1.8.10.1 announcement:
> > [2] http://www.asterisk.org/node/51797
> >
> > Upstream patch against the v1.8 branch:
> > [3]
> > http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff
> >
> > References:
> > [4] https://bugs.gentoo.org/show_bug.cgi?id=408431
> > [5] https://bugzilla.redhat.com/show_bug.cgi?id=804042
> >
> > Could you allocate two ids for these issues?
>
>
> Please use CVE-2012-1184 for Asterisk AST-2012-003
>
>
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Response Team
> >
> > P.S.: Cc-ed Matt Jordan of the Asterisk team, so once the ids are
> > assigned, he
> > can update the advisories.
>
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
Thanks Kurt. We'll get those added to the advisories right away.
Matthew Jordan
Digium, Inc. | Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org