Bug#708674: asterisk: segfault when connecting to jabber server (security)

Ralf Schlatterbeck rsc at runtux.com
Fri May 17 15:40:53 UTC 2013


Package: asterisk
Version: 1:1.8.13.1~dfsg-3
Severity: important
Tags: patch

Dear Maintainer,

Bug #545272 has been closed because the fix was incorporated in
1:1.8.13.1~dfsg-2 but due to a decision by the release team as
documented in /usr/share/doc/asterisk/changelog.Debian.gz the fix was
reverted.

The changelog says the bug would be reopened.
But the bug was not re-opened as stated.

I don't understand the decision of the release-team as the issue is
security relevant. Someone controlling a jabber server to which asterisk
connects can make asterisk segfault. I've already stated this in Message
#25 of #545272.
Note that many people connect to outside servers like google talk.

Contrary to the title of Bug #545272 the problem also happens when the
jabber server is remote. The issue occurs if asterisk receives buddy
information from an unknown buddy and the search in the local buddy
database returns a NULL pointer.
The bug makes asterisk dereference that pointer and crash. This can
happen with both remote and local jabber servers.

Please fix this issue as a security upgrade!

And please don't make me code up an exploit.

For reference, the patch is here:
https://issues.asterisk.org/jira/secure/attachment/43441/xmpp_no_crash_with_ejabberd.patch

[short sidenote: Bug #701505, the fix for which was also reverted in
1:1.8.13.1~dfsg-3 and for which the changelog mentions that it would be
re-opened, is also still closed as of this writing; you may want to reopen it]

Thanks.
Ralf Schlatterbeck


-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages asterisk depends on:
ii  adduser                                       3.113+nmu3
ii  asterisk-config                               1:1.8.13.1~dfsg-3
ii  asterisk-core-sounds-en [asterisk-prompt-en]  1.4.22-1
ii  asterisk-core-sounds-en-gsm                   1.4.22-1
ii  asterisk-modules                              1:1.8.13.1~dfsg-3
ii  libc6                                         2.13-38
ii  libcap2                                       1:2.22-1.2
ii  libgcc1                                       1:4.7.2-5
ii  libssl1.0.0                                   1.0.1e-2
ii  libstdc++6                                    4.7.2-5
ii  libtinfo5                                     5.9-10
ii  libxml2                                       2.8.0+dfsg1-7+nmu1

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm                         2.03-1
ii  asterisk-voicemail [asterisk-voicemail-storage]  1:1.8.13.1~dfsg-3
ii  sox                                              14.4.0-3

Versions of packages asterisk suggests:
ii  asterisk-dahdi   1:1.8.13.1~dfsg-3
ii  asterisk-dev     1:1.8.13.1~dfsg-3
ii  asterisk-doc     1:1.8.13.1~dfsg-3
pn  asterisk-ooh323  <none>

-- no debconf information
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office at runtux.com
allmenda.com member                     email: rsc at allmenda.com
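
The failure mode described in the report (a buddy lookup that returns NULL for a sender the client does not know, followed by an unchecked dereference), sketched as an added example that is not part of the original message and is not Asterisk's code. The roster, the function names and the sample JIDs are all hypothetical.

```c
/* Added illustration; every name here is hypothetical, not Asterisk's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct buddy { const char *jid; int status; };

/* Constructed local roster: the only buddies this client knows. */
static struct buddy roster[] = {
    { "alice@example.org", 0 }, { "bob@example.org", 0 },
};
static unsigned long dropped_presence; /* unknown-sender counter for monitoring */

/* Returns NULL when the server names a JID that is not in the roster. */
static struct buddy *roster_find(const char *jid)
{
    if (jid == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof(roster) / sizeof(roster[0]); i++)
        if (strcmp(roster[i].jid, jid) == 0)
            return &roster[i];
    return NULL;
}

/* Pattern from the report: the lookup result is used unchecked, so a
 * presence update for an unknown JID writes through a NULL pointer. */
int handle_presence_unchecked(const char *from, int status)
{
    struct buddy *b = roster_find(from);
    b->status = status; /* NULL dereference when b == NULL */
    return 0;
}

/* Guarded form: the sender field is server-controlled input, so a missing
 * roster entry is an expected case that is counted and dropped. */
int handle_presence_checked(const char *from, int status)
{
    struct buddy *b = roster_find(from);
    if (b == NULL) {
        dropped_presence++;
        return -1;
    }
    b->status = status;
    return 0;
}

int main(void)
{
    int rc = handle_presence_checked("mallory@example.net", 1); /* not in roster */
    printf("rc=%d dropped=%lu\n", rc, dropped_presence);
    return 0;
}
```

The drop counter gives operators a signal when a server starts sending presence for senders the client never subscribed to.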


