Bug#847666: asterisk: AST-2016-008: Crash on SDP offer or answer from endpoint using Opus

Salvatore Bonaccorso salvatore.bonaccorso at gmail.com
Mon Dec 12 16:21:18 UTC 2016


Hi Tzafrir,

On Mon, Dec 12, 2016 at 05:48:53PM +0200, Tzafrir Cohen wrote:
> On Sat, Dec 10, 2016 at 03:52:26PM +0100, Salvatore Bonaccorso wrote:
> > Source: asterisk
> > Version: 1:13.12.2~dfsg-1
> > Severity: grave
> > Tags: security upstream patch
> > Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-26579
> > 
> > Hi
> > 
> > AST-2016-008 was announced at
> > 
> > http://downloads.asterisk.org/pub/security/AST-2016-008.html
> > 
> > referencing patches as well for the 13.x release series.
> > 
> > https://issues.asterisk.org/jira/browse/ASTERISK-26579
> 
> The patch does not seem to apply to the Debian package due to
> opus.patch. It seems however that the original issue likewise doesn't,
> as the code from opus.patch uses a different parsing of the Opus SDP
> headers.
> 
> Attached a sipp scenario that crashes an unpatched upstream asterisk
> 13.13.0:
> 
>   sipp 127.0.0.1:5060 -sf SDP.xml -m 1
> 
> If anyone wants to give a second look to opus.patch (and maybe also
> amr.patch; vp8.patch looks more self-contained). The relevant upstream
> code must have had some extra checks at this point.
> 
> Could someone else please double-check before closing this one?

You seem to be right, but I'm not that confident with asterisk itself.
While the affected code is in the unpatched source (1:13.12.2~dfsg-1),
the opus.patch seems to remove the problematic bits from
http://downloads.asterisk.org/pub/security/AST-2016-008-13.diff which
seems to be the patch from upstream for the 13.x series.

The problematic function got removed with the update of opus.patch in
the packaging repository with commit
6400f660ec6b62b68b7df84e2df588552b7c1ad0 and thus should be fixed
already with the 1:13.12.1~dfsg-1 upload.

Am I correct?

Regards,
Salvatore


