Bug#891227: asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request

Salvatore Bonaccorso carnil at debian.org
Mon Feb 26 07:17:14 UTC 2018


Hi Tzafrir,

Sorry for the lack of earlier reply, cc'ing the security team alias.

On Sat, Feb 24, 2018 at 12:39:38PM +0100, Tzafrir Cohen wrote:
> On Sat, Feb 24, 2018 at 07:38:41AM +0100, Tzafrir Cohen wrote:
> > Hi,
> > 
> > On Fri, Feb 23, 2018 at 04:04:52PM +0100, Salvatore Bonaccorso wrote:
> > > Source: asterisk
> > > Version: 1:13.18.5~dfsg-1
> > > Severity: grave
> > > Tags: patch security upstream
> > 
> > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-7284
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7284
> > > [1] http://downloads.asterisk.org/pub/security/AST-2018-004.html
> > > 
> > > Please adjust the affected versions in the BTS as needed.
> > 
> > I'm still looking into this. For the record, there were six security
> > advisories reported by the Asterisk project for the recent release:
> > 
> >     - AST-2018-001 CVE-2018-7285: (Does not apply)
> >     - AST-2018-002: Crash when given an invalid SDP media format description
> >     - AST-2018-003: Crash with an invalid SDP fmtp attribute
> 
> Those two are fixed in pjproject (specifically in 2.7.2). And probably
> need to be backported to Stretch as well.

And I think those two are missing CVEs. I'm going to request two. I'm
not sure, though, if they would warrant a DSA.

For CVE-2018-7285 we reached the same conclusion, that it only applies to
15.x.

> 
> >     - AST-2018-004 CVE-2018-7284: Crash when receiving SUBSCRIBE request
> >       (Closes: #891227)
> >     - AST-2018-005 CVE-2018-7286: Crash when large numbers of TCP connections
> >       are closed suddenly (Closes: #891227)
> 
> Those two only apply to pjsip-related code. Thus they don't apply to
> oldstable. AST-004 patch seems to apply as-is to Stretch. AST-005 patch
> may require more work.

Alright, thanks for working on it!

> >     - AST-2018-006 CVE-2018-7287: WebSocket frames with 0 sized payload causes
> >       DoS
> 
> Only applies to 15. I missed that.

Ack.

Regards,
Salvatore


