Bug#1068296: asterisk: The res_rtp_asterisk DTLS check against ICE candidates fails when it shouldn't
Oleksandr Kozmenko
support at qualityunit.com
Wed Apr 3 08:19:39 BST 2024
Package: asterisk
Version: 1:16.28.0~dfsg-0+deb11u4
Severity: important
Hello, dear Asterisk maintainers.
This is basically a copy of:
<https://github.com/asterisk/asterisk/issues/503>
The rtp->ice_active_remote_candidates container used to validate the source of incoming DTLS packets doesn't contain peer reflexive candidates discovered during negotiation. This is causing the check to fail where it shouldn't.
```
[2024-03-29 21:15:09.908] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 176.98.71.191:51192 dropped. Source not in ICE active candidate list.
```
The bug was introduced by the fix for CVE-2023-49786; I see it from the diff in
https://release.debian.org/proposed-updates/bullseye_diffs/asterisk_16.28.0~dfsg-0+deb11u4.debdiff
The fix for the bug was introduced in 20.5.2, in the unstable repo, but since this is basically
a regression, I believe it should be fixed in 16.28.0 too. So, what I see as a proper solution is cherry-picking:
<https://github.com/gtjoseph/asterisk/commit/041122c85ddf8609ce3ccb7920de4b3f3cd1ac6e>
```
$ uname -a
Linux prod-asterisk 5.10.0-28-cloud-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 GNU/Linux
```
Regards,
**Oleksandr Kozmenko**
**Server Administrator**
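
To gauge how many calls on a host hit the warning quoted in the report, its log line can be parsed and counted per source address and call ID. This is an added example, not part of the original report or of Asterisk; the function names are hypothetical, and the sample lines are constructed on the format of the quoted warning using documentation addresses.

```python
import re
from collections import Counter

# Matches the res_rtp_asterisk warning format quoted in the report.
DROP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+WARNING\[\d+\]"
    r"(?:\[(?P<call>C-[0-9a-fA-F]+)\])?:\s+"
    r"res_rtp_asterisk\.c:\d+\s+\w+:\s+"
    r"(?:(?P<uid>\S+):\s+)?"
    r"DTLS packet from (?P<src>\S+) dropped\. "
    r"Source not in ICE active candidate list\."
)

# Constructed sample input (not real log data).
SAMPLE_LOG = [
    "[2024-03-29 21:15:09.908] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 198.51.100.7:51192 dropped. Source not in ICE active candidate list.",
    "[2024-03-29 21:15:10.108] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 198.51.100.7:51192 dropped. Source not in ICE active candidate list.",
    "[2024-03-29 21:16:40.002] WARNING[1866391][C-00000006]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711747000.24: DTLS packet from 203.0.113.9:40000 dropped. Source not in ICE active candidate list.",
    "[2024-03-29 21:16:41.000] VERBOSE[1866391][C-00000006]: constructed unrelated line",
]

def parse_drops(lines):
    """Yield one dict per dropped-DTLS warning found in lines."""
    for line in lines:
        m = DROP_RE.match(line.strip())
        if not m:
            continue
        # rpartition keeps bracketed IPv6 hosts intact and splits off the port.
        host, _, port = m.group("src").rpartition(":")
        yield {"time": m.group("ts"), "call": m.group("call"),
               "channel": m.group("uid"), "host": host, "port": int(port)}

def summarize(lines):
    """Return (drop count per source host, set of affected call IDs)."""
    per_host, calls = Counter(), set()
    for drop in parse_drops(lines):
        per_host[drop["host"]] += 1
        if drop["call"]:
            calls.add(drop["call"])
    return per_host, calls

if __name__ == "__main__":
    hosts, calls = summarize(SAMPLE_LOG)
    for host, count in hosts.most_common():
        print(f"{host}: {count} dropped DTLS packet(s)")
    print("affected calls:", ", ".join(sorted(calls)))
```

Comparing the reported source hosts with the public addresses of known WebRTC clients helps separate drops caused by this regression from packets that really came from an unexpected source.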