Date: Fri, 16 Mar 2012 11:57:15 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Matt Jordan <mjordan@...ium.com> Subject: Re: CVE Request -- Asterisk: AST-2012-002 and AST-2012-003 flaws On 03/16/2012 05:47 AM, Jan Lieskovsky wrote: > Hello Kurt, Steve, vendors, > > 1) AST-2012-002: > > An out-of stack-based buffer write flaw was found in the way the Miliwatt > application of the Asterisk, open source telephony toolkit, performed > generation of constant audio tone at 1000Hz (the 'o' option) from certain, > provided audio packets, when the 'internal_timing' Asterisk > configuration file > option was disabled. In this configuration, a remote attacker could > provide a > specially-crafted audio packet file, which once processed by the Miliwatt > application would lead to that application crash, or, potentially arbitrary > code execution with the privileges of the user running the application. > > Upstream security advisory: >  http://downloads.asterisk.org/pub/security/AST-2012-002.pdf > > Asterisk v184.108.40.206 announcement: >  http://www.asterisk.org/node/51797 > > Upstream patch against the v1.8 branch: >  http://downloads.asterisk.org/pub/security/AST-2012-002-1.8.diff > > References: >  https://bugs.gentoo.org/show_bug.cgi?id=408431 >  https://bugzilla.redhat.com/show_bug.cgi?id=804038 Please use CVE-2012-1183 for Asterisk AST-2012-002 > 2) AST-2012-003: > > A stack-based buffer overflow flaw was found in the way Asterisk Manager > Interface of Asterisk, open source telephony toolkit, performed > processing of > certain HTTP Digest Authentication headers. A remote attacker, > attempting to > connect to the HTTP session could send a HTTP Digest Authentication > header with > specially-crafted values for certain fields, which once processed by the > Asterisk parse digest authorization header functionality would lead to > asterisk > crash, or, potentially arbitrary code execution with the privileges of > the user > running the application. > > Upstream security advisory: >  http://downloads.asterisk.org/pub/security/AST-2012-003.pdf > > Asterisk v220.127.116.11 announcement: >  http://www.asterisk.org/node/51797 > > Upstream patch against the v1.8 branch: >  http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff > > References: >  https://bugs.gentoo.org/show_bug.cgi?id=408431 >  https://bugzilla.redhat.com/show_bug.cgi?id=804042 > > Could you allocate two ids for these issues? Please use CVE-2012-1184 for Asterisk AST-2012-003 > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team > > P.S.: Cc-ed Matt Jordan of the Asterisk team, so once the ids are > assigned, he > can update the advisories. -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ