Re: CVE Request -- Asterisk: AST-2012-002 and AST-2012-003 flaws

[Kurt Seifried <kseifried () redhat com>]

On 03/16/2012 05:47 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> 1) AST-2012-002:
>
> An out-of stack-based buffer write flaw was found in the way the Miliwatt
> application of the Asterisk, open source telephony toolkit, performed
> generation of constant audio tone at 1000Hz (the 'o' option) from certain,
> provided audio packets, when the 'internal_timing' Asterisk
> configuration file
> option was disabled. In this configuration, a remote attacker could
> provide a
> specially-crafted audio packet file, which once processed by the Miliwatt
> application would lead to that application crash, or, potentially arbitrary
> code execution with the privileges of the user running the application.
>
> Upstream security advisory:
> [1] http://downloads.asterisk.org/pub/security/AST-2012-002.pdf
>
> Asterisk v1.8.10.1 announcement:
> [2] http://www.asterisk.org/node/51797
>
> Upstream patch against the v1.8 branch:
> [3] http://downloads.asterisk.org/pub/security/AST-2012-002-1.8.diff
>
> References:
> [4] https://bugs.gentoo.org/show_bug.cgi?id=408431
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=804038

Please use CVE-2012-1183 for Asterisk AST-2012-002


> 2) AST-2012-003:
>
> A stack-based buffer overflow flaw was found in the way Asterisk Manager
> Interface of Asterisk, open source telephony toolkit, performed
> processing of
> certain HTTP Digest Authentication headers. A remote attacker,
> attempting to
> connect to the HTTP session could send a HTTP Digest Authentication
> header with
> specially-crafted values for certain fields, which once processed by the
> Asterisk parse digest authorization header functionality would lead to
> asterisk
> crash, or, potentially arbitrary code execution with the privileges of
> the user
> running the application.
>
> Upstream security advisory:
> [1] http://downloads.asterisk.org/pub/security/AST-2012-003.pdf
>
> Asterisk v1.8.10.1 announcement:
> [2] http://www.asterisk.org/node/51797
>
> Upstream patch against the v1.8 branch:
> [3] http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff
>
> References:
> [4] https://bugs.gentoo.org/show_bug.cgi?id=408431
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=804042
>
> Could you allocate two ids for these issues?


Please use CVE-2012-1184 for Asterisk AST-2012-003


> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: Cc-ed Matt Jordan of the Asterisk team, so once the ids are
> assigned, he
>       can update the advisories.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)