Bug 1187120 (CVE-2015-1558)

Summary: CVE-2015-1558 asterisk: file descriptor leak when incompatible codecs are offered (AST-2015-001)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: itamar, jeff, lmadsen, rbryant
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: asterisk 12.8.1, asterisk 13.1.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:50:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vasyl Kaigorodov 2015-01-29 11:42:53 UTC 
Asterisk may be configured to only allow specific audio or video codecs to be used when communicating with a particular endpoint. When an endpoint sends an SDP offer that only lists codecs not allowed by Asterisk, the offer is rejected. However, in this case, RTP ports that are allocated in the process are not reclaimed.

This issue only affects the PJSIP channel driver in Asterisk. Users of the chan_sip channel driver are not affected.

As the resources are allocated after authentication, this issue only affects communications with authenticated endpoints.

See also:
http://seclists.org/fulldisclosure/2015/Jan/116