Bug 826474 (CVE-2012-2947)

Summary: CVE-2012-2947 asterisk: Remote crash in IAX2 channel driver (AST-2012-007)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: itamar, jeff, lmadsen, rbryant
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-19 21:53:32 UTC
Bug Depends On: 826478, 826479

Description Jan Lieskovsky 2012-05-30 09:52:00 UTC
A denial of service flaw was found in the way the Inter-Asterisk eXchange Version 2 (IAX2) channel driver of Asterisk, an open source telephony toolkit, processed established calls being placed in hold state without a suggested music class. When the mohinterpret=passthrough setting was enabled, a particular call was established, and that call was placed in hold state without a corresponding music-on-hold class name, Asterisk would dereference an invalid pointer for the music-on-hold class name, leading to a crash of the asterisk executable.

References:
[1] http://downloads.asterisk.org/pub/security/AST-2012-007.html
[2] https://bugs.gentoo.org/show_bug.cgi?id=418189

Upstream patch (against the v1.8.x branch):
[3] https://code.asterisk.org/code/rdiff/asterisk/branches/1.8/channels/chan_iax2.c?r1=366880&r2=367781&u&N

Upstream ticket:
[4] https://issues.asterisk.org/jira/browse/ASTERISK-19597

Important: Please note that the patches listed in the AST-2012-007 advisory [1]:
           http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff
           http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff
           http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff

are wrong (they are obviously the result of an advisory copy && paste issue, and
are valid for the previous AST-2012-006 case). The right patch is in [3] (for the 1.8.x branch).
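
A triage check for the two conditions this report ties together, added here as an example and not part of the original bug or of Asterisk: does a host's IAX2 configuration set mohinterpret=passthrough, and is the installed package older than the builds the Fedora Update System comments in this bug list as pushed to stable. It assumes the channel driver's configuration file is iax.conf and reads only explicit per-section settings; the function names, the sample configuration and the older package string are constructed for illustration.

```python
import re

# Builds this bug report lists as pushed to stable (Comments 4-7), by dist tag.
FIXED_BUILDS = {"fc17": "10.4.2", "fc16": "1.8.12.2",
                "fc15": "1.8.12.2", "el6": "1.8.12.2"}

def vtuple(version):
    return tuple(int(part) for part in version.split("."))

def is_fixed_build(nvr):
    """True/False for a dist tag named in the report, None for any other."""
    m = re.fullmatch(r"asterisk-([\d.]+)-\d+\.(\w+)", nvr)
    if not m or m.group(2) not in FIXED_BUILDS:
        return None
    # Numeric comparison only: a simplification of full RPM version ordering.
    return vtuple(m.group(1)) >= vtuple(FIXED_BUILDS[m.group(2)])

def passthrough_sections(conf_text):
    """Sections of an iax.conf that explicitly set mohinterpret=passthrough."""
    section, hits = None, []
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        value = value.lstrip(">").strip()        # accept both '=' and '=>'
        is_hit = sep and key.strip().lower() == "mohinterpret" and value.lower() == "passthrough"
        if is_hit and section not in hits:
            hits.append(section)
    return hits

def exposed_sections(nvr, conf_text):
    """Passthrough sections, unless the build is one the report lists as fixed."""
    return [] if is_fixed_build(nvr) else passthrough_sections(conf_text)

# Constructed sample configuration, not taken from any real system.
SAMPLE_CONF = """\
[general]
mohinterpret = passthrough   ; the setting named in the description
[trunk-a]
;mohinterpret=passthrough
mohinterpret => default
[trunk-b]
MohInterpret=PassThrough
"""

if __name__ == "__main__":
    print(exposed_sections("asterisk-1.8.11.0-1.fc16", SAMPLE_CONF))
```

A build whose dist tag is not named in this report is treated as not known fixed, so its passthrough sections are still reported.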

Comment 1 Jan Lieskovsky 2012-05-30 10:00:29 UTC
This issue affects the versions of the asterisk package, as shipped with Fedora releases 15 and 16. Please schedule an update.

--

This issue affects the version of the asterisk package, as shipped with Fedora EPEL 6. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-05-30 10:01:59 UTC
Created asterisk tracking bugs for this issue

Affects: fedora-all [bug 826478]
Affects: epel-6 [bug 826479]

Comment 3 Jan Lieskovsky 2012-05-30 10:03:40 UTC
Request to upstream to update AST-2012-007 patch links:
[5] http://www.openwall.com/lists/oss-security/2012/05/30/3

Comment 4 Fedora Update System 2012-06-10 01:36:17 UTC
asterisk-10.4.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2012-06-15 23:53:27 UTC
asterisk-1.8.12.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2012-06-15 23:54:09 UTC
asterisk-1.8.12.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2012-06-16 18:01:50 UTC
asterisk-1.8.12.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.