Red Hat Bugzilla – Bug 516990
CVE-2009-2726 asterisk: Remote Crash Vulnerability in SIP channel driver (AST-2009-005)
Last modified: 2009-10-27 14:21:09 EDT
A remote DoS (stack memory exhaustion) flaw was discovered in asterisk. Quoting the upstream security advisory for further details:
On certain implementations of libc, the scanf family of functions uses an
unbounded amount of stack memory to repeatedly allocate string buffers
prior to conversion to the target type. Coupled with Asterisk's allocation
of thread stack sizes that are smaller than the default, an attacker may
exhaust stack memory in the SIP stack network thread by presenting
excessively long numeric strings in various fields.
Note that while this potential vulnerability has existed in Asterisk for a
very long time, it is only potentially exploitable in 1.6.1 and above,
since those versions are the first that have allowed SIP packets to exceed
1500 bytes total, which does not permit strings that are large enough to
crash Asterisk. (The number strings presented to us by the security
researcher were approximately 32,000 bytes long.)
Additionally note that while this can crash Asterisk, execution of
arbitrary code is not possible with this vector.
Upstream patches for various versions are linked from the upstream advisory.
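One way to defend against the failure mode the advisory describes is to cap the length of a numeric field before any conversion, so the parser's stack use stays constant however long the input is. The following is an added example, not code from Asterisk or from the upstream patches; `parse_numeric_field`, `is_lws` and the 10-digit cap are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NUM_DIGITS 10   /* assumed cap: longest 32-bit decimal value */

/* Linear whitespace that may surround a header value. */
static int is_lws(char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Parse an unsigned decimal field without the scanf family.
 * Returns 0 and stores the value on success; returns -1 if the field is
 * empty, has more than MAX_NUM_DIGITS digits, contains other characters,
 * or does not fit in 32 bits. Stack use does not depend on len. */
int parse_numeric_field(const char *field, size_t len, uint32_t *out)
{
    size_t i = 0, digits = 0;
    uint64_t value = 0;     /* 10 decimal digits cannot overflow 64 bits */

    while (i < len && is_lws(field[i]))
        i++;
    for (; i < len && isdigit((unsigned char)field[i]); i++) {
        if (++digits > MAX_NUM_DIGITS)
            return -1;      /* over-long digit run: reject immediately */
        value = value * 10 + (uint64_t)(field[i] - '0');
    }
    while (i < len && is_lws(field[i]))
        i++;
    if (digits == 0 || i != len || value > UINT32_MAX)
        return -1;
    *out = (uint32_t)value;
    return 0;
}

int main(void)
{
    static char big[32000]; /* constructed input, sized like the advisory's report */
    uint32_t v = 0;

    memset(big, '9', sizeof big);
    printf("short field: rc=%d\n", parse_numeric_field(" 1234\r\n", 7, &v));
    printf("value:       %u\n", (unsigned)v);
    printf("32000 bytes: rc=%d\n", parse_numeric_field(big, sizeof big, &v));
    return 0;
}
```

The over-long field is rejected after reading eleven digits, so the cost of a hostile value is bounded by the cap rather than by the packet size.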
asterisk-126.96.36.199-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Fixed asterisk packages are now in all current Fedora versions.