Bug 670777 (AST-2011-001, CVE-2011-0495) - CVE-2011-0495 Asterisk: Stack-based buffer overflow by forming an outgoing SIP request with specially-crafted caller ID information (AST-2011-001)
Status: CLOSED ERRATA
Alias: AST-2011-001, CVE-2011-0495
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 670648
Depends On: 670779
Reported: 2011-01-19 11:00 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:42 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-03-15 18:20:08 UTC

Description Jan Lieskovsky 2011-01-19 11:00:31 UTC
A stack-based buffer overflow was found in the way Asterisk,
an open source telephony toolkit, encoded text strings to
their URI-encoded version, when forming an outgoing SIP
request. A remote, authenticated attacker could use this
flaw to cause the asterisk daemon to crash (denial of service) or,
potentially, execute arbitrary code with the privileges of
the user running asterisk via specially-crafted caller
ID information provided to Asterisk's URI encoding routine.

References:
[1] http://downloads.asterisk.org/pub/security/AST-2011-001.html
[2] http://seclists.org/fulldisclosure/2011/Jan/297
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610487

Upstream changesets:
[4] http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff
    (against v1.4 branch)
[5] http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff
    (against v1.6.1 branch)
[6] http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff
    (against v1.6.2 branch)
[7] http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff
    (against v1.8 branch)

Comment 1 Jan Lieskovsky 2011-01-19 11:06:09 UTC
This issue affects the versions of the asterisk package, as shipped
with Fedora releases 13 and 14.

This issue affects the version of the asterisk package, as present
within the EPEL-6 repository.

Please fix.

Comment 2 Jan Lieskovsky 2011-01-19 11:07:06 UTC
Created asterisk tracking bugs for this issue

Affects: fedora-all [bug 670779]

Comment 3 Jan Lieskovsky 2011-01-19 11:15:25 UTC
CVE Request:
[8] http://www.openwall.com/lists/oss-security/2011/01/19/2

Comment 4 Jan Lieskovsky 2011-01-19 13:05:18 UTC
The CVE identifier of CVE-2011-0495 has been assigned to this issue:
[9] http://www.openwall.com/lists/oss-security/2011/01/19/3

Comment 5 Vincent Danen 2011-01-20 18:46:20 UTC
The CVE description from MITRE indicates fixed versions and some further details:

Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.
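
The description and the CVE text above place the flaw in URI encoding, where each escaped byte becomes three output bytes. As an added illustration (not Asterisk's code and not the upstream patch; `uri_encode_bounded`, `uri_encode_max` and the sample caller ID are hypothetical), a bounded encoder that checks the remaining space before every write and fails closed:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not Asterisk's ast_uri_encode. */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Worst case: every input byte is escaped to %XX, plus the terminator. */
size_t uri_encode_max(size_t srclen) { return srclen * 3 + 1; }

/* Percent-encode src into out[outlen]. Returns 0, or -1 if it does not fit. */
int uri_encode_bounded(const char *src, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t used = 0;

    if (outlen == 0)
        return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        size_t need = is_unreserved(c) ? 1 : 3;
        /* Keep one byte for the terminator; check before writing anything. */
        if (need > outlen - 1 - used) {
            out[used] = '\0';
            return -1;  /* refuse instead of writing past the buffer */
        }
        if (need == 1) {
            out[used++] = (char)c;
        } else {
            out[used++] = '%';
            out[used++] = hex[c >> 4];
            out[used++] = hex[c & 0x0F];
        }
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    const char *cid = "\"Alice\" <1001>";  /* constructed sample caller ID */
    char small[16], big[64];
    printf("small: %d\n", uri_encode_bounded(cid, small, sizeof(small)));
    printf("big:   %d %s\n", uri_encode_bounded(cid, big, sizeof(big)), big);
    return 0;
}
```

Sizing the destination with `uri_encode_max(strlen(src))` removes the truncation case; a fixed-size stack buffer still needs the per-write check.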

Comment 6 Vincent Danen 2011-03-15 18:12:36 UTC
*** Bug 670648 has been marked as a duplicate of this bug. ***

Comment 7 Vincent Danen 2011-03-15 18:20:08 UTC
Current Asterisk in Fedora should correct this:

Fedora-13: asterisk-1.6.2.17-1.fc13
Fedora-14: asterisk-1.6.2.17-1.fc14
Fedora-15: asterisk-1.8.3-1.fc15
Fedora-Rawhide: asterisk-1.8.3-1.fc16

and in EPEL:

EPEL-6-testing: asterisk-1.8.3-1.el6

These versions also fix AST-2011-002 (CVE-2011-1147)

