Bug 783487 - (AST-2012-001, CVE-2012-0885) CVE-2012-0885 asterisk: Remote DoS while processing crypto line for media stream with non-existing RTP
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Depends On: 783490 783491
Reported: 2012-01-20 10:43 EST by Jan Lieskovsky
Modified: 2012-08-07 03:44 EDT
Fixed In Version: asterisk, asterisk 10.0.1
Doc Type: Bug Fix
Last Closed: 2012-08-07 03:44:58 EDT
Attachments: None
Description Jan Lieskovsky 2012-01-20 10:43:48 EST
A denial of service flaw was found in the way asterisk processed certain requests to negotiate a secure video stream when the res_srtp Asterisk module was loaded and video support was not enabled. A remote attacker could provide a specially-crafted media stream negotiation request which, once processed by Asterisk, would lead to a crash of the asterisk daemon while processing the crypto line for such a media stream.

[1] http://downloads.asterisk.org/pub/security/AST-2012-001.html
[2] https://issues.asterisk.org/jira/browse/ASTERISK-19202

Upstream patch against the v1.8.x branch:
[3] http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff

Upstream patch against the v1.10.x branch:
[4] http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff
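As an added illustration, and not Asterisk's code or the upstream patch linked above, the following hypothetical C model shows the check the report implies: an a=crypto: attribute may only be applied to a media stream that actually has an RTP instance, and a stream without one (video disabled) must be refused rather than dereferenced. The session, rtp_instance and process_sdp names, the SDP offer and the return codes are all assumptions made for this example.

```c
#include <string.h>
/* Hypothetical model, not Asterisk's code: a stream's RTP instance pointer
 * is NULL when that media type is disabled (here: video). */
struct rtp_instance { int srtp_enabled; };
struct session { struct rtp_instance *audio, *video; };
enum { SDP_OK = 0, SDP_CRYPTO_WITHOUT_RTP = -1, SDP_UNEXPECTED = -2 };
/* Walk the SDP body line by line, tracking the current m= section.  An
 * a=crypto: attribute is applied only to a stream that has an RTP instance;
 * for a stream without one (or before any m= line) it is rejected instead
 * of being dereferenced, which is the failure the report describes. */
static int process_sdp(struct session *s, const char *sdp)
{
    struct rtp_instance *cur = NULL;  /* RTP instance of the current m= section */
    for (const char *p = sdp; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *next = nl ? nl + 1 : p + len;
        if (len && p[len - 1] == '\r') len--;   /* tolerate CRLF line endings */
        if (len >= 8 && !strncmp(p, "m=audio ", 8)) cur = s->audio;
        else if (len >= 8 && !strncmp(p, "m=video ", 8)) cur = s->video;
        else if (len >= 9 && !strncmp(p, "a=crypto:", 9)) {
            if (!cur)
                return SDP_CRYPTO_WITHOUT_RTP;  /* the hardening check */
            cur->srtp_enabled = 1;
        }
        p = next;
    }
    return SDP_OK;
}

/* Constructed offer: audio and video streams, each with an SDES crypto line
 * (the key material is a placeholder, not a real key). */
static const char *offer =
    "v=0\r\n"
    "m=audio 4000 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY\r\n"
    "m=video 4002 RTP/SAVP 34\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY\r\n";

int offer_with_video_disabled(void)   /* no video RTP instance: line refused */
{
    struct rtp_instance audio = {0};
    struct session s = { &audio, NULL };
    return process_sdp(&s, offer);
}

int offer_with_video_enabled(void)    /* both streams exist: offer accepted */
{
    struct rtp_instance audio = {0}, video = {0};
    struct session s = { &audio, &video };
    int rc = process_sdp(&s, offer);
    return (rc == SDP_OK && audio.srtp_enabled && video.srtp_enabled) ? SDP_OK : SDP_UNEXPECTED;
}
```

With video support present both crypto lines are honoured; with it absent the same offer is rejected at the video crypto line instead of reaching a NULL instance.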
Comment 1 Jan Lieskovsky 2012-01-20 10:48:06 EST
This issue affects the versions of the asterisk package as shipped with Fedora releases 15 and 16. Please schedule an update.

This issue affects the version of the asterisk package as shipped with the Fedora EPEL 6 release. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-01-20 10:48:52 EST
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2012/01/20/16
Comment 3 Jan Lieskovsky 2012-01-20 10:49:45 EST
Created asterisk tracking bugs for this issue:

Affects: fedora-all [bug 783490]
Affects: epel-6 [bug 783491]
Comment 4 Jan Lieskovsky 2012-01-20 11:03:40 EST
The CVE identifier of CVE-2012-0885 has been assigned to this issue:
[6] http://www.openwall.com/lists/oss-security/2012/01/20/18
