Bug 783487 (AST-2012-001, CVE-2012-0885) - CVE-2012-0885 asterisk: Remote DoS while processing crypto line for media stream with non-existing RTP
Alias: AST-2012-001, CVE-2012-0885
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 783490 783491
Reported: 2012-01-20 15:43 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:50 UTC (History)

Fixed In Version: asterisk, asterisk 10.0.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-08-07 07:44:58 UTC


Description Jan Lieskovsky 2012-01-20 15:43:48 UTC
A denial of service flaw was found in the way Asterisk processed certain requests to negotiate a secure video stream when the res_srtp Asterisk module has been loaded and video support has not been enabled. A remote attacker could provide a specially crafted media stream negotiation request which, once processed by Asterisk, would lead to an asterisk daemon crash while processing the crypto line for such a media stream.

[1] http://downloads.asterisk.org/pub/security/AST-2012-001.html
[2] https://issues.asterisk.org/jira/browse/ASTERISK-19202

Upstream patch against the v1.8.x branch:
[3] http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff

Upstream patch against the v1.10.x branch:
[4] http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff
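A triage check for the condition described in this report, added here as an example and not code from Asterisk or from the reporter: it splits an SDP offer into its media sections and flags media types that carry a=crypto lines but are not enabled on the receiving host, which is the "crypto line for a media stream with no RTP instance" pattern that triggers the crash when res_srtp is loaded. The helper names and the sample SDP are constructed for illustration.

```python
from typing import Dict, List, Set

def parse_media_sections(sdp: str) -> List[Dict[str, object]]:
    """Split an SDP body into its m= sections, keeping each section's a= lines."""
    sections: List[Dict[str, object]] = []
    current = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            # m=<media> <port> <proto> <fmt ...>
            fields = line[2:].split()
            current = {"media": fields[0], "port": int(fields[1]), "attrs": []}
            sections.append(current)
        elif line.startswith("a=") and current is not None:
            current["attrs"].append(line[2:])  # session-level a= lines are ignored
    return sections

def crypto_offers(sdp: str) -> Dict[str, int]:
    """Map each media type to the number of a=crypto lines offered for it."""
    counts: Dict[str, int] = {}
    for sec in parse_media_sections(sdp):
        n = sum(1 for a in sec["attrs"] if a.startswith("crypto:"))
        if n:
            counts[sec["media"]] = counts.get(sec["media"], 0) + n
    return counts

def flag_unsupported_srtp(sdp: str, enabled_media: Set[str]) -> List[str]:
    """Media types offered with SRTP keys that this host has not enabled."""
    # With res_srtp loaded, a hit here is the advisory's crash condition.
    return sorted(m for m in crypto_offers(sdp) if m not in enabled_media)

# Constructed sample offer; the inline key material is a placeholder, not a real key.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=constructed sample
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL
a=rtpmap:0 PCMU/8000
m=video 4002 RTP/SAVP 96
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL
a=rtpmap:96 H264/90000
"""

if __name__ == "__main__":
    # Host with res_srtp loaded but video disabled: the video offer is flagged.
    print(flag_unsupported_srtp(SAMPLE_SDP, {"audio"}))  # ['video']
```

Running this over SIP INVITE bodies captured at the edge gives a quick inventory of which peers are offering SRTP for media types a given Asterisk host has disabled, which is useful both for prioritising the upgrade to a fixed version and for deciding whether res_srtp needs to stay loaded on that host.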

Comment 1 Jan Lieskovsky 2012-01-20 15:48:06 UTC
This issue affects the versions of the asterisk package, as shipped with Fedora releases 15 and 16. Please schedule an update.

This issue affects the version of the asterisk package, as shipped with the Fedora EPEL 6 release. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-01-20 15:48:52 UTC
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2012/01/20/16

Comment 3 Jan Lieskovsky 2012-01-20 15:49:45 UTC
Created asterisk tracking bugs for this issue

Affects: fedora-all [bug 783490]
Affects: epel-6 [bug 783491]

Comment 4 Jan Lieskovsky 2012-01-20 16:03:40 UTC
The CVE identifier of CVE-2012-0885 has been assigned to this issue:
[6] http://www.openwall.com/lists/oss-security/2012/01/20/18
