The following flaw was found in Asterisk:
If no UDPTL packets are lost there is no problem. However, a lost packet causes Asterisk to use the available error correcting redundancy packets. If those redundancy packets have zero length then Asterisk uses an uninitialized buffer pointer and length value which can cause invalid memory accesses later when the packet is copied.
Created asterisk tracking bugs for this issue:
Affects: fedora-all [bug 1306619]
Affects: epel-6 [bug 1306620]
This has been corrected in Rawhide with the 13.7.2 release, and also pushed to the Fedora 23 and Fedora 22 testing-updates repositories.
I'm working on updating the EPEL 6 package now.
CVE assignment information from upstream: