A flaw was discovered in Asterisk 13.x, 14.x, 15.x and 13.18. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash.
http://downloads.asterisk.org/pub/security/AST-2018-004-13.diff [Asterisk 13]
http://downloads.asterisk.org/pub/security/AST-2018-004-14.diff [Asterisk 14]
http://downloads.asterisk.org/pub/security/AST-2018-004-15.diff [Asterisk 15]
http://downloads.asterisk.org/pub/security/AST-2018-004-13.18.diff [Certified Asterisk 13.18]
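The bug class described above, as an added example that is not Asterisk's code or the upstream patch: a simplified C model of storing Accept values in a fixed 32-entry array, with the unbounded loop shown as a comment beside a bounded version. The names `accept_store`, `store_accept_formats` and `MAX_FORMAT_LEN` are hypothetical, and the 64-byte entry size is an assumption.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_ACCEPT 32      /* the fixed limit named in the advisory */
#define MAX_FORMAT_LEN 64  /* assumed per-entry size for this sketch */

struct accept_store {
    char formats[MAX_ACCEPT][MAX_FORMAT_LEN];
    size_t used;
};

/*
 * Unbounded pattern (comment only): the loop count comes from the request,
 * not from the capacity of the destination array, so entry 33 and later
 * land outside `formats`.
 *
 *   for (i = 0; i < n; i++)
 *       strcpy(st->formats[st->used++], values[i]);
 */

/* Bounded version: stores at most MAX_ACCEPT values and returns how many
 * were dropped, so the caller can log or reject the request. */
size_t store_accept_formats(struct accept_store *st,
                            const char *const *values, size_t n)
{
    size_t dropped = 0;

    st->used = 0;
    for (size_t i = 0; i < n; i++) {
        if (st->used >= MAX_ACCEPT) {   /* capacity check before every write */
            dropped++;
            continue;
        }
        /* snprintf truncates to the entry size and always NUL-terminates. */
        snprintf(st->formats[st->used], MAX_FORMAT_LEN, "%s", values[i]);
        st->used++;
    }
    return dropped;
}

int main(void)
{
    /* Constructed input: 40 Accept values, 8 more than the store holds. */
    const char *vals[40];
    struct accept_store st;
    for (size_t i = 0; i < 40; i++)
        vals[i] = "application/pidf+xml";
    size_t dropped = store_accept_formats(&st, vals, 40);
    printf("stored=%zu dropped=%zu\n", st.used, dropped);
    return 0;
}
```

A nonzero return value is a useful signal on its own: a SUBSCRIBE carrying more Accept values than the store can hold is worth logging.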
Created asterisk tracking bugs for this issue:
Affects: epel-6 [bug 1548131]
Affects: fedora-all [bug 1548132]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.