ASTERWEB Blog

28Mag/17Off

AST-2017-003: Crash in PJSIP multi-part body parser

               Asterisk Project Security Advisory - AST-2017-003


         Product        Asterisk

         Summary        Crash in PJSIP multi-part body parser

    Nature of Advisory  Remote Crash

      Susceptibility    Remote Unauthenticated Sessions

         Severity       Critical

      Exploits Known    No

       Reported On      13 April, 2017

       Reported By      Sandro Gauci

        Posted On

     Last Updated On    April 13, 2017

     Advisory Contact   Mark Michelson <mark DOT michelson AT digium DOT

                        com>

         CVE Name       


    Description  The multi-part body parser in PJSIP contains a logical

                 error that can make certain multi-part body parts attempt

                 to read memory from outside the allowed boundaries. A

                 specially-crafted packet can trigger these invalid reads

                 and potentially induce a crash.                              


                 The issue is within the PJSIP project and not in Asterisk.

                 Therefore, the problem can be fixed without upgrading

                 Asterisk. However, we will be releasing a new version of

                 Asterisk where the bundled version of PJSIP has been

                 updated to have the bug patched.                             


                 If you are using Asterisk with chan_sip, this issue does

                 not affect you.                                              


    Resolution  We have submitted the error report to the PJProject

                maintainers and have coordinated a release...........         


                               Affected Versions

                         Product                       Release

                                                       Series

                  Asterisk Open Source                  11.x    Unaffected

                  Asterisk Open Source                  13.x    All versions

                  Asterisk Open Source                  14.x    All versions

                   Certified Asterisk                   13.13   All versions  


                                  Corrected In

                            Product                              Release

                     Asterisk Open Source                    13.15.1, 14.4.1

                      Certified Asterisk                       13.13-cert4    


                                    Patches

                 SVN URL                              Revision                


    Links  https://issues.asterisk.org/jira/browse/ASTERISK-26939             


    Asterisk Project Security Advisories are posted at

    http://www.asterisk.org/security                                          


    This document may be superseded by later versions; if so, the latest

    version will be posted at

    http://downloads.digium.com/pub/security/AST-2017-003.pdf and

    http://downloads.digium.com/pub/security/AST-2017-003.html                


                                Revision History

         Date           Editor                   Revisions Made

    13 April, 2017  Mark Michelson  Initial advisory created                  


               Asterisk Project Security Advisory - AST-2017-003

              Copyright (c) 2017 Digium, Inc. All Rights Reserved.

  Permission is hereby granted to distribute and publish this advisory in its

                           original, unaltered form.

Inserito in: Asterisk, Asterisk - Sicurezza Disabilita commenti
Commenti (0) Trackback (0)

Spiacenti, il modulo dei commenti è chiuso per ora.

Ancora nessun trackback.

» «

Pagine

Categorie

Blogroll

Archivio

Meta