AST-2009-002: Remote Crash Vulnerability in SIP channel driver

2009-03-11 00:00:00
vulners.com
           Asterisk Project Security Advisory - AST-2009-002

+-----------------------------------------------------------------------+
| Product            | Asterisk                                         |
|--------------------+--------------------------------------------------|
| Summary            | Remote Crash Vulnerability in SIP channel driver |
|--------------------+--------------------------------------------------|
| Nature of Advisory | Denial of Service                                |
|--------------------+--------------------------------------------------|
| Susceptibility     | Remote Authenticated Sessions                    |
|--------------------+--------------------------------------------------|
| Severity           | Moderate                                         |
|--------------------+--------------------------------------------------|
| Exploits Known     | No                                               |
|--------------------+--------------------------------------------------|
| Reported On        | February 6, 2009                                 |
|--------------------+--------------------------------------------------|
| Reported By        | bugs.digium.com user klaus3000                   |
|--------------------+--------------------------------------------------|
| Posted On          | March 10, 2009                                   |
|--------------------+--------------------------------------------------|
| Last Updated On    | March 10, 2009                                   |
|--------------------+--------------------------------------------------|
| Advisory Contact   | Joshua Colp <[email protected]>                    |
|--------------------+--------------------------------------------------|
| CVE Name           |                                                  |
+-----------------------------------------------------------------------+

+-----------------------------------------------------------------------+
| Description | When configured with pedantic=yes, the SIP channel      |
|             | driver performs extra request URI checking on an        |
|             | INVITE received as a result of a SIP spiral. As part    |
|             | of this extra checking, the headers of the outgoing     |
|             | SIP INVITE sent and of the received SIP INVITE are      |
|             | compared. The code assumes that the string for each     |
|             | header passed in is non-NULL in all cases, but when     |
|             | no headers are present the value passed in is NULL.     |
|             |                                                         |
|             | The values passed into the code are now checked to be   |
|             | non-NULL before being compared.                         |
+-----------------------------------------------------------------------+
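As an added illustration (not code from the Asterisk project or from this advisory), the C model below shows the header comparison the description refers to: a minimal header lookup that returns NULL when a header is absent from a raw INVITE, the comparison as the advisory describes it before the fix, and the NULL-checked form after it. The function names, the sample messages and the choice to treat a header missing on both sides as a match are assumptions.

```c
#include <string.h>
/* Constructed model of the pedantic INVITE check, not Asterisk's own
 * chan_sip.c; function names and message samples are assumptions. */

/* Copy the value of header `name` from a raw SIP message into buf and return
 * buf, or NULL when the header is absent: the input the original code missed. */
const char *find_header(const char *msg, const char *name, char *buf, size_t buflen)
{
    size_t nlen = strlen(name);
    const char *p = msg;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;                     /* skip space after colon */
            const char *e = strstr(v, "\r\n");
            size_t len = e ? (size_t)(e - v) : strlen(v);
            if (len >= buflen) len = buflen - 1;       /* truncate, never overflow */
            memcpy(buf, v, len);
            buf[len] = '\0';
            return buf;
        }
        p = strstr(p, "\r\n");                         /* advance to next line */
        if (p) p += 2;
    }
    return NULL;
}

/* Before the fix: strcmp() dereferences both pointers, so a spiralled INVITE
 * that lacks the header (NULL from the lookup) crashes the whole daemon. */
int header_match_vulnerable(const char *sent, const char *recvd)
{
    return strcmp(sent, recvd) == 0;
}

/* After the fix: test for NULL before any dereference. Treating "absent on
 * both sides" as a match is this example's choice, not the advisory's. */
int header_match_fixed(const char *sent, const char *recvd)
{
    if (!sent || !recvd) return sent == recvd;
    return strcmp(sent, recvd) == 0;
}

/* Pedantic check for one header: the value in the INVITE Asterisk sent must
 * agree with the value in the INVITE that came back. 1 = consistent, 0 = not. */
int pedantic_header_matches(const char *sent_invite, const char *recvd_invite, const char *name)
{
    char a[128], b[128];
    return header_match_fixed(find_header(sent_invite, name, a, sizeof a),
                              find_header(recvd_invite, name, b, sizeof b));
}
```

With the spiralled INVITE missing its Route header, the fixed path reports a mismatch instead of dereferencing NULL.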

+-----------------------------------------------------------------------+
| Resolution  | Upgrade to revision 174082 of the 1.4 branch, 174085    |
|             | of the 1.6.0 branch, 174086 of the 1.6.1 branch, or     |
|             | one of the releases noted below.                        |
|             |                                                         |
|             | The pedantic option in the SIP channel driver can also  |
|             | be turned off to prevent this issue from occurring.     |
+-----------------------------------------------------------------------+

+-----------------------------------------------------------------------+
| Affected Versions                                                     |
|----------------------------+---------+--------------------------------|
| Product                    |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Open Source       |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Open Source       |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Open Source       |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Open Source       |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Addons            |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Addons            |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Addons            |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Business Edition  |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Business Edition  |         |                                |
|----------------------------+---------+--------------------------------|
| Asterisk Business Edition  |         |                                |
|----------------------------+---------+--------------------------------|
| s800i (Asterisk Appliance) |         |                                |
+-----------------------------------------------------------------------+

+-----------------------------------------------------------------------+
| Corrected In                                                          |
|-------------------------------------------+---------------------------|
| Product                                   |                           |
|-------------------------------------------+---------------------------|
| Asterisk Open Source                      |                           |
|-------------------------------------------+---------------------------|
| Asterisk Open Source                      |                           |
|-------------------------------------------+---------------------------|
| Asterisk Open Source                      |                           |
|-------------------------------------------+---------------------------|
| Asterisk Business Edition                 |                           |
+-----------------------------------------------------------------------+

+-----------------------------------------------------------------------+
| Patches                                                               |
|------------------------------------------------------------------+----|
| URL                                                              |    |
|------------------------------------------------------------------+----|
| http://downloads.digium.com/pub/security/AST-2009-002-1.4.diff   |    |
|------------------------------------------------------------------+----|
| http://downloads.digium.com/pub/security/AST-2009-002-1.6.0.diff |    |
|------------------------------------------------------------------+----|
| http://downloads.digium.com/pub/security/AST-2009-002-1.6.1.diff |    |
+-----------------------------------------------------------------------+

+-----------------------------------------------------------------------+
| Links       | http://bugs.digium.com/view.php?id=14417                |
|             |                                                         |
|             | http://bugs.digium.com/view.php?id=13547                |
+-----------------------------------------------------------------------+

+-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                    |
| http://www.asterisk.org/security                                      |
|                                                                       |
| This document may be superseded by later versions; if so, the latest  |
| version will be posted at                                             |
| http://downloads.digium.com/pub/security/AST-2009-002.pdf and         |
| http://downloads.digium.com/pub/security/AST-2009-002.html            |
+-----------------------------------------------------------------------+

+-----------------------------------------------------------------------+
| Revision History                                                      |
|------------------+--------------------+-------------------------------|
| Date             |                    |                               |
|------------------+--------------------+-------------------------------|
| 2009-03-10       |                    |                               |
+-----------------------------------------------------------------------+
          Copyright (c) 2009 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.