Debian Bug report logs - #675210
asterisk: AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny

version graph

Package: asterisk; Maintainer for asterisk is Debian VoIP Team <>; Source for asterisk is src:asterisk.

Reported by: Tzafrir Cohen <>

Date: Wed, 30 May 2012 14:39:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version asterisk/1:

Fixed in versions 1:, asterisk/1:

Done: Tzafrir Cohen <>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to,,, Debian VoIP Team <>:
Bug#675210; Package asterisk. (Wed, 30 May 2012 14:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tzafrir Cohen <>:
New Bug report received and forwarded. Copy sent to,, Debian VoIP Team <>. (Wed, 30 May 2012 14:39:04 GMT) Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Tzafrir Cohen <>
To: Debian Bug Tracking System <>
Subject: asterisk: AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny
Date: Wed, 30 May 2012 17:36:04 +0300
Package: asterisk
Version: 1:
Severity: grave
Tags: upstream patch security
Justification: user security hole

When a skinny session is unregistered, the corresponding device pointer
is set to NULL in the channel private data.  If the client was not in
the on-hook state at the time the connection was closed, the device
pointer can later be dereferenced if a message or channel event attempts
to use a line's pointer to said device.

The patches prevent this from occurring by checking the line's pointer
in message handlers and channel callbacks that can fire after an
unregistration attempt.

Expliting this requires an established Skinny session, which implies a
configured Skinny (SCCP) device. If you have no idea what this means,
you don't have one.

For Wheezy and Sid, is to be used. For Squeeze, Upstream's
patch has been adapted and is included in the pkg-voip SVN.

-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Reply sent to Debian FTP Masters <>:
You have taken responsibility. (Tue, 05 Jun 2012 09:19:57 GMT) Full text and rfc822 format available.

Notification sent to Tzafrir Cohen <>:
Bug acknowledged by developer. (Tue, 05 Jun 2012 09:20:03 GMT) Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Debian FTP Masters <>
Subject: asterisk_1.8.13.0~dfsg-1_amd64.changes ACCEPTED into unstable
Date: Tue, 5 Jun 2012 11:47:14 +0300
Version: 1:

(There has been a typo in the changelog. s/#67521/#675210/. Manually

  to main/a/asterisk/asterisk-config_1.8.13.0~dfsg-1_all.deb
  to main/a/asterisk/asterisk-dahdi_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-dev_1.8.13.0~dfsg-1_all.deb
  to main/a/asterisk/asterisk-doc_1.8.13.0~dfsg-1_all.deb
  to main/a/asterisk/asterisk-mobile_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-modules_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-mp3_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-mysql_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-ooh323_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-imapstorage_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-odbcstorage_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk_1.8.13.0~dfsg-1.debian.tar.gz
  to main/a/asterisk/asterisk_1.8.13.0~dfsg-1.dsc
  to main/a/asterisk/asterisk_1.8.13.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk_1.8.13.0~dfsg.orig.tar.gz

asterisk (1: unstable; urgency=high
  * New upstream release.
    - AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without
      suggested MOH class crash (Closes: #675204).
    - AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny
      (Closes: #67521).
    - Patch gmime2.6 removed: merged upstream.
    - Patch sparc32_disable removed: hacks removed from Upstream Makefile.
  * Also pass LDFLAGS to menuselect (Closes: #664086 for real).
  * Fully strip-out the ilbc code (Closes: #665938, #665937).
    - Patch ilbc_disable to fix the build.
  * Patch httpd_port: Fix port number of Asterisk httpd.
  * While we're at it: Closes: #606959, which is a non-issue.

Override entries for your package:
asterisk-config_1.8.13.0~dfsg-1_all.deb - optional comm
asterisk-dahdi_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-dbg_1.8.13.0~dfsg-1_amd64.deb - extra debug
asterisk-dev_1.8.13.0~dfsg-1_all.deb - extra devel
asterisk-doc_1.8.13.0~dfsg-1_all.deb - extra doc
asterisk-mobile_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-modules_1.8.13.0~dfsg-1_amd64.deb - optional libs
asterisk-mp3_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-mysql_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-ooh323_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-voicemail-imapstorage_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-voicemail-odbcstorage_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-voicemail_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk_1.8.13.0~dfsg-1.dsc - source comm
asterisk_1.8.13.0~dfsg-1_amd64.deb - optional comm

Announcing to
Closing bugs: 606959 664086 665937 665938 675204 67521 

Thank you for your contribution to Debian.

Pkg-voip-maintainers mailing list

Reply sent to Tzafrir Cohen <>:
You have taken responsibility. (Tue, 12 Jun 2012 21:19:42 GMT) Full text and rfc822 format available.

Notification sent to Tzafrir Cohen <>:
Bug acknowledged by developer. (Tue, 12 Jun 2012 21:19:44 GMT) Full text and rfc822 format available.

Message #15 received at (full text, mbox):

From: Tzafrir Cohen <>
Subject: Bug#675210: fixed in asterisk 1:
Date: Tue, 12 Jun 2012 21:02:18 +0000
Source: asterisk
Source-Version: 1:

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

  to main/a/asterisk/asterisk-config_1.6.2.9-2+squeeze6_all.deb
  to main/a/asterisk/asterisk-dbg_1.6.2.9-2+squeeze6_amd64.deb
  to main/a/asterisk/asterisk-dev_1.6.2.9-2+squeeze6_all.deb
  to main/a/asterisk/asterisk-doc_1.6.2.9-2+squeeze6_all.deb
  to main/a/asterisk/asterisk-h323_1.6.2.9-2+squeeze6_amd64.deb
  to main/a/asterisk/asterisk-sounds-main_1.6.2.9-2+squeeze6_all.deb
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze6.debian.tar.gz
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze6.dsc
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze6_amd64.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Tzafrir Cohen <> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA1

Format: 1.8
Date: Wed, 30 May 2012 15:01:36 +0300
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <>
Changed-By: Tzafrir Cohen <>
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 675204 675210
 asterisk (1: stable-security; urgency=high
   * Patch AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without
     suggested MOH class crash (Closes: #675204).
   * Patch AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny
     (Closes: #675210).
     - Patch skinny_fix_16040: A minor bugfix required to cleanly apply it.
 45c59cf0bd3f86240a30690d8eb44f8971e10346 2219 asterisk_1.6.2.9-2+squeeze6.dsc
 75e9f5ca7ed7b8d4eb62e11ebbef495eb44f0636 98744 asterisk_1.6.2.9-2+squeeze6.debian.tar.gz
 8d88ca05e6a7be49aa283731edae7f6b3bdad42c 1704762 asterisk-doc_1.6.2.9-2+squeeze6_all.deb
 ddacbb42b188bba897a6db33ee65b00e8f5bf3e0 636142 asterisk-dev_1.6.2.9-2+squeeze6_all.deb
 2a48b6e28f02e3805bc0ec2d5653050182435d7e 2187506 asterisk-sounds-main_1.6.2.9-2+squeeze6_all.deb
 560c0dbd7123885a344bc615c5e7109691b1404a 717006 asterisk-config_1.6.2.9-2+squeeze6_all.deb
 23a236a841b26a6a27f6f23e84053182aa84039b 3600730 asterisk_1.6.2.9-2+squeeze6_amd64.deb
 af837a09ce3a6b48cda778320729a7901b0f68ae 533866 asterisk-h323_1.6.2.9-2+squeeze6_amd64.deb
 abfb6b623b7c878a1be0d78900f82096f1606e28 20343096 asterisk-dbg_1.6.2.9-2+squeeze6_amd64.deb
 10de1b70bd92a65385670f54947270de605f74ca8879163d18571a77d9e0a7fb 2219 asterisk_1.6.2.9-2+squeeze6.dsc
 3e17105321b621fdcba88a8a19dd81eaccbdea478e5db9b33cf07d9f057c52ff 98744 asterisk_1.6.2.9-2+squeeze6.debian.tar.gz
 b9be45b78373ed877eb2f659c9e771865db6c90d3a663db9b659a3b5e616ba90 1704762 asterisk-doc_1.6.2.9-2+squeeze6_all.deb
 87f4f228514f1aae6c2348545b855cc0d5f23aa232c795adfcd84171b21f5f07 636142 asterisk-dev_1.6.2.9-2+squeeze6_all.deb
 50d07b4a462c0d4dfbcc60ffea694f5b2c89adc0384b25c754181ff30e34144b 2187506 asterisk-sounds-main_1.6.2.9-2+squeeze6_all.deb
 3c804bf441c1248e30a4e649f01e3e7f7a0e7dd2d1ca686a9fe882477a848cd2 717006 asterisk-config_1.6.2.9-2+squeeze6_all.deb
 05f27a6206f76cbf29d0b42963969051f672bf1e2b1b635590cca68de902e5df 3600730 asterisk_1.6.2.9-2+squeeze6_amd64.deb
 ef85d00155d30e3ecde3b2b1b36325bbe6006ba34d8ffe948343498ab7775cf2 533866 asterisk-h323_1.6.2.9-2+squeeze6_amd64.deb
 166dbe2e530ddc4be4720303ec5fc3de58aeb17efc46df64c85c7d9f6459d22c 20343096 asterisk-dbg_1.6.2.9-2+squeeze6_amd64.deb
 5c3faa85d86a7807ed2dbdb5f4e2d4ec 2219 comm optional asterisk_1.6.2.9-2+squeeze6.dsc
 f3488ef325fbd3708b30bdb1b966ce59 98744 comm optional asterisk_1.6.2.9-2+squeeze6.debian.tar.gz
 1abc71c22edbcb17a3c69cb79c4ae060 1704762 doc extra asterisk-doc_1.6.2.9-2+squeeze6_all.deb
 07213793076639f0d0f8daa8e35f7cb1 636142 devel extra asterisk-dev_1.6.2.9-2+squeeze6_all.deb
 bb87d64c78b4ce28e29cb8fa73228faf 2187506 comm optional asterisk-sounds-main_1.6.2.9-2+squeeze6_all.deb
 403a68f50900a24b5e26c9c5c00987e6 717006 comm optional asterisk-config_1.6.2.9-2+squeeze6_all.deb
 6f7cb2e22708485c7cc9f7de1a157cd8 3600730 comm optional asterisk_1.6.2.9-2+squeeze6_amd64.deb
 9c136b3acae571cd67b75ba76df96344 533866 comm optional asterisk-h323_1.6.2.9-2+squeeze6_amd64.deb
 8c16c4b53d552938546378ff9732353f 20343096 debug extra asterisk-dbg_1.6.2.9-2+squeeze6_amd64.deb

Version: GnuPG v1.4.10 (GNU/Linux)


Bug archived. Request was from Debbugs Internal Request <> to (Wed, 11 Jul 2012 07:36:26 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Mon Apr 21 09:52:44 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.