Gentoo Logo

Asterisk: Multiple vulnerabilities


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200802-11 / asterisk
Release Date February 26, 2008
Latest Revision February 26, 2008: 01
Impact high
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-misc/asterisk < revision >= 1.2.17-r1, >= All supported architectures

Related bugreports: #185713


Multiple vulnerabilities have been found in Asterisk.

2.  Impact Information


Asterisk is an open source telephony engine and tool kit.


Multiple vulnerabilities have been found in Asterisk:

  • Russel Bryant reported a stack buffer overflow in the IAX2 channel driver (chan_iax2) when bridging calls between chan_iax2 and any channel driver that uses RTP for media (CVE-2007-3762).
  • Chris Clark and Zane Lackey (iSEC Partners) reported a NULL pointer dereference in the IAX2 channel driver (chan_iax2) (CVE-2007-3763).
  • Will Drewry (Google Security) reported a vulnerability in the Skinny channel driver (chan_skinny), resulting in an overly large memcpy (CVE-2007-3764).
  • Will Drewry (Google Security) reported a vulnerability in the IAX2 channel driver (chan_iax2), that does not correctly handle unauthenticated transactions using a 3-way handshake (CVE-2007-4103).


By sending a long voice or video RTP frame, a remote attacker could possibly execute arbitrary code on the target machine. Sending specially crafted LAGRQ or LAGRP frames containing information elements of IAX frames, or a certain data length value in a crafted packet, or performing a flood of calls not completing a 3-way handshake, could result in a Denial of Service.

3.  Resolution Information


There is no known workaround at this time.


All Asterisk users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.17-r1"

4.  References


Page updated February 26, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.