On Sat, Dec 10, 2016 at 03:52:26PM +0100, Salvatore Bonaccorso wrote:
> Source: asterisk
> Version: 1:13.12.2~dfsg-1
> Severity: grave
> Tags: security upstream patch
> Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-26579
>
> Hi
>
> AST-2016-008 was announced at
>
> http://downloads.asterisk.org/pub/security/AST-2016-008.html
>
> referencing patches as well for the 13.x release series.
>
> https://issues.asterisk.org/jira/browse/ASTERISK-26579

The patch does not seem to apply to the Debian package due to opus.patch.
It seems however that the original issue likewise doesn't, as the code
from opus.patch uses a different parsing of the Opus SDP headers.

Attached a sipp scenario that crashes an unpatched upstream asterisk
13.13.0:

  sipp 127.0.0.1:5060 -sf SDP.xml -m 1

If anyone wants to give a second look to opus.patch (and maybe also
amr.patch. vp8.patch looks more self-contained). The relevant upstream
code must have had some extra checks at this point.

Could someone else please double-check before closing this one?

(But yes, there's still AST-2016-009 in another open bug)

-- 
Tzafrir Cohen
icq#16849755
jabber:tzafrir.co...@xorcom.com
+972-50-7952406
mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
sipp-AST-2016-008.xml
Description: XML document