Jim Rosenberg
2004-Feb-25 15:01 UTC
[Asterisk-Users] Patching Asterisk for OpenH323 ASN.1 Vulnerabilities
I need to know how to get Asterisk patched for the recent vulnerabilities in various H.323 implementations due to integer overflows in ASN.1 parsing. I'm quite new to this world of Asterisk, H.323, SIP, and VoIP, so please bear with me if I garble something.

The consensus in the Asterisk community seems to be that (somehow) Asterisk is not vulnerable to these security holes, which many experts consider quite serious. I am frankly having a lot of trouble understanding where this bliss is coming from. From my reading on this, it looks to me as though the developers of OpenH323 have acknowledged that their code ***IS*** vulnerable, and have published a patch. Please see

http://www.openh323.org/pipermail/openh323/2004-January/065237.html

This suggests that to have fixed H.323 code, one needs the following code versions:

            Version   CVS tag
  PWLib     1.6.0     v1_6_0
  OpenH323  1.13.0    v1_13_0

In particular, the "recommended" versions of PWLib and OpenH323 that you will get from following the "default" instructions for building Asterisk will ***NOT*** be patched.

I tried downloading the above versions, and Asterisk does not build with these versions. Is there a version of Asterisk I need to check out of CVS to get patched versions of H.323 to build? How does one incorporate these fixes into Asterisk???

ASN.1 is a swamp. There have been many holes of this kind, and I fear there will be many more in the future. The Asterisk community has to be prepared to react quickly when a patch is released from OpenH323.

-T.i.A., Jim
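The bug class behind the advisory Jim refers to, as an added illustration that is not OpenH323, PWLib or Asterisk code: a definite-length TLV length decoder whose accumulator and additive bounds check can wrap, beside a hardened version of the same routine. H.225/H.245 messages are PER-encoded and the real OpenH323 fix lives in its own ASN.1 decoder; the BER-style length octets, the function names and the sample buffers here are constructed purely to show the arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding one definite-form length field. */
typedef struct {
    int ok;      /* 1 if the length is well-formed and fits in the buffer */
    size_t len;  /* decoded content length */
    size_t hdr;  /* octets consumed by the length field itself */
} len_result;

/* Naive decoder in the style of the bug class: any number of length
 * octets is accepted, the accumulator wraps silently, and the bounds
 * check is additive, so pos + hdr + len can wrap to a small value. */
len_result decode_len_naive(const uint8_t *buf, size_t pos, size_t total)
{
    len_result r = {0, 0, 0};
    if (pos >= total)
        return r;
    size_t len = 0, hdr = 1;
    uint8_t b = buf[pos];
    if (b & 0x80) {
        unsigned n = b & 0x7f;                 /* up to 127 length octets */
        for (unsigned i = 0; i < n; i++) {
            if (pos + hdr >= total)            /* stay inside the buffer */
                return r;
            len = (len << 8) | buf[pos + hdr]; /* wraps past sizeof(size_t) octets */
            hdr++;
        }
    } else {
        len = b;
    }
    if (pos + hdr + len > total)   /* BUG: wraps when len is near SIZE_MAX */
        return r;
    r.ok = 1;
    r.len = len;
    r.hdr = hdr;
    return r;
}

/* Hardened decoder: bound the number of length octets to what size_t can
 * hold, make sure those octets exist before reading them, and compare the
 * length against the remaining space with a subtraction that cannot wrap. */
len_result decode_len_safe(const uint8_t *buf, size_t pos, size_t total)
{
    len_result r = {0, 0, 0};
    if (pos >= total)
        return r;
    size_t len = 0, hdr = 1;
    uint8_t b = buf[pos];
    if (b & 0x80) {
        unsigned n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t))      /* indefinite form or unrepresentable */
            return r;
        if (n > total - pos - 1)               /* not enough octets for the length */
            return r;
        for (unsigned i = 0; i < n; i++) {
            len = (len << 8) | buf[pos + hdr];
            hdr++;
        }
    } else {
        len = b;
    }
    size_t remaining = total - pos - hdr;   /* cannot underflow: hdr octets verified above */
    if (len > remaining)                    /* no addition, so no wraparound */
        return r;
    r.ok = 1;
    r.len = len;
    r.hdr = hdr;
    return r;
}

/* Constructed sample inputs (not captured H.323 traffic). */
/* Long form with 8 length octets of 0xFF: len becomes SIZE_MAX on 64-bit
 * (0xFFFFFFFF on 32-bit), so pos + hdr + len wraps to a small number. */
const uint8_t sample_overflow[] = {0x88, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B'};
/* Short form: 3 content octets, exactly filling the buffer. */
const uint8_t sample_ok[] = {0x03, 'a', 'b', 'c'};
/* Short form claiming 5 octets where only 2 remain. */
const uint8_t sample_truncated[] = {0x05, 'a', 'b'};

int main(void)
{
    len_result a = decode_len_naive(sample_overflow, 0, sizeof sample_overflow);
    len_result b = decode_len_safe(sample_overflow, 0, sizeof sample_overflow);
    printf("naive: ok=%d len=%zu (a copy of this many bytes runs off the end)\n", a.ok, a.len);
    printf("safe:  ok=%d\n", b.ok);
    return 0;
}
```

The naive routine accepts the constructed overflow buffer with a content length of SIZE_MAX, which is exactly the value a later copy or sub-decoder would trust; the hardened one rejects it, and the two agree on the ordinary short-form and truncated inputs. The two changes that matter are refusing more length octets than the accumulator can represent and checking `len > remaining` instead of `pos + hdr + len > total`.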
Adam Hart
2004-Feb-25 15:13 UTC
[Asterisk-Users] Patching Asterisk for OpenH323 ASN.1 Vulnerabilities
> The consensus in the Asterisk community seems to be that (somehow) Asterisk
> is not vulnerable to these security holes, which many experts consider
> quite serious. I am frankly having a lot of trouble understanding where
> this bliss is coming from. From my reading on this, it looks to me as
> though the developers of OpenH323 have acknowledged that their code
> ***IS*** vulnerable, and have published a patch.

Yes, Asterisk is vulnerable if you have H.323 running.

> I tried downloading the above versions, and Asterisk does not build with
> these versions. Is there a version of Asterisk I need to check out of CVS
> to get patched versions of H.323 to build? How does one incorporate these
> fixes into Asterisk???

What happens when you try to compile Asterisk with the latest version of OpenH323? It's been a few months since I've done it, but it used to work.