AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework

           Asterisk Project Security Advisory - AST-2014-005

     Product        Asterisk                                              
     Summary        Remote Crash in PJSIP Channel Driver's                
                    Publish/Subscribe Framework                           
Nature of Advisory  Denial of Service                                     
  Susceptibility    Remote Unauthenticated Sessions                       
     Severity       Moderate                                              
  Exploits Known    No                                                    
   Reported On      March 17, 2014                                        
   Reported By      John Bigelow <jbigelow AT digium DOT com>             
    Posted On       June 12, 2014                                         
 Last Updated On    June 12, 2014                                         
 Advisory Contact   Kevin Harwell <kharwell AT digium DOT com>            
     CVE Name       CVE-2014-4045                                         

Description  A remotely exploitable crash vulnerability exists in the     
             PJSIP channel driver's pub/sub framework. If an attempt is   
             made to unsubscribe when not currently subscribed and the    
             endpoint's "sub_min_expiry" is set to zero, Asterisk tries   
             to create an expiration timer with zero seconds, which is    
             not allowed, so an assertion raised.                         

Resolution  Upgrade to a version with the patch integrated, apply the     
            patch, or make sure the "sub_min_expiry" endpoint             
            configuration option is greater than zero.                    

                           Affected Versions
             Product               Release Series  
      Asterisk Open Source              12.x       All                    

                              Corrected In    
                  Product                              Release            
         Asterisk Open Source 12.x                      12.3.1            

                                Patches                        
                           SVN URL                              Revision  

http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff Asterisk
12

   Links     https://issues.asterisk.org/jira/browse/ASTERISK-23489       

Asterisk Project Security Advisories are posted at                        
http://www.asterisk.org/security                                          
                                                                          
This document may be superseded by later versions; if so, the latest      
version will be posted at                                                 
http://downloads.digium.com/pub/security/AST-2014-005.pdf and             
http://downloads.digium.com/pub/security/AST-2014-005.html                

                            Revision History
      Date                  Editor                 Revisions Made         
April 14, 2014     Kevin Harwell             Document Creation            
June 12, 2014      Matt Jordan               Added CVE                    

           Asterisk Project Security Advisory - AST-2014-005
          Copyright (c) 2014 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.