FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

asterisk -- Remote Crash Vulnerability in chan_sip channel driver

Affected packages
asterisk13 < 13.27.1
asterisk15 < 15.7.3
asterisk16 < 16.4.1

Details

VuXML ID e9d2e981-a46d-11e9-bed9-001999f8d30b
Discovery 2019-06-28
Entry 2019-07-12

The Asterisk project reports:

When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed on the SIP peer or user a crash will occur. The code incorrectly assumes that there will be at least one common codec when T.38 is also in the SDP answer.

References

CVE Name CVE-2019-13161
URL https://downloads.asterisk.org/pub/security/AST-2019-003.html