[Asterisk-Users] Patching Asterisk for OpenH323 ASN.1 Vulnerabilities

Jim Rosenberg jr at amanue.com
Wed Feb 25 15:01:11 MST 2004


I need to know how to get Asterisk patched for the recent vulnerabilities
in various H.323 implementations due to integer overflows in ASN.1 parsing.
I'm quite new to this world of Asterisk, H.323, SIP, and VoIP, so please 
bear with me if I garble something.

The consensus in the Asterisk community seems to be that (somehow) Asterisk
is not vulnerable to these security holes, which many experts consider
quite serious. I am frankly having a lot of trouble understanding where
this bliss is coming from. From my reading on this, it looks to me as
though the developers of OpenH323 have acknowledged that their code
***IS*** vulnerable, and have published a patch. Please see

http://www.openh323.org/pipermail/openh323/2004-January/065237.html

This suggests that to have fixed H.323 code, one needs the following code
versions:

                        Version       CVS tag
        PWLib           1.6.0         v1_6_0
        OpenH323        1.13.0        v1_13_0

In particular, the "recommended" versions of PWLib and OpenH323 that you
will get from following the "default" instructions for building Asterisk
will ***NOT*** be patched.

I tried downloading the above versions, and Asterisk does not build with
these versions. Is there a version of Asterisk I need to check out of CVS
to get patched versions of H.323 to build? How does one incorporate these
fixes into Asterisk???

ASN.1 is a swamp. There have been many holes of this kind, and I fear there
will be many more in the future. The Asterisk community has to be prepared
to react quickly when a patch is released from OpenH323.

-T.i.A., Jim
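An added example, not code from the post, from Asterisk or from OpenH323: a decoder for the X.691 PER unconstrained length determinant (the encoding H.225.0 and H.245 messages use), written so that a hostile length value can neither run past the buffer nor wrap the offset arithmetic, which is the class of ASN.1 parsing bug the thread is about. The sample byte strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

enum per_len_status { PER_LEN_OK = 0, PER_LEN_TRUNCATED, PER_LEN_TOO_LONG, PER_LEN_BADFORM };

/* Decode an X.691 unconstrained length determinant at buf[*pos]. On PER_LEN_OK,
 * *pos is moved past the determinant, *len is the element length, and
 * *pos + *len <= buf_len is guaranteed, so the caller may consume *len bytes. */
enum per_len_status per_decode_length(const uint8_t *buf, size_t buf_len,
                                      size_t *pos, size_t *len, int *fragment)
{
    size_t p = *pos, l;
    *fragment = 0;
    if (p >= buf_len) return PER_LEN_TRUNCATED;
    uint8_t b0 = buf[p++];
    if ((b0 & 0x80) == 0) {                 /* 0xxxxxxx: length 0..127 */
        l = b0;
    } else if ((b0 & 0x40) == 0) {          /* 10xxxxxx xxxxxxxx: 128..16383 */
        if (p >= buf_len) return PER_LEN_TRUNCATED;
        l = ((size_t)(b0 & 0x3f) << 8) | buf[p++];
    } else {                                /* 11xxxxxx: fragment of k*16384, k=1..4 */
        unsigned k = b0 & 0x3f;
        if (k < 1 || k > 4) return PER_LEN_BADFORM;
        l = (size_t)k * 16384;
        *fragment = 1;
    }
    /* Compare with the bytes remaining instead of forming p + l: buf_len - p cannot
     * wrap (p <= buf_len here), whereas p + l in a narrow or signed counter can. */
    if (l > buf_len - p) return PER_LEN_TOO_LONG;
    *pos = p;
    *len = l;
    return PER_LEN_OK;
}

/* Constructed samples, not real H.323 traffic. */
static const uint8_t SAMPLE_OK[]    = {0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_LIE[]   = {0xbf, 0xff, 'x', 'y', 'z'}; /* claims 16383 bytes */
static const uint8_t SAMPLE_TRUNC[] = {0x81};                       /* second byte missing */
static const uint8_t SAMPLE_BADK[]  = {0xc5};                       /* fragment multiplier 5 */

/* Decode from offset 0; returns the status, *out gets the accepted length (0 on error). */
enum per_len_status decode_at_start(const uint8_t *buf, size_t n, size_t *out)
{
    size_t pos = 0, len = 0; int frag = 0;
    enum per_len_status s = per_decode_length(buf, n, &pos, &len, &frag);
    *out = (s == PER_LEN_OK) ? len : 0;
    return s;
}
```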


