[Pkg-voip-commits] r2111 - in asterisk/trunk/debian: . patches
Mark Purcell
msp at costa.debian.org
Thu Jul 27 07:09:15 UTC 2006
Author: msp
Date: 2006-07-27 07:09:13 +0000 (Thu, 27 Jul 2006)
New Revision: 2111
Added:
asterisk/trunk/debian/patches/patch.CVE-2006-2898.dpatch
Modified:
asterisk/trunk/debian/changelog
Log:
* IAX2 channel driver security patch [CVE-2006-2898]
Modified: asterisk/trunk/debian/changelog
===================================================================
--- asterisk/trunk/debian/changelog 2006-07-26 21:17:11 UTC (rev 2110)
+++ asterisk/trunk/debian/changelog 2006-07-27 07:09:13 UTC (rev 2111)
@@ -1,8 +1,8 @@
-asterisk (1:1.2.10.dfsg-2) UNRELEASED; urgency=low
+asterisk (1:1.2.10.dfsg-2) unstable; urgency=high
- * NOT RELEASED YET
+ * IAX2 channel driver security patch [CVE-2006-2898]
- -- Mark Purcell <msp at debian.org> Mon, 17 Jul 2006 22:51:59 +0100
+ -- Mark Purcell <msp at debian.org> Thu, 27 Jul 2006 08:08:54 +0100
asterisk (1:1.2.10.dfsg-1) unstable; urgency=low
Added: asterisk/trunk/debian/patches/patch.CVE-2006-2898.dpatch
===================================================================
--- asterisk/trunk/debian/patches/patch.CVE-2006-2898.dpatch 2006-07-26 21:17:11 UTC (rev 2110)
+++ asterisk/trunk/debian/patches/patch.CVE-2006-2898.dpatch 2006-07-27 07:09:13 UTC (rev 2111)
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2006-2898.dpatch by Joey Schulze <joey at debian.org>
+##
+## DP: Bug in the IAX2 channel allows remote attackers to craft
+## DP: a denial of service.
+
+ at DPATCH@
+--- asterisk-1.0.7.dfsg.1.orig/channels/chan_iax2.c 2005-03-18 18:30:05.000000000 +0100
+ ++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c 2006-06-07 08:17:19.000000000 +0200
+@@ -5064,10 +5064,20 @@ static int socket_read(int *id, int fd,
+ return 1;
+ }
+ if ((vh->zeros == 0) && (ntohs(vh->callno) & 0x8000)) {
++ if (res < sizeof(*vh)) {
++ ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' that is flagged as a mini video frame but is too short\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
++ return 1;
++
++ }
+ /* This is a video frame, get call number */
+ fr.callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, &sin, new, 1);
+ minivid = 1;
+- } else if (meta->zeros == 0) {
++ } else if ((meta->zeros == 0) && !(ntohs(meta->metacmd) & 0x8000)) {
++ if (res < sizeof(*meta)) {
++ ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' that is flagged as a meta frame but is too short\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
++ return 1;
++
++ }
+ /* This is a meta header */
+ switch(meta->metacmd) {
+ case IAX_META_TRUNK:
+@@ -5164,7 +5174,7 @@ static int socket_read(int *id, int fd,
+ if (iaxdebug)
+ iax_showframe(NULL, fh, 1, &sin, res - sizeof(struct ast_iax2_full_hdr));
+ #endif
+- if (ntohs(mh->callno) & IAX_FLAG_FULL) {
++ if ((res >= sizeof(*fh)) && ntohs(mh->callno) & IAX_FLAG_FULL) {
+ /* Get the destination call number */
+ dcallno = ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS;
+ /* Retrieve the type and subclass */
More information about the Pkg-voip-commits
mailing list