[Pkg-voip-commits] r4024 - in asterisk/branches/etch/debian: . patches
paravoid at alioth.debian.org
Thu Aug 16 03:51:01 UTC 2007
Author: paravoid
Date: 2007-08-16 03:51:01 +0000 (Thu, 16 Aug 2007)
New Revision: 4024
Added:
asterisk/branches/etch/debian/patches/ASA-2007-011.dpatch
asterisk/branches/etch/debian/patches/ASA-2007-012.dpatch
asterisk/branches/etch/debian/patches/ASA-2007-014.dpatch
asterisk/branches/etch/debian/patches/ASA-2007-015.dpatch
asterisk/branches/etch/debian/patches/ASA-2007-016.dpatch
Modified:
asterisk/branches/etch/debian/changelog
asterisk/branches/etch/debian/patches/00list
Log:
* Multiple upstream security fixes:
- channels/chan_sip.c: Only try to handle a response if it has a response
code. (ASA-2007-011, CVE-2007-1594)
- manager.c: Don't crash if a manager connection provides a username that
exists in manager.conf but does not have a password, and also requests
MD5 authentication. (ASA-2007-012, CVE-2007-2294)
- channels/iax2-parser.h, channels/chan_iax2.c, channels/iax2-parser.c:
Ensure that when encoding the contents of an ast_frame into an iax_frame,
that the size of the destination buffer is known in the iax_frame so that
code won't write past the end of the allocated buffer when sending
outgoing frames. (ASA-2007-014, CVE-2007-3762)
- channels/chan_iax2.c: After parsing information elements in IAX frames,
set the data length to zero, so that code later on does not think it has
data to copy. (ASA-2007-015, CVE-2007-3763)
- channels/chan_skinny.c: Properly check for the length in the skinny packet
to prevent an invalid memcpy. (ASA-2007-016, CVE-2007-3764)
Modified: asterisk/branches/etch/debian/changelog
===================================================================
--- asterisk/branches/etch/debian/changelog 2007-08-16 03:20:17 UTC (rev 4023)
+++ asterisk/branches/etch/debian/changelog 2007-08-16 03:51:01 UTC (rev 4024)
@@ -1,3 +1,24 @@
+asterisk (1:1.2.13~dfsg-2etch1) stable-security; urgency=high
+
+ * Multiple upstream security fixes:
+ - channels/chan_sip.c: Only try to handle a response if it has a response
+ code. (ASA-2007-011, CVE-2007-1594)
+ - manager.c: Don't crash if a manager connection provides a username that
+ exists in manager.conf but does not have a password, and also requests
+ MD5 authentication. (ASA-2007-012, CVE-2007-2294)
+ - channels/iax2-parser.h, channels/chan_iax2.c, channels/iax2-parser.c:
+ Ensure that when encoding the contents of an ast_frame into an iax_frame,
+ that the size of the destination buffer is known in the iax_frame so that
+ code won't write past the end of the allocated buffer when sending
+ outgoing frames. (ASA-2007-014, CVE-2007-3762)
+ - channels/chan_iax2.c: After parsing information elements in IAX frames,
+ set the data length to zero, so that code later on does not think it has
+ data to copy. (ASA-2007-015, CVE-2007-3763)
+ - channels/chan_skinny.c: Properly check for the length in the skinny packet
+ to prevent an invalid memcpy. (ASA-2007-016, CVE-2007-3764)
+
+ -- Faidon Liambotis <paravoid at debian.org> Thu, 16 Aug 2007 06:50:18 +0300
+
asterisk (1:1.2.13~dfsg-2) unstable; urgency=low
[ Tzafrir Cohen ]
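Review bot: the new entry lists ASA-2007-011, -012, -014, -015 and -016 but is silent on the skipped number 013, so a reader of the changelog cannot tell whether that advisory was checked against 1.2.13 and found not to apply or was simply missed. Add one line stating its status for this version.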
Modified: asterisk/branches/etch/debian/patches/00list
===================================================================
--- asterisk/branches/etch/debian/patches/00list 2007-08-16 03:20:17 UTC (rev 4023)
+++ asterisk/branches/etch/debian/patches/00list 2007-08-16 03:51:01 UTC (rev 4024)
@@ -1,4 +1,9 @@
patch.CVE-2006-2898.dpatch
+ASA-2007-011.dpatch
+ASA-2007-012.dpatch
+ASA-2007-014.dpatch
+ASA-2007-015.dpatch
+ASA-2007-016.dpatch
# ukcid probably conflicts with bristuff
ukcid
option_detach
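Review bot: the list applies ASA-2007-014 before ASA-2007-015, yet both touch channels/chan_iax2.c and the 015 patch is based on the earlier upstream revision (75439/75440 versus 75443/75444). The lines 014 adds earlier in that file shift the 6811 hunk of 015, so it will only apply with an offset. Either list 015 before 014 to match upstream order or confirm that the series applies without fuzz. The same check applies to the patches that follow in the list (ukcid and later) if they touch chan_sip.c, chan_iax2.c or chan_skinny.c.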
Added: asterisk/branches/etch/debian/patches/ASA-2007-011.dpatch
===================================================================
--- asterisk/branches/etch/debian/patches/ASA-2007-011.dpatch (rev 0)
+++ asterisk/branches/etch/debian/patches/ASA-2007-011.dpatch 2007-08-16 03:51:01 UTC (rev 4024)
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-011.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: channels/chan_sip.c: Only try to handle a response if it has a response code.
+## DP: r59194 in upstream's SVN
+## DP: Security fix, ASA-2007-011, CVE-2007-1594
+
+ at DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- a/channels/chan_sip.c (revision 59193)
++++ b/channels/chan_sip.c (revision 59194)
+@@ -11295,17 +11295,17 @@
+ /* ignore means "don't do anything with it" but still have to
+ respond appropriately */
+ ignore=1;
++ } else if (e) {
++ e = ast_skip_blanks(e);
++ if (sscanf(e, "%d %n", &respid, &len) != 1) {
++ ast_log(LOG_WARNING, "Invalid response: '%s'\n", e);
++ } else {
++ /* More SIP ridiculousness, we have to ignore bogus contacts in 100 etc responses */
++ if ((respid == 200) || ((respid >= 300) && (respid <= 399)))
++ extract_uri(p, req);
++ handle_response(p, respid, e + len, req, ignore, seqno);
++ }
+ }
+-
+- e = ast_skip_blanks(e);
+- if (sscanf(e, "%d %n", &respid, &len) != 1) {
+- ast_log(LOG_WARNING, "Invalid response: '%s'\n", e);
+- } else {
+- /* More SIP ridiculousness, we have to ignore bogus contacts in 100 etc responses */
+- if ((respid == 200) || ((respid >= 300) && (respid <= 399)))
+- extract_uri(p, req);
+- handle_response(p, respid, e + len, req, ignore, seqno);
+- }
+ return 0;
+ }
+
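Review bot: chaining the parse as `} else if (e) {` onto the branch that sets `ignore=1` means a response that takes the `ignore=1` branch no longer reaches `handle_response()` at all, whereas the removed lines ran the status-line parse after the if chain for every response and passed `ignore` through. The retained comment still says such responses "still have to respond appropriately". If only the NULL guard on `e` was intended, keep the block after the chain and wrap it in a plain `if (e)`; if dropping ignored responses is intended, update the comment and say so in the DP: description.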
Added: asterisk/branches/etch/debian/patches/ASA-2007-012.dpatch
===================================================================
--- asterisk/branches/etch/debian/patches/ASA-2007-012.dpatch (rev 0)
+++ asterisk/branches/etch/debian/patches/ASA-2007-012.dpatch 2007-08-16 03:51:01 UTC (rev 4024)
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-012.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: manager.c: Don't crash if a manager connection provides a username
+## DP: that exists in manager.conf but does not have a password, and also
+## DP: requests MD5 authentication.
+## DP: r61786 in upstream's SVN
+## DP: Security fix, ASA-2007-012, CVE-2007-2294
+
+ at DPATCH@
+Index: manager.c
+===================================================================
+--- a/manager.c (revision 61785)
++++ b/manager.c (revision 61786)
+@@ -533,7 +533,8 @@
+ } else if (ha)
+ ast_free_ha(ha);
+ if (!strcasecmp(authtype, "MD5")) {
+- if (!ast_strlen_zero(key) && s->challenge) {
++ if (!ast_strlen_zero(key) &&
++ !ast_strlen_zero(s->challenge) && !ast_strlen_zero(password)) {
+ int x;
+ int len=0;
+ char md5key[256] = "";
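Review bot: the tightened condition in the `MD5` branch has no visible failure handling: when `password` or `s->challenge` is empty the block is skipped, and the hunk does not show what the connection gets back. Confirm that the skipped path ends in an authentication failure rather than falling through, and consider logging a warning that names the user, so that an account defined in manager.conf without a secret is noticed by the administrator.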
Added: asterisk/branches/etch/debian/patches/ASA-2007-014.dpatch
===================================================================
--- asterisk/branches/etch/debian/patches/ASA-2007-014.dpatch (rev 0)
+++ asterisk/branches/etch/debian/patches/ASA-2007-014.dpatch 2007-08-16 03:51:01 UTC (rev 4024)
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-014.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: Ensure that when encoding the contents of an ast_frame into an
+## DP: iax_frame, that the size of the destination buffer is known in the
+## DP: iax_frame so that code won't write past the end of the allocated
+## DP: buffer when sending outgoing frames.
+## DP: r75444 in upstream's SVN
+## DP: Security fix, ASA-2007-014, CVE-2007-3762
+
+ at DPATCH@
+Index: channels/iax2-parser.h
+===================================================================
+--- a/channels/iax2-parser.h (revision 75443)
++++ b/channels/iax2-parser.h (revision 75444)
+@@ -119,6 +119,8 @@
+ struct iax_frame *prev;
+ /* Actual, isolated frame header */
+ struct ast_frame af;
++ /* Amount of data _allocated_ for afdata */
++ size_t afdatalen;
+ unsigned char unused[AST_FRIENDLY_OFFSET];
+ unsigned char afdata[0]; /* Data for frame */
+ };
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 75443)
++++ b/channels/chan_iax2.c (revision 75444)
+@@ -4020,7 +4020,9 @@
+ int sendmini=0;
+ unsigned int lastsent;
+ unsigned int fts;
+-
++
++ frb.fr2.afdatalen = sizeof(frb.buffer);
++
+ if (!pvt) {
+ ast_log(LOG_WARNING, "No private structure for packet?\n");
+ return -1;
+@@ -6435,7 +6437,8 @@
+ /* allocate an iax_frame with 4096 bytes of data buffer */
+ fr = alloca(sizeof(*fr) + 4096);
+ fr->callno = 0;
+-
++ fr->afdatalen = 4096; /* From alloca() above */
++
+ res = recvfrom(fd, buf, sizeof(buf), 0,(struct sockaddr *) &sin, &len);
+ if (res < 0) {
+ if (errno != ECONNREFUSED)
+Index: channels/iax2-parser.c
+===================================================================
+--- a/channels/iax2-parser.c (revision 75443)
++++ b/channels/iax2-parser.c (revision 75444)
+@@ -904,13 +904,20 @@
+ fr->af.delivery.tv_usec = 0;
+ fr->af.data = fr->afdata;
+ if (fr->af.datalen) {
++ size_t copy_len = fr->af.datalen;
++ if (copy_len > fr->afdatalen) {
++ ast_log(LOG_ERROR, "Losing frame data because destination buffer size '%d' bytes not big enough for '%d' bytes in the frame\n",
++ (int) fr->afdatalen, (int) fr->af.datalen);
++ copy_len = fr->afdatalen;
++ }
+ #if __BYTE_ORDER == __LITTLE_ENDIAN
+ /* We need to byte-swap slinear samples from network byte order */
+ if ((fr->af.frametype == AST_FRAME_VOICE) && (fr->af.subclass == AST_FORMAT_SLINEAR)) {
+- ast_swapcopy_samples(fr->af.data, f->data, fr->af.samples);
++ /* 2 bytes / sample for SLINEAR */
++ ast_swapcopy_samples(fr->af.data, f->data, copy_len / 2);
+ } else
+ #endif
+- memcpy(fr->af.data, f->data, fr->af.datalen);
++ memcpy(fr->af.data, f->data, copy_len);
+ }
+ }
+
+@@ -919,6 +926,7 @@
+ struct iax_frame *fr;
+ fr = malloc((int)sizeof(struct iax_frame) + datalen);
+ if (fr) {
++ fr->afdatalen = datalen;
+ fr->direction = direction;
+ fr->retrans = -1;
+ frames++;
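Review bot: in the iax2-parser.c hunk, clamping `copy_len` to `fr->afdatalen` bounds the copy, but `fr->af.datalen` and `fr->af.samples` keep the original, larger values, so later code that trusts `fr->af.datalen` can read past the bytes actually copied into `afdata`. Set `fr->af.datalen = copy_len` after the clamp and adjust the sample count in the SLINEAR case. Two smaller points: in the allocator hunk `fr->afdatalen = datalen` is stored into a `size_t`, so if `datalen` is a signed type a negative value becomes a very large bound and should be rejected before the `malloc()`; and the literal 4096 now appears in both the `alloca()` call and the `afdatalen` assignment in chan_iax2.c, which would be safer as one named constant.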
Added: asterisk/branches/etch/debian/patches/ASA-2007-015.dpatch
===================================================================
--- asterisk/branches/etch/debian/patches/ASA-2007-015.dpatch (rev 0)
+++ asterisk/branches/etch/debian/patches/ASA-2007-015.dpatch 2007-08-16 03:51:01 UTC (rev 4024)
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-015.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: After parsing information elements in IAX frames, set the data length
+## DP: to zero, so that code later on does not think it has data to copy.
+## DP: r75440 in upstream's SVN
+## DP: Security fix, ASA-2007-015, CVE-2007-3763
+
+ at DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 75439)
++++ b/channels/chan_iax2.c (revision 75440)
+@@ -6811,6 +6811,7 @@
+ return 1;
+ }
+ f.data = NULL;
++ f.datalen = 0;
+ } else
+ f.data = buf + sizeof(*fh);
+ } else {
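Review bot: `f.datalen = 0;` keeps the pointer and the length consistent at this one producer, but the consumer shown in the ASA-2007-014 patch still copies from `f->data` whenever the length is non-zero, without testing the pointer. A defensive `f->data != NULL` check there would stop the next producer that forgets to reset the length from reintroducing the same problem. A one-line comment beside `f.datalen = 0;` saying why it must accompany `f.data = NULL;` would also help.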
Added: asterisk/branches/etch/debian/patches/ASA-2007-016.dpatch
===================================================================
--- asterisk/branches/etch/debian/patches/ASA-2007-016.dpatch (rev 0)
+++ asterisk/branches/etch/debian/patches/ASA-2007-016.dpatch 2007-08-16 03:51:01 UTC (rev 4024)
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-016.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: chan_skinny: Properly check for the length in the skinny packet to
+## DP: prevent an invalid memcpy.
+## DP: r75449 in upstream's SVN
+## DP: Security fix, ASA-2007-016, CVE-2007-3764
+
+ at DPATCH@
+Index: channels/chan_skinny.c
+===================================================================
+--- a/channels/chan_skinny.c (revision 75448)
++++ b/channels/chan_skinny.c (revision 75449)
+@@ -2862,7 +2862,7 @@
+ return -1;
+ }
+ dlen = letohl(*(int *)s->inbuf);
+- if (dlen < 0) {
++ if (dlen < 4) {
+ ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
+ return -1;
+ }
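Review bot: the new lower bound `dlen < 4` is a bare literal, and the hunk shows no upper bound on `dlen`, which is read straight from the packet. Add a comment or a named constant saying what the 4 bytes are, and confirm that `dlen` is checked against the size of `s->inbuf` before the `memcpy` the description refers to. The signed read `*(int *)s->inbuf` also deserves a look, since a wire length field is more naturally unsigned.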