[Pkg-voip-commits] r4174 - in asterisk/branches/etch/debian: . patches
paravoid at alioth.debian.org
Tue Aug 21 02:40:25 UTC 2007
Author: paravoid
Date: 2007-08-21 02:40:25 +0000 (Tue, 21 Aug 2007)
New Revision: 4174
Added:
asterisk/branches/etch/debian/patches/CVE-2007-2488.dpatch
Modified:
asterisk/branches/etch/debian/changelog
asterisk/branches/etch/debian/patches/00list
Log:
- channels/chan_iax2.c: if a text frame is sent with no terminating NULL
through a bridged IAX connection, the remote end will receive garbage
characters tacked onto the end. (CVE-2007-2488)
Modified: asterisk/branches/etch/debian/changelog
===================================================================
--- asterisk/branches/etch/debian/changelog 2007-08-20 21:18:37 UTC (rev 4173)
+++ asterisk/branches/etch/debian/changelog 2007-08-21 02:40:25 UTC (rev 4174)
@@ -14,6 +14,9 @@
- channels/chan_iax2.c: After parsing information elements in IAX frames,
set the data length to zero, so that code later on does not think it has
data to copy. (ASA-2007-015, CVE-2007-3763)
+ - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
+ through a bridged IAX connection, the remote end will receive garbage
+ characters tacked onto the end. (CVE-2007-2488)
- channels/chan_skinny.c: Properly check for the length in the skinny packet
to prevent an invalid memcpy. (ASA-2007-016, CVE-2007-3764)
* i386 binary packages in etch were unfortunately compiled in an unclean
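Review bot: The added changelog entry identifies the fix only by CVE-2007-2488, while the dpatch header added in this same revision records the upstream origin (r62691, issue 9638). Including that revision and issue number in the entry would let anyone auditing the security upload trace the change back to upstream without opening the patch file. The missing terminator is also the NUL byte ('\0', as the patch itself writes it), so "terminating NUL" would be the more precise wording than "NULL".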
@@ -21,7 +24,7 @@
Added a build dependency on that package to avoid regressions on a security
upload.
- -- Faidon Liambotis <paravoid at debian.org> Thu, 16 Aug 2007 08:10:44 +0300
+ -- Faidon Liambotis <paravoid at debian.org> Tue, 21 Aug 2007 05:10:05 +0300
asterisk (1:1.2.13~dfsg-2) unstable; urgency=low
Modified: asterisk/branches/etch/debian/patches/00list
===================================================================
--- asterisk/branches/etch/debian/patches/00list 2007-08-20 21:18:37 UTC (rev 4173)
+++ asterisk/branches/etch/debian/patches/00list 2007-08-21 02:40:25 UTC (rev 4174)
@@ -3,6 +3,7 @@
ASA-2007-012.dpatch
ASA-2007-014.dpatch
ASA-2007-015.dpatch
+CVE-2007-2488.dpatch
ASA-2007-016.dpatch
# ukcid probably conflicts with bristuff
ukcid
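Review bot: CVE-2007-2488.dpatch is listed directly after ASA-2007-015.dpatch, and the changelog describes both as changes to channels/chan_iax2.c, so the order in 00list decides which tree the new hunk is applied against. The embedded diff was taken from upstream revisions 62690/62691 at line 6732, not from this package's source, so please confirm it applies on top of ASA-2007-015 without fuzz or rejects, and that the context it lands in is the intended receive path. It would also help to say in the patch header that it must stay after ASA-2007-015 if that ordering is required.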
Added: asterisk/branches/etch/debian/patches/CVE-2007-2488.dpatch
===================================================================
--- asterisk/branches/etch/debian/patches/CVE-2007-2488.dpatch (rev 0)
+++ asterisk/branches/etch/debian/patches/CVE-2007-2488.dpatch 2007-08-21 02:40:25 UTC (rev 4174)
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-2488.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: chan_iax2: if a text frame is sent with no terminating NULL through a
+## DP: bridged IAX connection, the remote end will receive garbage characters
+## DP: tacked onto the end.
+## DP: r62691 in upstream's SVN, fixes issue 9638
+## DP: Security fix, CVE-2007-2488
+
+ at DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 62690)
++++ b/channels/chan_iax2.c (revision 62691)
+@@ -6732,6 +6732,13 @@
+ ast_mutex_unlock(&iaxsl[fr->callno]);
+ return 1;
+ }
++ /* Ensure text frames are NULL-terminated */
++ if (f.frametype == AST_FRAME_TEXT && buf[res - 1] != '\0') {
++ if (res < sizeof(buf))
++ buf[res++] = '\0';
++ else /* Trims one character from the text message, but that's better than overwriting the end of the buffer. */
++ buf[res - 1] = '\0';
++ }
+ f.datalen = res - sizeof(*fh);
+
+ /* Handle implicit ACKing unless this is an INVAL, and only if this is
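Review bot: The test `buf[res - 1] != '\0'` looks at the last received byte without first checking that the frame carries any payload. Since the next line computes `f.datalen = res - sizeof(*fh)`, res includes the header, so for a text frame with an empty body buf[res - 1] is the last header byte, and a non-zero value there turns a zero-length frame into a one-byte one. Guarding the block with `res > sizeof(*fh)` would restrict the check to real payload bytes. In the else branch the last character of a full-buffer message is overwritten silently; a log warning there would make the truncation visible to operators, and the comment could state that this case only arises when res equals sizeof(buf). The terminator is the NUL byte, so the comment would read better as "NUL-terminated".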