[Pkg-voip-commits] r4226 - in asterisk/branches/sarge/debian: . patches

paravoid at alioth.debian.org paravoid at alioth.debian.org
Thu Aug 23 00:36:04 UTC 2007


Author: paravoid
Date: 2007-08-23 00:36:04 +0000 (Thu, 23 Aug 2007)
New Revision: 4226

Added:
   asterisk/branches/sarge/debian/patches/99_CVE-2005-3559.dpatch
   asterisk/branches/sarge/debian/patches/99_CVE-2006-1827.dpatch
Modified:
   asterisk/branches/sarge/debian/changelog
   asterisk/branches/sarge/debian/patches/00list
Log:
* Non-maintainer upload by the Security Team
* Applied upstream patch to fix buffer overflow induced by an undetected
  integer overflow [debian/patches/99_CVE-2006-1827.dpatch]
* Backported upstream patch to fix unauthorised access to recorded
  messages [debian/patches/99_CVE-2005-3559.dpatch]

Modified: asterisk/branches/sarge/debian/changelog
===================================================================
--- asterisk/branches/sarge/debian/changelog	2007-08-23 00:35:15 UTC (rev 4225)
+++ asterisk/branches/sarge/debian/changelog	2007-08-23 00:36:04 UTC (rev 4226)
@@ -1,3 +1,13 @@
+asterisk (1:1.0.7.dfsg.1-2sarge1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Applied upstream patch to fix buffer overflow induced by an undetected
+    integer overflow [debian/patches/99_CVE-2006-1827.dpatch]
+  * Backported upstream patch to fix unauthorised access to recorded
+    messages [debian/patches/99_CVE-2005-3559.dpatch]
+
+ -- Martin Schulze <joey at infodrom.org>  Wed, 26 Apr 2006 17:34:21 +0200
+
 asterisk (1:1.0.7.dfsg.1-2) unstable; urgency=low
 
   * Mark Purcell

Modified: asterisk/branches/sarge/debian/patches/00list
===================================================================
--- asterisk/branches/sarge/debian/patches/00list	2007-08-23 00:35:15 UTC (rev 4225)
+++ asterisk/branches/sarge/debian/patches/00list	2007-08-23 00:36:04 UTC (rev 4226)
@@ -12,3 +12,5 @@
 95_conf_sample.dpatch
 98_fpm-sounds.dpatch
 08_debian-zaptel.dpatch
+99_CVE-2005-3559.dpatch
+99_CVE-2006-1827.dpatch

Added: asterisk/branches/sarge/debian/patches/99_CVE-2005-3559.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_CVE-2005-3559.dpatch	                        (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_CVE-2005-3559.dpatch	2007-08-23 00:36:04 UTC (rev 4226)
@@ -0,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2005-3559.dpatch by Joey Schulze <joey at debian.org>
+##
+## DP: Description Directory traversal vulnerability in vmail.cgi in
+## DP: Asterisk 1.0.9 through 1.2.0-beta1 allows remote attackers to
+## DP: access WAV files via a .. (dot dot) in the folder parameter.
+
+ at DPATCH@
+diff -u -p -Nr --exclude CVS asterisk-1.0.7.dfsg.1.orig/contrib/scripts/vmail.cgi asterisk-1.0.7.dfsg.1/contrib/scripts/vmail.cgi
+--- asterisk-1.0.7.dfsg.1.orig/contrib/scripts/vmail.cgi	2004-09-15 07:11:41.000000000 +0200
++++ asterisk-1.0.7.dfsg.1/contrib/scripts/vmail.cgi	2006-04-26 17:31:30.000000000 +0200
+@@ -70,6 +70,19 @@ _EOH
+ 
+ }
+ 
++sub untaint() {
++
++	my($data) = @_;
++
++	if ($data =~ /^([-\@\w.]+)$/) {
++		$data = $1;
++	} else {
++		die "Security violation.";
++	}
++
++	return $data;
++}
++
+ sub check_login()
+ {
+ 	local ($filename, $startcat) = @_;
+@@ -489,14 +502,15 @@ _EOH
+ sub message_audio()
+ {
+ 	my ($forcedownload) = @_;
+-	my $folder = param('folder');
+-	my $msgid = param('msgid');
+-	my $mailbox = param('mailbox');
+-	my $context = param('context');
++	my $folder = &untaint(param('folder'));
++	my $msgid = &untaint(param('msgid'));
++	my $mailbox = &untaint(param('mailbox'));
++	my $context = &untaint(param('context'));
+ 	my $format = param('format');
+ 	if (!$format) {
+ 		$format = &getcookie('format');
+ 	}
++	&untaint($format);
+ 	my $path = "/var/spool/asterisk/voicemail/$context/$mailbox/$folder/msg${msgid}.$format";
+ 
+ 	$msgid =~ /^\d\d\d\d$/ || die("Msgid Liar ($msgid)!");
+@@ -865,6 +879,8 @@ sub message_forward()
+ 	}
+ 	$msgcount = &msgcount($context, $newmbox, "INBOX");
+ 	my $txt;
++	$context = &untaint($context);
++	$newmbox = &untaint($newmbox);
+ 	if ($newmbox ne $mbox) {
+ #		print header;
+ 		foreach $msg (@msgs) {
+@@ -900,6 +916,9 @@ sub message_delete_or_move()
+ 		$context = "default";
+ 	}
+ 	my $passwd = param('password');
++	$context = &untaint($context);
++	$mbox = &untaint($mbox);
++	$folder = &untaint($folder);
+ 	my $msgcount = &msgcount($context, $mbox, $folder);
+ 	my $omsgcount = &msgcount($context, $mbox, $newfolder) if $newfolder;
+ #	print header;
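Review bot: The allowlist in the added `untaint` (`/^([-\@\w.]+)$/`) still accepts a value made up only of dots, so `.` or `..` as a whole `folder`, `mailbox` or `context` component passes the check this patch adds against dot-dot traversal; it rejects `/` but not a bare parent-directory component. Rejecting dot-only values and anchoring with `\z` would close that: `if ($data =~ /^([-\@\w.]+)\z/ && $data !~ /^\.+\z/) {`. In `message_audio` the call `&untaint($format);` discards the return value, so `$format` is checked but not replaced, unlike the other four parameters, and a trailing newline that `$` tolerates stays in `$path`; `$format = &untaint($format);` would make it consistent. How far a surviving `..` component reaches depends on `check_login` and the callers, which lie outside the nested hunks, as do the rest of `message_audio`, `message_forward` and `message_delete_or_move`.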

Added: asterisk/branches/sarge/debian/patches/99_CVE-2006-1827.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_CVE-2006-1827.dpatch	                        (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_CVE-2006-1827.dpatch	2007-08-23 00:36:04 UTC (rev 4226)
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2006-1827.dpatch by Joey Schulze <joey at debian.org>
+##
+## DP: Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and
+## DP: earlier allows remote attackers to execute arbitrary code via a length
+## DP: value that passes a length check as a negative number, but triggers a
+## DP: buffer overflow when it is used as an unsigned length.  [CVE-2006-1827]
+
+ at DPATCH@
+diff -u -p -Nr --exclude CVS asterisk-1.0.7.dfsg.1.orig/formats/format_jpeg.c asterisk-1.0.7.dfsg.1/formats/format_jpeg.c
+--- asterisk-1.0.7.dfsg.1.orig/formats/format_jpeg.c	2004-06-22 20:49:00.000000000 +0200
++++ asterisk-1.0.7.dfsg.1/formats/format_jpeg.c	2006-04-26 15:29:52.000000000 +0200
+@@ -42,7 +42,7 @@ static struct ast_frame *jpeg_read_image
+ 	struct ast_frame fr;
+ 	int res;
+ 	char buf[65536];
+-	if (len > sizeof(buf)) {
++	if (len > sizeof(buf) || len < 0) {
+ 		ast_log(LOG_WARNING, "JPEG image too large to read\n");
+ 		return NULL;
+ 	}
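Review bot: The warning emitted for the new `len < 0` case still reads "JPEG image too large to read", which will mislead anyone triaging logs for malformed length fields; logging the rejected value, e.g. `ast_log(LOG_WARNING, "JPEG image length %d out of range\n", len);`, would make the event distinguishable. The declaration of `len` is outside the hunk; if it is a signed `int`, the comparison `len > sizeof(buf)` converts it to `size_t`, so putting the sign test first (`if (len < 0 || len > sizeof(buf)) {`) keeps the intent explicit instead of relying on that conversion. `jpeg_read_image` begins before and continues after the nested hunk.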



