[Pkg-voip-commits] r4226 - in asterisk/branches/sarge/debian: . patches
paravoid at alioth.debian.org
paravoid at alioth.debian.org
Thu Aug 23 00:36:04 UTC 2007
Author: paravoid
Date: 2007-08-23 00:36:04 +0000 (Thu, 23 Aug 2007)
New Revision: 4226
Added:
asterisk/branches/sarge/debian/patches/99_CVE-2005-3559.dpatch
asterisk/branches/sarge/debian/patches/99_CVE-2006-1827.dpatch
Modified:
asterisk/branches/sarge/debian/changelog
asterisk/branches/sarge/debian/patches/00list
Log:
* Non-maintainer upload by the Security Team
* Applied upstream patch to fix buffer overflow induced by an undetected
integer overflow [debian/patches/99_CVE-2006-1827.dpatch]
* Backported upstream patch to fix unauthorised access to recorded
messages [debian/patches/99_CVE-2005-3559.dpatch]
Modified: asterisk/branches/sarge/debian/changelog
===================================================================
--- asterisk/branches/sarge/debian/changelog 2007-08-23 00:35:15 UTC (rev 4225)
+++ asterisk/branches/sarge/debian/changelog 2007-08-23 00:36:04 UTC (rev 4226)
@@ -1,3 +1,13 @@
+asterisk (1:1.0.7.dfsg.1-2sarge1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied upstream patch to fix buffer overflow induced by an undetected
+ integer overflow [debian/patches/99_CVE-2006-1827.dpatch]
+ * Backported upstream patch to fix unauthorised access to recorded
+ messages [debian/patches/99_CVE-2005-3559.dpatch]
+
+ -- Martin Schulze <joey at infodrom.org> Wed, 26 Apr 2006 17:34:21 +0200
+
asterisk (1:1.0.7.dfsg.1-2) unstable; urgency=low
* Mark Purcell
Modified: asterisk/branches/sarge/debian/patches/00list
===================================================================
--- asterisk/branches/sarge/debian/patches/00list 2007-08-23 00:35:15 UTC (rev 4225)
+++ asterisk/branches/sarge/debian/patches/00list 2007-08-23 00:36:04 UTC (rev 4226)
@@ -12,3 +12,5 @@
95_conf_sample.dpatch
98_fpm-sounds.dpatch
08_debian-zaptel.dpatch
+99_CVE-2005-3559.dpatch
+99_CVE-2006-1827.dpatch
Added: asterisk/branches/sarge/debian/patches/99_CVE-2005-3559.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_CVE-2005-3559.dpatch (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_CVE-2005-3559.dpatch 2007-08-23 00:36:04 UTC (rev 4226)
@@ -0,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2005-3559.dpatch by Joey Schulze <joey at debian.org>
+##
+## DP: Description Directory traversal vulnerability in vmail.cgi in
+## DP: Asterisk 1.0.9 through 1.2.0-beta1 allows remote attackers to
+## DP: access WAV files via a .. (dot dot) in the folder parameter.
+
+ at DPATCH@
+diff -u -p -Nr --exclude CVS asterisk-1.0.7.dfsg.1.orig/contrib/scripts/vmail.cgi asterisk-1.0.7.dfsg.1/contrib/scripts/vmail.cgi
+--- asterisk-1.0.7.dfsg.1.orig/contrib/scripts/vmail.cgi 2004-09-15 07:11:41.000000000 +0200
++++ asterisk-1.0.7.dfsg.1/contrib/scripts/vmail.cgi 2006-04-26 17:31:30.000000000 +0200
+@@ -70,6 +70,19 @@ _EOH
+
+ }
+
++sub untaint() {
++
++ my($data) = @_;
++
++ if ($data =~ /^([-\@\w.]+)$/) {
++ $data = $1;
++ } else {
++ die "Security violation.";
++ }
++
++ return $data;
++}
++
+ sub check_login()
+ {
+ local ($filename, $startcat) = @_;
+@@ -489,14 +502,15 @@ _EOH
+ sub message_audio()
+ {
+ my ($forcedownload) = @_;
+- my $folder = param('folder');
+- my $msgid = param('msgid');
+- my $mailbox = param('mailbox');
+- my $context = param('context');
++ my $folder = &untaint(param('folder'));
++ my $msgid = &untaint(param('msgid'));
++ my $mailbox = &untaint(param('mailbox'));
++ my $context = &untaint(param('context'));
+ my $format = param('format');
+ if (!$format) {
+ $format = &getcookie('format');
+ }
++ &untaint($format);
+ my $path = "/var/spool/asterisk/voicemail/$context/$mailbox/$folder/msg${msgid}.$format";
+
+ $msgid =~ /^\d\d\d\d$/ || die("Msgid Liar ($msgid)!");
+@@ -865,6 +879,8 @@ sub message_forward()
+ }
+ $msgcount = &msgcount($context, $newmbox, "INBOX");
+ my $txt;
++ $context = &untaint($context);
++ $newmbox = &untaint($newmbox);
+ if ($newmbox ne $mbox) {
+ # print header;
+ foreach $msg (@msgs) {
+@@ -900,6 +916,9 @@ sub message_delete_or_move()
+ $context = "default";
+ }
+ my $passwd = param('password');
++ $context = &untaint($context);
++ $mbox = &untaint($mbox);
++ $folder = &untaint($folder);
+ my $msgcount = &msgcount($context, $mbox, $folder);
+ my $omsgcount = &msgcount($context, $mbox, $newfolder) if $newfolder;
+ # print header;
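Review bot: The character class in the new `untaint` sub includes `.`, so a value consisting only of dots (the `..` named in the patch description) still matches `/^([-\@\w.]+)$/` and is returned unchanged; only `/` and other characters outside the class are rejected. Because `$context`, `$mailbox` and `$folder` are each interpolated as a whole path component when `$path` is built in `message_audio`, I would also reject dot-only values inside `untaint`, e.g. `die "Security violation." if $data =~ /^\.+$/;`. Separately, `&untaint($format);` in `message_audio` discards the return value: the call still dies on a non-matching value, but `$format` is not replaced by the validated copy, so `$format = &untaint($format);` would match the other call sites. The bodies of `message_audio`, `message_forward` and `message_delete_or_move` continue outside the embedded hunks, so where `$context`, `$mbox` and `$folder` come from in the latter two is not visible here.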
Added: asterisk/branches/sarge/debian/patches/99_CVE-2006-1827.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_CVE-2006-1827.dpatch (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_CVE-2006-1827.dpatch 2007-08-23 00:36:04 UTC (rev 4226)
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2006-1827.dpatch by Joey Schulze <joey at debian.org>
+##
+## DP: Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and
+## DP: earlier allows remote attackers to execute arbitrary code via a length
+## DP: value that passes a length check as a negative number, but triggers a
+## DP: buffer overflow when it is used as an unsigned length. [CVE-2006-1827]
+
+ at DPATCH@
+diff -u -p -Nr --exclude CVS asterisk-1.0.7.dfsg.1.orig/formats/format_jpeg.c asterisk-1.0.7.dfsg.1/formats/format_jpeg.c
+--- asterisk-1.0.7.dfsg.1.orig/formats/format_jpeg.c 2004-06-22 20:49:00.000000000 +0200
++++ asterisk-1.0.7.dfsg.1/formats/format_jpeg.c 2006-04-26 15:29:52.000000000 +0200
+@@ -42,7 +42,7 @@ static struct ast_frame *jpeg_read_image
+ struct ast_frame fr;
+ int res;
+ char buf[65536];
+- if (len > sizeof(buf)) {
++ if (len > sizeof(buf) || len < 0) {
+ ast_log(LOG_WARNING, "JPEG image too large to read\n");
+ return NULL;
+ }
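Review bot: The new guard still evaluates `len > sizeof(buf)` first, which compares `len` against a `size_t`; if `len` is a signed `int` (its declaration is outside the hunk, but the patch description calls this a signedness error), that comparison depends on the implicit conversion to unsigned. Testing the sign first and making the conversion explicit states the intent and avoids a sign-compare warning: `if (len < 0 || (size_t)len > sizeof(buf)) {`. The message "JPEG image too large to read" is also logged for a negative length, so the two cases cannot be told apart in the logs; assuming `len` is an `int`, something like `ast_log(LOG_WARNING, "Invalid JPEG image length %d\n", len);` would help triage. `jpeg_read_image` begins before and continues after this hunk.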