[Pkg-voip-commits] r4235 - in asterisk/branches/sarge/debian: . patches

paravoid at alioth.debian.org
Thu Aug 23 00:46:47 UTC 2007


Author: paravoid
Date: 2007-08-23 00:46:47 +0000 (Thu, 23 Aug 2007)
New Revision: 4235

Added:
   asterisk/branches/sarge/debian/patches/99_ASA-2007-012.dpatch
Modified:
   asterisk/branches/sarge/debian/changelog
Log:
  - manager.c: Don't crash if a manager connection provides a username that
    exists in manager.conf but does not have a password, and also requests
    MD5 authentication. (ASA-2007-012, CVE-2007-2294)

Modified: asterisk/branches/sarge/debian/changelog
===================================================================
--- asterisk/branches/sarge/debian/changelog	2007-08-23 00:44:00 UTC (rev 4234)
+++ asterisk/branches/sarge/debian/changelog	2007-08-23 00:46:47 UTC (rev 4235)
@@ -4,8 +4,11 @@
   * Multiple upstream security fixes:
     - channels/chan_sip.c: Only try to handle a response if it has a
       response code. (ASA-2007-011, CVE-2007-1594, CVE-2007-2297)
+    - manager.c: Don't crash if a manager connection provides a username that
+      exists in manager.conf but does not have a password, and also requests
+      MD5 authentication. (ASA-2007-012, CVE-2007-2294)
 
- -- Faidon Liambotis <paravoid at debian.org>  Thu, 23 Aug 2007 03:42:27 +0300
+ -- Faidon Liambotis <paravoid at debian.org>  Thu, 23 Aug 2007 03:46:28 +0300
 
 asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high
 

Added: asterisk/branches/sarge/debian/patches/99_ASA-2007-012.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_ASA-2007-012.dpatch	                        (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_ASA-2007-012.dpatch	2007-08-23 00:46:47 UTC (rev 4235)
@@ -0,0 +1,25 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_ASA-2007-012.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: manager.c: Don't crash if a manager connection provides a username
+## DP: that exists in manager.conf but does not have a password, and also
+## DP: requests MD5 authentication.
+## DP: Backported to v1.0, original is r61786 in upstream's SVN
+## DP: Security fix, ASA-2007-012, CVE-2007-2294
+
+ at DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/manager.c asterisk-1.0.7.dfsg.1/manager.c
+--- asterisk-1.0.7.dfsg.1~/manager.c	2007-08-23 03:04:18.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/manager.c	2007-08-23 03:06:21.000000000 +0300
+@@ -429,7 +429,9 @@
+ 				} else if (ha)
+ 					ast_free_ha(ha);
+ 				if (!strcasecmp(authtype, "MD5")) {
+-					if (key && !ast_strlen_zero(key) && s->challenge) {
++					if (key && !ast_strlen_zero(key) &&
++					    s->challenge && !ast_strlen_zero(challenge) &&
++					    password && !ast_strlen_zero(password)) {
+ 						int x;
+ 						int len=0;
+ 						char md5key[256] = "";
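
Review bot: In the rewritten MD5 condition of the embedded manager.c hunk, the added emptiness test is written as !ast_strlen_zero(challenge), a bare identifier, while the pointer test right beside it uses s->challenge. No local named challenge is declared in the visible context, so please confirm the identifier resolves in this function. If the session field is what is meant, writing !ast_strlen_zero(s->challenge) would match the field the original line tested and remove the ambiguity. The added password && !ast_strlen_zero(password) guard is the part that covers the case named in the DP: header (a user present in manager.conf with no password who requests MD5 authentication). Since the header describes this as a backport of upstream r61786, the DP: lines would also be a good place to record any point where the backported condition differs from the upstream change.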


Property changes on: asterisk/branches/sarge/debian/patches/99_ASA-2007-012.dpatch
___________________________________________________________________
Name: svn:executable
   + *



