[Pkg-voip-commits] r4237 - in asterisk/branches/sarge/debian: . patches
paravoid at alioth.debian.org
paravoid at alioth.debian.org
Thu Aug 23 00:48:42 UTC 2007
Author: paravoid
Date: 2007-08-23 00:48:42 +0000 (Thu, 23 Aug 2007)
New Revision: 4237
Added:
asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch
Modified:
asterisk/branches/sarge/debian/changelog
Log:
- channels/chan_iax2.c: if a text frame is sent with no terminating NULL
through a bridged IAX connection, the remote end will receive garbage
characters tacked onto the end. (CVE-2007-2488)
Modified: asterisk/branches/sarge/debian/changelog
===================================================================
--- asterisk/branches/sarge/debian/changelog 2007-08-23 00:47:39 UTC (rev 4236)
+++ asterisk/branches/sarge/debian/changelog 2007-08-23 00:48:42 UTC (rev 4237)
@@ -12,8 +12,11 @@
that the size of the destination buffer is known in the iax_frame so that
code won't write past the end of the allocated buffer when sending
outgoing frames. (ASA-2007-014, CVE-2007-3762)
+ - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
+ through a bridged IAX connection, the remote end will receive garbage
+ characters tacked onto the end. (CVE-2007-2488)
- -- Faidon Liambotis <paravoid at debian.org> Thu, 23 Aug 2007 03:47:15 +0300
+ -- Faidon Liambotis <paravoid at debian.org> Thu, 23 Aug 2007 03:48:25 +0300
asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high
Added: asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch 2007-08-23 00:48:42 UTC (rev 4237)
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2007-2488.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: chan_iax2: if a text frame is sent with no terminating NULL through a
+## DP: bridged IAX connection, the remote end will receive garbage characters
+## DP: tacked onto the end.
+## DP: Backported to v1.0, original is r62691 in upstream's SVN
+## DP: Security fix, CVE-2007-2488
+
+ at DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c asterisk-1.0.7.dfsg.1/channels/chan_iax2.c
+--- asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c 2007-08-23 03:18:59.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c 2007-08-23 03:19:51.000000000 +0300
+@@ -5274,6 +5274,12 @@
+ ast_mutex_unlock(&iaxsl[fr.callno]);
+ return 1;
+ }
++ if (f.frametype == AST_FRAME_TEXT && buf[res - 1] != '\0') {
++ if (res < sizeof(buf))
++ buf[res++] = '\0';
++ else /* Trims one character from the text message, but that's better than overwriting the end of the buffer. */
++ buf[res - 1] = '\0';
++ }
+ f.datalen = res - sizeof(struct ast_iax2_full_hdr);
+
+ /* Handle implicit ACKing unless this is an INVAL, and only if this is
Property changes on: asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch
___________________________________________________________________
Name: svn:executable
+ *
More information about the Pkg-voip-commits
mailing list