[Pkg-voip-commits] r4237 - in asterisk/branches/sarge/debian: . patches

paravoid at alioth.debian.org paravoid at alioth.debian.org
Thu Aug 23 00:48:42 UTC 2007


Author: paravoid
Date: 2007-08-23 00:48:42 +0000 (Thu, 23 Aug 2007)
New Revision: 4237

Added:
   asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch
Modified:
   asterisk/branches/sarge/debian/changelog
Log:
  - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
    through a bridged IAX connection, the remote end will receive garbage
    characters tacked onto the end. (CVE-2007-2488)

Modified: asterisk/branches/sarge/debian/changelog
===================================================================
--- asterisk/branches/sarge/debian/changelog	2007-08-23 00:47:39 UTC (rev 4236)
+++ asterisk/branches/sarge/debian/changelog	2007-08-23 00:48:42 UTC (rev 4237)
@@ -12,8 +12,11 @@
       that the size of the destination buffer is known in the iax_frame so that
       code won't write past the end of the allocated buffer when sending
       outgoing frames. (ASA-2007-014, CVE-2007-3762)
+    - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
+      through a bridged IAX connection, the remote end will receive garbage
+      characters tacked onto the end. (CVE-2007-2488)
 
- -- Faidon Liambotis <paravoid at debian.org>  Thu, 23 Aug 2007 03:47:15 +0300
+ -- Faidon Liambotis <paravoid at debian.org>  Thu, 23 Aug 2007 03:48:25 +0300
 
 asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high
 
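Review bot: the new changelog entry (the three added lines under the CVE-2007-3762 item) describes only the symptom, "the remote end will receive garbage characters tacked onto the end", and not what the change does, whereas the CVE-2007-3762 entry directly above it states the fix. Suggest saying that received text frames are now NUL-terminated within the bounds of the receive buffer, and naming the patch file 99_CVE-2007-2488.dpatch so the entry can be traced to the code. The missing byte is the '\0' terminator, so "terminating NUL" would be more precise than "terminating NULL".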

Added: asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch	                        (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch	2007-08-23 00:48:42 UTC (rev 4237)
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2007-2488.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: chan_iax2: if a text frame is sent with no terminating NULL through a
+## DP: bridged IAX connection, the remote end will receive garbage characters
+## DP: tacked onto the end.
+## DP: Backported to v1.0, original is r62691 in upstream's SVN
+## DP: Security fix, CVE-2007-2488
+
+ at DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c asterisk-1.0.7.dfsg.1/channels/chan_iax2.c
+--- asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c	2007-08-23 03:18:59.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c	2007-08-23 03:19:51.000000000 +0300
+@@ -5274,6 +5274,12 @@
+ 			ast_mutex_unlock(&iaxsl[fr.callno]);
+ 			return 1;
+ 		}
++		if (f.frametype == AST_FRAME_TEXT && buf[res - 1] != '\0') {
++			if (res < sizeof(buf))
++				buf[res++] = '\0';
++			else /* Trims one character from the text message, but that's better than overwriting the end of the buffer. */
++				buf[res - 1] = '\0';
++		}
+ 		f.datalen = res - sizeof(struct ast_iax2_full_hdr);
+ 
+ 		/* Handle implicit ACKing unless this is an INVAL, and only if this is 
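Review bot: the added test `buf[res - 1] != '\0'` indexes the buffer from `res` with no lower bound visible in this hunk, and it runs before `f.datalen = res - sizeof(struct ast_iax2_full_hdr)` is computed, so for a text frame that carries no payload it inspects the last header byte rather than message text. Please confirm that an earlier check guarantees `res` is at least `sizeof(struct ast_iax2_full_hdr)` at this point, or add that bound to the condition. Smaller points: if `res` is a signed int, `res < sizeof(buf)` is a signed/unsigned comparison and is only safe once that lower bound holds; the `else` branch silently overwrites the last character of a full-size message, which would be easier to diagnose with a debug log line; and the long trailing comment on the `else` would read better on its own line, with braces around both branches.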


Property changes on: asterisk/branches/sarge/debian/patches/99_CVE-2007-2488.dpatch
___________________________________________________________________
Name: svn:executable
   + *



