[Pkg-voip-commits] r9738 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2012-007 patches/series

tzafrir at alioth.debian.org
Wed May 30 12:27:35 UTC 2012


Author: tzafrir
Date: Wed May 30 12:27:34 2012
New Revision: 9738

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9738
Log:
Patch AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without
suggested MOH class crash (Closes: ).

Added:
    asterisk/branches/squeeze/debian/patches/AST-2012-007
Modified:
    asterisk/branches/squeeze/debian/changelog
    asterisk/branches/squeeze/debian/patches/series

Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9738&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Wed May 30 12:27:34 2012
@@ -1,8 +1,10 @@
-asterisk (1:1.6.2.9-2+squeeze6) UNRELEASED; urgency=low
+asterisk (1:1.6.2.9-2+squeeze7) UNRELEASED; urgency=low
 
   * NOT RELEASED YET
-
- -- Tzafrir Cohen <tzafrir at debian.org>  Wed, 25 Apr 2012 23:36:13 +0300
+  * Patch AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without
+    suggested MOH class crash (Closes: ).
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Wed, 30 May 2012 15:01:36 +0300
 
 asterisk (1:1.6.2.9-2+squeeze5) stable-security; urgency=high
 
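Review bot: the new changelog entry ends with `(Closes: )` and no bug number, so the field will not close any report on upload; fill in the Debian bug number or drop the parenthesis before release. The entry also stays at `urgency=low` although it now carries a CVE fix and the previous upload below it is `stable-security; urgency=high`; set the distribution and urgency to match when the `UNRELEASED` placeholder is replaced.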

Added: asterisk/branches/squeeze/debian/patches/AST-2012-007
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-007?rev=9738&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-007 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-007 Wed May 30 12:27:34 2012
@@ -1,0 +1,87 @@
+From 69d64225c1edc7cdaff5bdd1981ad06bd4ee08d1 Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett at digium.com>
+Date: Fri, 25 May 2012 16:28:04 +0000
+Subject: Fix IAX receiving HOLD without suggested MOH class crash.
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-19597
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=367781
+CVE: CVE-2012-2947
+
+A remotely exploitable crash vulnerability exists in the IAX2 channel
+driver if an established call is placed on hold without a suggested
+music class. For this to occur, the following must take place:
+
+1. The setting mohinterpret=passthrough must be set on the end placing
+   the call on hold.
+2. A call must be established.
+3. The call is placed on hold without a suggested music-on-hold class name.
+
+When these conditions are true, Asterisk will attempt to use an invalid
+pointer to a music-on-hold class name. Use of the invalid pointer will
+either cause a crash or the music-on-hold class name will be garbage.
+
+Patch copied as-is from branch 1.8.
+
+---
+ channels/chan_iax2.c |   30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 869fc84..e76979d 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -1842,24 +1842,25 @@ static void send_signaling(struct chan_iax2_pvt *pvt)
+  *  we have received a destination call number. */
+ static int queue_signalling(struct chan_iax2_pvt *pvt, struct ast_frame *f)
+ {
+-	struct signaling_queue_entry *new;
++	struct signaling_queue_entry *qe;
+ 
+ 	if (f->frametype == AST_FRAME_IAX || !pvt->hold_signaling) {
+ 		return 1; /* do not queue this frame */
+-	} else if (!(new = ast_calloc(1, sizeof(struct signaling_queue_entry)))) {
++	} else if (!(qe = ast_calloc(1, sizeof(struct signaling_queue_entry)))) {
+ 		return -1;  /* out of memory */
+ 	}
+ 
+-	memcpy(&new->f, f, sizeof(new->f)); /* copy ast_frame into our queue entry */
+-
+-	if (new->f.datalen) { /* if there is data in this frame copy it over as well */
+-		if (!(new->f.data.ptr = ast_calloc(1, new->f.datalen))) {
+-			free_signaling_queue_entry(new);
++	/* copy ast_frame into our queue entry */
++	qe->f = *f;
++	if (qe->f.datalen) {
++		/* if there is data in this frame copy it over as well */
++		if (!(qe->f.data.ptr = ast_malloc(qe->f.datalen))) {
++			free_signaling_queue_entry(qe);
+ 			return -1;
+ 		}
+-		memcpy(new->f.data.ptr, f->data.ptr, sizeof(*new->f.data.ptr));
++		memcpy(qe->f.data.ptr, f->data.ptr, qe->f.datalen);
+ 	}
+-	AST_LIST_INSERT_TAIL(&pvt->signaling_queue, new, next);
++	AST_LIST_INSERT_TAIL(&pvt->signaling_queue, qe, next);
+ 
+ 	return 0;
+ }
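Review bot: in `queue_signalling`, when `qe->f.datalen` is 0 the struct assignment `qe->f = *f` leaves `qe->f.data` holding whatever the caller's frame had, which is the same zero-length, non-NULL state that the `schedule_delivery` hunk of this patch clears. Consider an `else` branch that zeroes `qe->f.data`, so a queued entry never carries a pointer it did not allocate. Separately, the corrected copy length (`qe->f.datalen` in place of `sizeof(*new->f.data.ptr)`) changes how much of the payload is queued, and the patch description does not mention it; it deserves a line there.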
+@@ -4160,7 +4161,16 @@ static int schedule_delivery(struct iax_frame *fr, int updatehistory, int fromtr
+ 	int needfree = 0;
+ 	struct ast_channel *owner = NULL;
+ 	struct ast_channel *bridge = NULL;
+-	
++
++	/*
++	 * Clear fr->af.data if there is no data in the buffer.  Things
++	 * like AST_CONTROL_HOLD without a suggested music class must
++	 * have a NULL pointer.
++	 */
++	if (!fr->af.datalen) {
++		memset(&fr->af.data, 0, sizeof(fr->af.data));
++	}
++
+ 	/* Attempt to recover wrapped timestamps */
+ 	unwrap_timestamp(fr);
+ 
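Review bot: the `if (!fr->af.datalen)` guard at the top of `schedule_delivery` normalises `fr->af.data` only for frames that reach this function; nothing in the patch changes the place where the frame ends up with a zero length and a non-NULL pointer, or the code that reads the music-on-hold class name. Consider also checking `datalen` where the class name is consumed, so the HOLD path does not depend on this single normalisation point.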
+-- 
+1.7.10
+

Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9738&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Wed May 30 12:27:34 2012
@@ -50,3 +50,4 @@
 AST-2012-002
 AST-2012-004
 AST-2012-005
+AST-2012-007



