[Pkg-voip-commits] r9738 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2012-007 patches/series
tzafrir at alioth.debian.org
Wed May 30 12:27:35 UTC 2012
Author: tzafrir
Date: Wed May 30 12:27:34 2012
New Revision: 9738
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9738
Log:
Patch AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without
suggested MOH class crash (Closes: ).
Added:
asterisk/branches/squeeze/debian/patches/AST-2012-007
Modified:
asterisk/branches/squeeze/debian/changelog
asterisk/branches/squeeze/debian/patches/series
Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9738&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Wed May 30 12:27:34 2012
@@ -1,8 +1,10 @@
-asterisk (1:1.6.2.9-2+squeeze6) UNRELEASED; urgency=low
+asterisk (1:1.6.2.9-2+squeeze7) UNRELEASED; urgency=low
* NOT RELEASED YET
-
- -- Tzafrir Cohen <tzafrir at debian.org> Wed, 25 Apr 2012 23:36:13 +0300
+ * Patch AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without
+ suggested MOH class crash (Closes: ).
+
+ -- Tzafrir Cohen <tzafrir at debian.org> Wed, 30 May 2012 15:01:36 +0300
asterisk (1:1.6.2.9-2+squeeze5) stable-security; urgency=high
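Review bot: the new changelog entry ends with an empty "(Closes: )", so this upload will not close any Debian bug; fill in the bug number or drop the clause before release. The entry also keeps urgency=low although it adds a fix labelled CVE-2012-2947, while the squeeze5 upload in the trailing context line used stable-security with urgency=high; distribution and urgency need to be set when UNRELEASED is replaced.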
Added: asterisk/branches/squeeze/debian/patches/AST-2012-007
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-007?rev=9738&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-007 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-007 Wed May 30 12:27:34 2012
@@ -1,0 +1,87 @@
+From 69d64225c1edc7cdaff5bdd1981ad06bd4ee08d1 Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett at digium.com>
+Date: Fri, 25 May 2012 16:28:04 +0000
+Subject: Fix IAX receiving HOLD without suggested MOH class crash.
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-19597
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=367781
+CVE: CVE-2012-2947
+
+A remotely exploitable crash vulnerability exists in the IAX2 channel
+driver if an established call is placed on hold without a suggested
+music class. For this to occur, the following must take place:
+
+1. The setting mohinterpret=passthrough must be set on the end placing
+ the call on hold.
+2. A call must be established.
+3. The call is placed on hold without a suggested music-on-hold class name.
+
+When these conditions are true, Asterisk will attempt to use an invalid
+pointer to a music-on-hold class name. Use of the invalid pointer will
+either cause a crash or the music-on-hold class name will be garbage.
+
+Patch copied as-is from branch 1.8.
+
+---
+ channels/chan_iax2.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 869fc84..e76979d 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -1842,24 +1842,25 @@ static void send_signaling(struct chan_iax2_pvt *pvt)
+ * we have received a destination call number. */
+ static int queue_signalling(struct chan_iax2_pvt *pvt, struct ast_frame *f)
+ {
+- struct signaling_queue_entry *new;
++ struct signaling_queue_entry *qe;
+
+ if (f->frametype == AST_FRAME_IAX || !pvt->hold_signaling) {
+ return 1; /* do not queue this frame */
+- } else if (!(new = ast_calloc(1, sizeof(struct signaling_queue_entry)))) {
++ } else if (!(qe = ast_calloc(1, sizeof(struct signaling_queue_entry)))) {
+ return -1; /* out of memory */
+ }
+
+- memcpy(&new->f, f, sizeof(new->f)); /* copy ast_frame into our queue entry */
+-
+- if (new->f.datalen) { /* if there is data in this frame copy it over as well */
+- if (!(new->f.data.ptr = ast_calloc(1, new->f.datalen))) {
+- free_signaling_queue_entry(new);
++ /* copy ast_frame into our queue entry */
++ qe->f = *f;
++ if (qe->f.datalen) {
++ /* if there is data in this frame copy it over as well */
++ if (!(qe->f.data.ptr = ast_malloc(qe->f.datalen))) {
++ free_signaling_queue_entry(qe);
+ return -1;
+ }
+- memcpy(new->f.data.ptr, f->data.ptr, sizeof(*new->f.data.ptr));
++ memcpy(qe->f.data.ptr, f->data.ptr, qe->f.datalen);
+ }
+- AST_LIST_INSERT_TAIL(&pvt->signaling_queue, new, next);
++ AST_LIST_INSERT_TAIL(&pvt->signaling_queue, qe, next);
+
+ return 0;
+ }
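Review bot: in queue_signalling, after "qe->f = *f;" a frame with datalen == 0 leaves qe->f.data holding whatever the caller's frame carried, so the queued entry keeps a pointer to memory it did not allocate. Suggest clearing the data member in an else branch so the queued copy follows the same rule as the schedule_delivery hunk, where no data means a NULL pointer. Separately, the copy length changes from sizeof(*new->f.data.ptr) to qe->f.datalen, which changes how much payload is copied into the queue entry; the patch description only talks about the HOLD case and should mention this as well.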
+@@ -4160,7 +4161,16 @@ static int schedule_delivery(struct iax_frame *fr, int updatehistory, int fromtr
+ int needfree = 0;
+ struct ast_channel *owner = NULL;
+ struct ast_channel *bridge = NULL;
+-
++
++ /*
++ * Clear fr->af.data if there is no data in the buffer. Things
++ * like AST_CONTROL_HOLD without a suggested music class must
++ * have a NULL pointer.
++ */
++ if (!fr->af.datalen) {
++ memset(&fr->af.data, 0, sizeof(fr->af.data));
++ }
++
+ /* Attempt to recover wrapped timestamps */
+ unwrap_timestamp(fr);
+
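Review bot: the "if (!fr->af.datalen)" reset at the top of schedule_delivery only covers frames that pass through this function and leaves untouched the place where fr->af.data was set for a frame with no payload; a short comment naming that site, or clearing the pointer there, would make the "no data means NULL" invariant easier to audit. The removed and re-added blank line just above the new comment is a whitespace-only change that adds noise to the hunk.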
+--
+1.7.10
+
Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9738&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Wed May 30 12:27:34 2012
@@ -50,3 +50,4 @@
AST-2012-002
AST-2012-004
AST-2012-005
+AST-2012-007