Asterisk: multiple vulnerabilities

Faidon Liambotis paravoid at debian.org
Fri Aug 17 21:15:27 UTC 2007


Moritz Muehlenhoff wrote:
> Faidon Liambotis wrote:
>> I'm a member of the Debian VoIP packages team and I have prepared a
>> security update for Asterisk for stable that fixes CVE-2007-1594,
>> CVE-2007-2294, CVE-2007-3762, CVE-2007-3763 and CVE-2007-3764.
> Good, it's nice to see progress on asterisk.
Yes, the current version has had many vulnerabilities for many months,
unfortunately.

> There are further issues in Etch:
> CVE-2007-2297
> CVE-2007-1306
> CVE-2007-1561
> CVE-2007-1595
> CVE-2007-2488
Hm, there doesn't seem to be an ASA for these, AFAIK; that's why I didn't
see them. I'll check them, thanks.

> CVE-2007-4103
This (ASA-2007-018) doesn't apply to etch. It's a fix for a
vulnerability that was introduced in a newer version than the one we have
in etch.
That being said, the reason this was introduced was to fix a bug that
may or may not have security implications -- I don't think there was an
ASA or CVE for that but I may be wrong.

I'll definitely have a look but this seems more complicated and fragile
and will need more testing, so I'd say that we should initially exclude
this.

> Steffen Joeris started working on an update, please coordinate your
> efforts, I'm Ccing him.
> http://developer.skolelinux.no/~white/debs/security/etch/asterisk/
I became aware of his efforts after I sent you the email.
Stefan Fritsch (a DD, but not a pkg-voip member) sent an email to
pkg-voip pointing us to Steffen's efforts but I was not a member of the
team at that point.

AFAIK, we've never heard from Steffen; Steffen, I think we should
coordinate a bit on this one, feel free to contact the list or me
personally.

>> Attached you will find the diff -- it's a bit messy due to the use of
>> dpatch but once applied it's pretty straightforward.
>> This is from asterisk/branches/etch on our SVN repository[1].
>>
>> I've successfully built this in a clean etch chroot and debdiff'ed them
>> with the ones in etch without anomalies.
>>
>> I'm requesting permission to upload to SecurityUploadQueue.
> 
> Most important: Has it been tested? (We can't test a VoIP PBX solution)
It hasn't been tested extensively, no. These touch a great variety of
Asterisk components and I don't think anyone in the team can really test
e.g. the Skinny channel.

However, these come straight from upstream's SVN; I looked for commits
that claim to fix bugs introduced by these fixes and didn't find any.

So in a way, yes, it was tested by the users of upstream.

I'll have a look at other distributions too FWIW.

>> Is there a way to push the etch binaries to testing as-is?
>> It's a bit of a policy violation but could help our users until all of
>> the RC bugs of the unstable version get resolved.
> 
> Steffen also prepared a testing-security upload.
Stefan's mail claimed that quite a few modules are missing from Steffen's
package compared to the current one (including the one missing due to the
dependency I fixed, which you read about in the changelog).
Plus, building with the current testing will certainly need some
extensive changes, as it currently FTBFS.

So, again, if there is a way to upload etch's packages to testing (which
is what we have now, after all), ignoring the fact that it will FTBFS in
the testing suite since this is a temporary measure, I think we should
go for it, IMHO.

Thanks,
Faidon
