diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/changelog branches/etch/debian/changelog
--- tags/1.2.13~dfsg-2/debian/changelog 2007-07-22 05:00:50.000000000 +0300
+++ branches/etch/debian/changelog 2007-08-16 08:10:46.000000000 +0300
@@ -1,3 +1,28 @@
+asterisk (1:1.2.13~dfsg-2etch1) stable-security; urgency=high
+
+ * Multiple upstream security fixes:
+ - channels/chan_sip.c: Only try to handle a response if it has a response
+ code. (ASA-2007-011, CVE-2007-1594)
+ - manager.c: Don't crash if a manager connection provides a username that
+ exists in manager.conf but does not have a password, and also requests
+ MD5 authentication. (ASA-2007-012, CVE-2007-2294)
+ - channels/iax2-parser.h, channels/chan_iax2.c, channels/iax2-parser.c:
+ Ensure that when encoding the contents of an ast_frame into an iax_frame,
+ that the size of the destination buffer is known in the iax_frame so that
+ code won't write past the end of the allocated buffer when sending
+ outgoing frames. (ASA-2007-014, CVE-2007-3762)
+ - channels/chan_iax2.c: After parsing information elements in IAX frames,
+ set the data length to zero, so that code later on does not think it has
+ data to copy. (ASA-2007-015, CVE-2007-3763)
+ - channels/chan_skinny.c: Properly check for the length in the skinny packet
+ to prevent an invalid memcpy. (ASA-2007-016, CVE-2007-3764)
+ * i386 binary packages in etch were unfortunately compiled in an unclean
+ chroot with libsqlite3-dev present and provide a feature based on that.
+ Added a build dependency on that package to avoid regressions on a security
+ upload.
+
+ -- Faidon Liambotis Thu, 16 Aug 2007 08:10:44 +0300
+
 asterisk (1:1.2.13~dfsg-2) unstable; urgency=low
 
 [ Tzafrir Cohen ]
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/control branches/etch/debian/control
--- tags/1.2.13~dfsg-2/debian/control 2007-07-22 05:00:50.000000000 +0300
+++ branches/etch/debian/control 2007-08-16 08:01:12.000000000 +0300
@@ -4,7 +4,7 @@
 Maintainer: Debian VoIP Team
 Uploaders: Mark Purcell , Kilian Krause , Jose Carlos Garcia Sogo , Santiago Garcia Mantinan , Simon Richter , Tzafrir Cohen
 Standards-Version: 3.6.1
-Build-Depends: debhelper (>= 4.0.4), sed (>= 3.95), zlib1g-dev, libreadline5-dev, libgsm1-dev, libssl-dev, libzap-dev, libtonezone-dev (>= 1:1.2.3-1), bison, libasound2-dev, libpq-dev, unixodbc-dev, libpri-dev (>= 1.2.3-1), dpatch (>= 2.0.10), zaptel-source (>= 1:1.2.3-1), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev, graphviz, libcurl3-dev, doxygen, gsfonts, libpopt-dev, libopenh323-dev (>= 1.17.4-1), dpkg ( >= 1.13.19), libogg-dev, libvorbis-dev
+Build-Depends: debhelper (>= 4.0.4), sed (>= 3.95), zlib1g-dev, libreadline5-dev, libgsm1-dev, libssl-dev, libzap-dev, libtonezone-dev (>= 1:1.2.3-1), bison, libasound2-dev, libpq-dev, unixodbc-dev, libpri-dev (>= 1.2.3-1), dpatch (>= 2.0.10), zaptel-source (>= 1:1.2.3-1), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev, graphviz, libcurl3-dev, doxygen, gsfonts, libpopt-dev, libopenh323-dev (>= 1.17.4-1), dpkg ( >= 1.13.19), libogg-dev, libvorbis-dev, libsqlite3-dev
 
 Package: asterisk
 Architecture: all
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/00list branches/etch/debian/patches/00list
--- tags/1.2.13~dfsg-2/debian/patches/00list 2007-07-22 05:00:50.000000000 +0300
+++ branches/etch/debian/patches/00list 2007-08-16 06:40:38.000000000 +0300
@@ -1,4 +1,9 @@
 patch.CVE-2006-2898.dpatch
+ASA-2007-011.dpatch
+ASA-2007-012.dpatch
+ASA-2007-014.dpatch
+ASA-2007-015.dpatch
+ASA-2007-016.dpatch
 # ukcid probably conflicts with bristuff
 ukcid
 option_detach
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-011.dpatch branches/etch/debian/patches/ASA-2007-011.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-011.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-011.dpatch 2007-08-16 06:38:07.000000000 +0300
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-011.dpatch by Faidon Liambotis
+##
+## DP: channels/chan_sip.c: Only try to handle a response if it has a response code.
+## DP: r59194 in upstream's SVN
+## DP: Security fix, ASA-2007-011, CVE-2007-1594
+
+@DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- a/channels/chan_sip.c (revision 59193)
++++ b/channels/chan_sip.c (revision 59194)
+@@ -11295,17 +11295,17 @@
+ /* ignore means "don't do anything with it" but still have to
+ respond appropriately */
+ ignore=1;
++ } else if (e) {
++ e = ast_skip_blanks(e);
++ if (sscanf(e, "%d %n", &respid, &len) != 1) {
++ ast_log(LOG_WARNING, "Invalid response: '%s'\n", e);
++ } else {
++ /* More SIP ridiculousness, we have to ignore bogus contacts in 100 etc responses */
++ if ((respid == 200) || ((respid >= 300) && (respid <= 399)))
++ extract_uri(p, req);
++ handle_response(p, respid, e + len, req, ignore, seqno);
++ }
+ }
+-
+- e = ast_skip_blanks(e);
+- if (sscanf(e, "%d %n", &respid, &len) != 1) {
+- ast_log(LOG_WARNING, "Invalid response: '%s'\n", e);
+- } else {
+- /* More SIP ridiculousness, we have to ignore bogus contacts in 100 etc responses */
+- if ((respid == 200) || ((respid >= 300) && (respid <= 399)))
+- extract_uri(p, req);
+- handle_response(p, respid, e + len, req, ignore, seqno);
+- }
+ return 0;
+ }
+ 
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-012.dpatch branches/etch/debian/patches/ASA-2007-012.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-012.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-012.dpatch 2007-08-16 06:38:16.000000000 +0300
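Review bot: The `sscanf(e, "%d %n", &respid, &len)` now sitting inside the new `else if (e)` branch still accepts any integer the peer sends, so `respid` can be negative or far outside the 1xx–6xx range before it reaches `handle_response`; unless `handle_response` rejects such values itself (its body is not in this hunk), a check like `if (respid < 100 || respid > 699) { ast_log(LOG_WARNING, "Invalid response code: %d\n", respid); }` at this boundary would stop malformed status lines earlier, and `strtol` with an `errno == ERANGE` test avoids the undefined behaviour of a `%d` conversion that overflows `int`. The guard itself is the fix and deserves a comment, e.g. `/* e is NULL when the start line carries no response code; there is nothing to parse or dispatch */`, so the next maintainer does not fold the branches back together. The enclosing function starts before this hunk.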
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-012.dpatch by Faidon Liambotis
+##
+## DP: manager.c: Don't crash if a manager connection provides a username
+## DP: that exists in manager.conf but does not have a password, and also
+## DP: requests MD5 authentication.
+## DP: r61786 in upstream's SVN
+## DP: Security fix, ASA-2007-012, CVE-2007-2294
+
+@DPATCH@
+Index: manager.c
+===================================================================
+--- a/manager.c (revision 61785)
++++ b/manager.c (revision 61786)
+@@ -533,7 +533,8 @@
+ } else if (ha)
+ ast_free_ha(ha);
+ if (!strcasecmp(authtype, "MD5")) {
+- if (!ast_strlen_zero(key) && s->challenge) {
++ if (!ast_strlen_zero(key) &&
++ !ast_strlen_zero(s->challenge) && !ast_strlen_zero(password)) {
+ int x;
+ int len=0;
+ char md5key[256] = "";
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-014.dpatch branches/etch/debian/patches/ASA-2007-014.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-014.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-014.dpatch 2007-08-16 06:38:37.000000000 +0300
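Review bot: The widened `if` on the `MD5` branch has no comment saying why all three operands are required, and the path taken when it is false lies outside the hunk, so it is not visible whether a user whose manager.conf entry has no password is denied or falls through to another comparison. Suggest `/* MD5 auth needs the client's key, a challenge we issued, and a configured password; a missing password used to reach the MD5 computation and crash (ASA-2007-012) */` above the `if`, and confirming that the fall-through path logs and denies rather than comparing against the empty password. The enclosing function starts before and ends after this hunk.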
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-014.dpatch by Faidon Liambotis
+##
+## DP: Ensure that when encoding the contents of an ast_frame into an
+## DP: iax_frame, that the size of the destination buffer is known in the
+## DP: iax_frame so that code won't write past the end of the allocated
+## DP: buffer when sending outgoing frames.
+## DP: r75444 in upstream's SVN
+## DP: Security fix, ASA-2007-014, CVE-2007-3762
+
+@DPATCH@
+Index: channels/iax2-parser.h
+===================================================================
+--- a/channels/iax2-parser.h (revision 75443)
++++ b/channels/iax2-parser.h (revision 75444)
+@@ -119,6 +119,8 @@
+ struct iax_frame *prev;
+ /* Actual, isolated frame header */
+ struct ast_frame af;
++ /* Amount of data _allocated_ for afdata */
++ size_t afdatalen;
+ unsigned char unused[AST_FRIENDLY_OFFSET];
+ unsigned char afdata[0]; /* Data for frame */
+ };
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 75443)
++++ b/channels/chan_iax2.c (revision 75444)
+@@ -4020,7 +4020,9 @@
+ int sendmini=0;
+ unsigned int lastsent;
+ unsigned int fts;
+-
++
++ frb.fr2.afdatalen = sizeof(frb.buffer);
++
+ if (!pvt) {
+ ast_log(LOG_WARNING, "No private structure for packet?\n");
+ return -1;
+@@ -6435,7 +6437,8 @@
+ /* allocate an iax_frame with 4096 bytes of data buffer */
+ fr = alloca(sizeof(*fr) + 4096);
+ fr->callno = 0;
+-
++ fr->afdatalen = 4096; /* From alloca() above */
++
+ res = recvfrom(fd, buf, sizeof(buf), 0,(struct sockaddr *) &sin, &len);
+ if (res < 0) {
+ if (errno != ECONNREFUSED)
+Index: channels/iax2-parser.c
+===================================================================
+--- a/channels/iax2-parser.c (revision 75443)
++++ b/channels/iax2-parser.c (revision 75444)
+@@ -904,13 +904,20 @@
+ fr->af.delivery.tv_usec = 0;
+ fr->af.data = fr->afdata;
+ if (fr->af.datalen) {
++ size_t copy_len = fr->af.datalen;
++ if (copy_len > fr->afdatalen) {
++ ast_log(LOG_ERROR, "Losing frame data because destination buffer size '%d' bytes not big enough for '%d' bytes in the frame\n",
++ (int) fr->afdatalen, (int) fr->af.datalen);
++ copy_len = fr->afdatalen;
++ }
+ #if __BYTE_ORDER == __LITTLE_ENDIAN
+ /* We need to byte-swap slinear samples from network byte order */
+ if ((fr->af.frametype == AST_FRAME_VOICE) && (fr->af.subclass == AST_FORMAT_SLINEAR)) {
+- ast_swapcopy_samples(fr->af.data, f->data, fr->af.samples);
++ /* 2 bytes / sample for SLINEAR */
++ ast_swapcopy_samples(fr->af.data, f->data, copy_len / 2);
+ } else
+ #endif
+- memcpy(fr->af.data, f->data, fr->af.datalen);
++ memcpy(fr->af.data, f->data, copy_len);
+ }
+ }
+ 
+@@ -919,6 +926,7 @@
+ struct iax_frame *fr;
+ fr = malloc((int)sizeof(struct iax_frame) + datalen);
+ if (fr) {
++ fr->afdatalen = datalen;
+ fr->direction = direction;
+ fr->retrans = -1;
+ frames++;
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-015.dpatch branches/etch/debian/patches/ASA-2007-015.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-015.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-015.dpatch 2007-08-16 06:41:12.000000000 +0300
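Review bot: In the iax2-parser.c `-904,13` hunk the copy is clamped to `copy_len`, but `fr->af.datalen` (and `fr->af.samples` on the SLINEAR path) still carry the original, larger values, so anything downstream that sends or inspects `fr->af.datalen` bytes from `fr->af.data` would read past the `afdatalen` bytes actually present; adding `fr->af.datalen = copy_len;` inside the clamp block (and recomputing samples on the slinear path) keeps the frame self-consistent — to be confirmed against the send path, which is outside this hunk. The new `afdatalen` field is set at the three construction sites these hunks show (the stack `frb.fr2`, the `alloca` in the receive loop, and the `malloc` allocator in the `-919,6` hunk), but any other place that builds an `iax_frame` without setting it will compare against an uninitialised field, so a comment on the struct member such as `/* must be set by every iax_frame constructor before the frame data is copied in */` would make the contract explicit. The `LOG_ERROR` line fires once per oversized frame with no throttling, which a remote peer can drive at packet rate; consider downgrading or rate-limiting it. The functions containing these hunks start and end outside them.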
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-015.dpatch by Faidon Liambotis
+##
+## DP: After parsing information elements in IAX frames, set the data length
+## DP: to zero, so that code later on does not think it has data to copy.
+## DP: r75440 in upstream's SVN
+## DP: Security fix, ASA-2007-015, CVE-2007-3763
+
+@DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 75439)
++++ b/channels/chan_iax2.c (revision 75440)
+@@ -6811,6 +6811,7 @@
+ return 1;
+ }
+ f.data = NULL;
++ f.datalen = 0;
+ } else
+ f.data = buf + sizeof(*fh);
+ } else {
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-016.dpatch branches/etch/debian/patches/ASA-2007-016.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-016.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-016.dpatch 2007-08-16 06:38:47.000000000 +0300
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-016.dpatch by Faidon Liambotis
+##
+## DP: chan_skinny: Properly check for the length in the skinny packet to
+## DP: prevent an invalid memcpy.
+## DP: r75449 in upstream's SVN
+## DP: Security fix, ASA-2007-016, CVE-2007-3764
+
+@DPATCH@
+Index: channels/chan_skinny.c
+===================================================================
+--- a/channels/chan_skinny.c (revision 75448)
++++ b/channels/chan_skinny.c (revision 75449)
+@@ -2862,7 +2862,7 @@
+ return -1;
+ }
+ dlen = letohl(*(int *)s->inbuf);
+- if (dlen < 0) {
++ if (dlen < 4) {
+ ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
+ return -1;
+ }
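Review bot: The added `f.datalen = 0;` next to `f.data = NULL;` has no comment, and a reader will otherwise wonder why a NULL `data` pointer also needed a zero length; suggest `/* the IEs were consumed by the parser above; clear datalen too, or later code copies datalen bytes from a NULL data pointer (ASA-2007-015) */`. The enclosing function starts before and ends after this hunk.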
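Review bot: The new `dlen < 4` test in the chan_skinny.c hunk bounds the peer-supplied length only from below, and the lines that copy `dlen` bytes are outside the hunk, so it is not visible whether `dlen` is also checked against the size of `s->inbuf` before the copy; if it is not, an oversized length still over-runs the buffer and the guard should become something like `if (dlen < 4 || dlen > <inbuf capacity> - 4)` with the exact bound taken from the buffer declaration. The literal 4 deserves a name or a comment, e.g. `/* a payload must at least hold the 4-byte message id */` — an assumption to confirm against the Skinny header layout. `letohl(*(int *)s->inbuf)` reads the buffer through an `int *`; a `memcpy` into a local `int` avoids the alignment and aliasing concern. The enclosing function starts before and ends after this hunk.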