diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/changelog branches/etch/debian/changelog
--- tags/1.2.13~dfsg-2/debian/changelog 2007-07-22 05:00:50.000000000 +0300
+++ branches/etch/debian/changelog 2007-08-21 06:21:01.000000000 +0300
@@ -1,3 +1,38 @@
+asterisk (1:1.2.13~dfsg-2etch1) stable-security; urgency=high
+
+ * Add myself to Uploaders to mark this as a maintainer upload.
+ * Multiple upstream security fixes:
+ - channels/chan_sip.c: If a SIP message comes in and goes to a method
+ handler that requires additional values that may not be present then
+ send back an error. (CVE-2007-1306)
+ - channels/chan_sip.c: fix bug that allows remote attackers to cause a
+ denial of service (crash) via a SIP INVITE message with an SDP
+ containing one valid and one invalid IP address. (CVE-2007-1561)
+ - channels/chan_sip.c: Only try to handle a response if it has a response
+ code. (ASA-2007-011, CVE-2007-1594, CVE-2007-2297)
+ - manager.c: Don't crash if a manager connection provides a username that
+ exists in manager.conf but does not have a password, and also requests
+ MD5 authentication. (ASA-2007-012, CVE-2007-2294)
+ - channels/iax2-parser.h, channels/chan_iax2.c, channels/iax2-parser.c:
+ Ensure that when encoding the contents of an ast_frame into an iax_frame,
+ that the size of the destination buffer is known in the iax_frame so that
+ code won't write past the end of the allocated buffer when sending
+ outgoing frames. (ASA-2007-014, CVE-2007-3762)
+ - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
+ through a bridged IAX connection, the remote end will receive garbage
+ characters tacked onto the end. (CVE-2007-2488)
+ - channels/chan_iax2.c: After parsing information elements in IAX frames,
+ set the data length to zero, so that code later on does not think it has
+ data to copy. (ASA-2007-015, CVE-2007-3763)
+ - channels/chan_skinny.c: Properly check for the length in the skinny packet
+ to prevent an invalid memcpy. (ASA-2007-016, CVE-2007-3764)
+ * i386 binary packages in etch were unfortunately compiled in an unclean
+ chroot with libsqlite3-dev present and provide a feature based on that.
+ Added a build dependency on that package to avoid regressions on a security
+ upload.
+
+ -- Faidon Liambotis Tue, 21 Aug 2007 06:21:00 +0300
+
 asterisk (1:1.2.13~dfsg-2) unstable; urgency=low
 
 [ Tzafrir Cohen ]
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/control branches/etch/debian/control
--- tags/1.2.13~dfsg-2/debian/control 2007-07-22 05:00:50.000000000 +0300
+++ branches/etch/debian/control 2007-08-21 06:20:31.000000000 +0300
@@ -2,9 +2,9 @@
 Priority: optional
 Section: comm
 Maintainer: Debian VoIP Team
-Uploaders: Mark Purcell , Kilian Krause , Jose Carlos Garcia Sogo , Santiago Garcia Mantinan , Simon Richter , Tzafrir Cohen
+Uploaders: Mark Purcell , Kilian Krause , Jose Carlos Garcia Sogo , Santiago Garcia Mantinan , Simon Richter , Tzafrir Cohen , Faidon Liambotis
 Standards-Version: 3.6.1
-Build-Depends: debhelper (>= 4.0.4), sed (>= 3.95), zlib1g-dev, libreadline5-dev, libgsm1-dev, libssl-dev, libzap-dev, libtonezone-dev (>= 1:1.2.3-1), bison, libasound2-dev, libpq-dev, unixodbc-dev, libpri-dev (>= 1.2.3-1), dpatch (>= 2.0.10), zaptel-source (>= 1:1.2.3-1), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev, graphviz, libcurl3-dev, doxygen, gsfonts, libpopt-dev, libopenh323-dev (>= 1.17.4-1), dpkg ( >= 1.13.19), libogg-dev, libvorbis-dev
+Build-Depends: debhelper (>= 4.0.4), sed (>= 3.95), zlib1g-dev, libreadline5-dev, libgsm1-dev, libssl-dev, libzap-dev, libtonezone-dev (>= 1:1.2.3-1), bison, libasound2-dev, libpq-dev, unixodbc-dev, libpri-dev (>= 1.2.3-1), dpatch (>= 2.0.10), zaptel-source (>= 1:1.2.3-1), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev, graphviz, libcurl3-dev, doxygen, gsfonts, libpopt-dev, libopenh323-dev (>= 1.17.4-1), dpkg ( >= 1.13.19), libogg-dev, libvorbis-dev, libsqlite3-dev
 
 Package: asterisk
 Architecture: all
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/00list branches/etch/debian/patches/00list
--- tags/1.2.13~dfsg-2/debian/patches/00list 2007-07-22 05:00:50.000000000 +0300
+++ branches/etch/debian/patches/00list 2007-08-21 05:55:08.000000000 +0300
@@ -1,4 +1,12 @@
 patch.CVE-2006-2898.dpatch
+CVE-2007-1306.dpatch
+CVE-2007-1561.dpatch
+ASA-2007-011.dpatch
+ASA-2007-012.dpatch
+ASA-2007-014.dpatch
+CVE-2007-2488.dpatch
+ASA-2007-015.dpatch
+ASA-2007-016.dpatch
 # ukcid probably conflicts with bristuff
 ukcid
 option_detach
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-011.dpatch branches/etch/debian/patches/ASA-2007-011.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-011.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-011.dpatch 2007-08-21 06:00:57.000000000 +0300
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-011.dpatch by Faidon Liambotis
+##
+## DP: channels/chan_sip.c: Only try to handle a response if it has a response code.
+## DP: r59194 in upstream's SVN
+## DP: Security fix, ASA-2007-011, CVE-2007-1594, CVE-2007-2297
+
+@DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- a/channels/chan_sip.c (revision 59193)
++++ b/channels/chan_sip.c (revision 59194)
+@@ -11295,17 +11295,17 @@
+ /* ignore means "don't do anything with it" but still have to
+ respond appropriately */
+ ignore=1;
++ } else if (e) {
++ e = ast_skip_blanks(e);
++ if (sscanf(e, "%d %n", &respid, &len) != 1) {
++ ast_log(LOG_WARNING, "Invalid response: '%s'\n", e);
++ } else {
++ /* More SIP ridiculousness, we have to ignore bogus contacts in 100 etc responses */
++ if ((respid == 200) || ((respid >= 300) && (respid <= 399)))
++ extract_uri(p, req);
++ handle_response(p, respid, e + len, req, ignore, seqno);
++ }
+ }
+-
+- e = ast_skip_blanks(e);
+- if (sscanf(e, "%d %n", &respid, &len) != 1) {
+- ast_log(LOG_WARNING, "Invalid response: '%s'\n", e);
+- } else {
+- /* More SIP ridiculousness, we have to ignore bogus contacts in 100 etc responses */
+- if ((respid == 200) || ((respid >= 300) && (respid <= 399)))
+- extract_uri(p, req);
+- handle_response(p, respid, e + len, req, ignore, seqno);
+- }
+ return 0;
+ }
+ 
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-012.dpatch branches/etch/debian/patches/ASA-2007-012.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-012.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-012.dpatch 2007-08-16 06:38:16.000000000 +0300
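Review bot: With the new `} else if (e) {` in the chan_sip.c hunk, a duplicate response (the `ignore=1` branch just above it) now drops straight to `return 0;` without reaching `handle_response()`, yet the context comment still says such a response "still [has] to respond appropriately", and within the hunk `ignore` can only ever be 0 when it is passed on. The dpatch header attributes this to upstream r59194, so the behaviour is presumably intended, but the comment now contradicts the code; replace it with `/* duplicate of a response already handled: nothing to pass on, drop through to return 0 */` or, if the old pass-through was wanted, extend the `e` check to that branch as well. There is still no range check on `respid` before `handle_response()` receives it, which may be fine but is worth a glance. The enclosing function starts and ends outside the hunk, so whether `ignore` is read elsewhere in it cannot be seen here.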
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-012.dpatch by Faidon Liambotis
+##
+## DP: manager.c: Don't crash if a manager connection provides a username
+## DP: that exists in manager.conf but does not have a password, and also
+## DP: requests MD5 authentication.
+## DP: r61786 in upstream's SVN
+## DP: Security fix, ASA-2007-012, CVE-2007-2294
+
+@DPATCH@
+Index: manager.c
+===================================================================
+--- a/manager.c (revision 61785)
++++ b/manager.c (revision 61786)
+@@ -533,7 +533,8 @@
+ } else if (ha)
+ ast_free_ha(ha);
+ if (!strcasecmp(authtype, "MD5")) {
+- if (!ast_strlen_zero(key) && s->challenge) {
++ if (!ast_strlen_zero(key) &&
++ !ast_strlen_zero(s->challenge) && !ast_strlen_zero(password)) {
+ int x;
+ int len=0;
+ char md5key[256] = "";
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-014.dpatch branches/etch/debian/patches/ASA-2007-014.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-014.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-014.dpatch 2007-08-16 06:38:37.000000000 +0300
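Review bot: The widened condition in the manager.c hunk fails closed but silently: a login naming a manager.conf user without a password that asks for MD5 now simply skips the block, and nothing in the hunk records why authentication was refused. The `else` side of that `if` is outside the hunk, so the caller may already log a generic failure; if not, a debug-level `ast_log()` before it would give operators something to correlate (warning level would let unauthenticated clients flood the log). A why-comment also belongs on the new line, since the code alone does not say why `password` is tested here: `/* a manager.conf user with no password must never reach the MD5 compare (CVE-2007-2294) */`. Note that `ast_strlen_zero(s->challenge)` now also rejects an empty challenge, which is stricter than the old pointer test and looks right.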
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-014.dpatch by Faidon Liambotis
+##
+## DP: Ensure that when encoding the contents of an ast_frame into an
+## DP: iax_frame, that the size of the destination buffer is known in the
+## DP: iax_frame so that code won't write past the end of the allocated
+## DP: buffer when sending outgoing frames.
+## DP: r75444 in upstream's SVN
+## DP: Security fix, ASA-2007-014, CVE-2007-3762
+
+@DPATCH@
+Index: channels/iax2-parser.h
+===================================================================
+--- a/channels/iax2-parser.h (revision 75443)
++++ b/channels/iax2-parser.h (revision 75444)
+@@ -119,6 +119,8 @@
+ struct iax_frame *prev;
+ /* Actual, isolated frame header */
+ struct ast_frame af;
++ /* Amount of data _allocated_ for afdata */
++ size_t afdatalen;
+ unsigned char unused[AST_FRIENDLY_OFFSET];
+ unsigned char afdata[0]; /* Data for frame */
+ };
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 75443)
++++ b/channels/chan_iax2.c (revision 75444)
+@@ -4020,7 +4020,9 @@
+ int sendmini=0;
+ unsigned int lastsent;
+ unsigned int fts;
+-
++
++ frb.fr2.afdatalen = sizeof(frb.buffer);
++
+ if (!pvt) {
+ ast_log(LOG_WARNING, "No private structure for packet?\n");
+ return -1;
+@@ -6435,7 +6437,8 @@
+ /* allocate an iax_frame with 4096 bytes of data buffer */
+ fr = alloca(sizeof(*fr) + 4096);
+ fr->callno = 0;
+-
++ fr->afdatalen = 4096; /* From alloca() above */
++
+ res = recvfrom(fd, buf, sizeof(buf), 0,(struct sockaddr *) &sin, &len);
+ if (res < 0) {
+ if (errno != ECONNREFUSED)
+Index: channels/iax2-parser.c
+===================================================================
+--- a/channels/iax2-parser.c (revision 75443)
++++ b/channels/iax2-parser.c (revision 75444)
+@@ -904,13 +904,20 @@
+ fr->af.delivery.tv_usec = 0;
+ fr->af.data = fr->afdata;
+ if (fr->af.datalen) {
++ size_t copy_len = fr->af.datalen;
++ if (copy_len > fr->afdatalen) {
++ ast_log(LOG_ERROR, "Losing frame data because destination buffer size '%d' bytes not big enough for '%d' bytes in the frame\n",
++ (int) fr->afdatalen, (int) fr->af.datalen);
++ copy_len = fr->afdatalen;
++ }
+ #if __BYTE_ORDER == __LITTLE_ENDIAN
+ /* We need to byte-swap slinear samples from network byte order */
+ if ((fr->af.frametype == AST_FRAME_VOICE) && (fr->af.subclass == AST_FORMAT_SLINEAR)) {
+- ast_swapcopy_samples(fr->af.data, f->data, fr->af.samples);
++ /* 2 bytes / sample for SLINEAR */
++ ast_swapcopy_samples(fr->af.data, f->data, copy_len / 2);
+ } else
+ #endif
+- memcpy(fr->af.data, f->data, fr->af.datalen);
++ memcpy(fr->af.data, f->data, copy_len);
+ }
+ }
+ 
+@@ -919,6 +926,7 @@
+ struct iax_frame *fr;
+ fr = malloc((int)sizeof(struct iax_frame) + datalen);
+ if (fr) {
++ fr->afdatalen = datalen;
+ fr->direction = direction;
+ fr->retrans = -1;
+ frames++;
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-015.dpatch branches/etch/debian/patches/ASA-2007-015.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-015.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-015.dpatch 2007-08-16 06:41:12.000000000 +0300
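Review bot: In the iax2-parser.c hunk, when `copy_len` is clamped to `fr->afdatalen` the frame header keeps its old values — `fr->af.datalen` (and `fr->af.samples` on the SLINEAR path) still advertise the untruncated size although only `copy_len` bytes were written into `fr->afdata`. Any consumer that trusts `fr->af.datalen` to walk `fr->af.data` would then read past the copied data; whether one exists is outside this hunk, but keeping the invariant is cheap: after `copy_len = fr->afdatalen;` add `fr->af.datalen = copy_len;` and, on the SLINEAR branch, `fr->af.samples = copy_len / 2;` (the hunk's own comment fixes 2 bytes per sample). Separately, `fr->afdatalen = 4096; /* From alloca() above */` repeats the literal from the `alloca()` line a few lines up; one named constant such as `enum { IAX_RECV_BUFLEN = 4096 };` used by both would stop them drifting apart. The `(int)` casts with `%d` in the new `ast_log()` narrow a `size_t`; `%zu` is the exact form if the build allows C99 format strings.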
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-015.dpatch by Faidon Liambotis
+##
+## DP: After parsing information elements in IAX frames, set the data length
+## DP: to zero, so that code later on does not think it has data to copy.
+## DP: r75440 in upstream's SVN
+## DP: Security fix, ASA-2007-015, CVE-2007-3763
+
+@DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 75439)
++++ b/channels/chan_iax2.c (revision 75440)
+@@ -6811,6 +6811,7 @@
+ return 1;
+ }
+ f.data = NULL;
++ f.datalen = 0;
+ } else
+ f.data = buf + sizeof(*fh);
+ } else {
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/ASA-2007-016.dpatch branches/etch/debian/patches/ASA-2007-016.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/ASA-2007-016.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/ASA-2007-016.dpatch 2007-08-16 06:38:47.000000000 +0300
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ASA-2007-016.dpatch by Faidon Liambotis
+##
+## DP: chan_skinny: Properly check for the length in the skinny packet to
+## DP: prevent an invalid memcpy.
+## DP: r75449 in upstream's SVN
+## DP: Security fix, ASA-2007-016, CVE-2007-3764
+
+@DPATCH@
+Index: channels/chan_skinny.c
+===================================================================
+--- a/channels/chan_skinny.c (revision 75448)
++++ b/channels/chan_skinny.c (revision 75449)
+@@ -2862,7 +2862,7 @@
+ return -1;
+ }
+ dlen = letohl(*(int *)s->inbuf);
+- if (dlen < 0) {
++ if (dlen < 4) {
+ ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
+ return -1;
+ }
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/CVE-2007-1306.dpatch branches/etch/debian/patches/CVE-2007-1306.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/CVE-2007-1306.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/CVE-2007-1306.dpatch 2007-08-21 05:45:24.000000000 +0300
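Review bot: The added `f.datalen = 0;` in the chan_iax2.c hunk keeps `f.data`/`f.datalen` paired, but the line itself gives no reason; the dpatch header explains that the information elements were already parsed and must not be treated as payload, and that belongs beside the code: `f.datalen = 0; /* IEs already parsed out of the buffer, no payload left to copy (CVE-2007-3763) */`. The `else` branch sets `f.data = buf + sizeof(*fh)` and relies on a length assigned elsewhere in the function (outside this hunk — presumably the `f.datalen = res - sizeof(*fh)` visible in the CVE-2007-2488 patch on this page), so it is worth confirming that path cannot leave `datalen` stale either.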
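Review bot: The `4` in the new `if (dlen < 4)` in the chan_skinny.c hunk is a bare magic number; the reader must go to the dpatch header to learn it exists so a later `memcpy` is not handed an underflowed length, and that memcpy is outside the hunk. Name it and say why: `enum { SKINNY_MIN_DLEN = 4 }; /* smallest dlen the memcpy below can take — confirm against that call (CVE-2007-3764) */` and `if (dlen < SKINNY_MIN_DLEN) {`. Only the lower bound is visible here; whether `dlen` is also capped against `sizeof(s->inbuf)` before more data is read into the buffer should be confirmed, since `dlen` comes straight off the wire via `letohl(*(int *)s->inbuf)`. That `*(int *)` read is also a pre-existing alignment/strict-aliasing hazard, not one this commit introduces.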
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-1306.dpatch by Faidon Liambotis
+##
+## DP: channels/chan_sip.c: If a SIP message comes in and goes to a method
+## DP: handler that requires additional values that may not be present then
+## DP: send back an error.
+## DP: r57475, r58052 in upstream's SVN
+## DP: Security fix, CVE-2007-1306
+
+@DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- a/channels/chan_sip.c (revision 56230)
++++ b/channels/chan_sip.c (revision 58052)
+@@ -11340,6 +11340,12 @@
+ }
+ }
+ 
++ if (!e && (p->method == SIP_INVITE || p->method == SIP_SUBSCRIBE || p->method == SIP_REGISTER)) {
++ transmit_response(p, "400 Bad request", req);
++ ast_set_flag(p, SIP_NEEDDESTROY);
++ return -1;
++ }
++
+ /* Handle various incoming SIP methods in requests */
+ switch (p->method) {
+ case SIP_OPTIONS:
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/CVE-2007-1561.dpatch branches/etch/debian/patches/CVE-2007-1561.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/CVE-2007-1561.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/CVE-2007-1561.dpatch 2007-08-21 06:41:51.000000000 +0300
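Review bot: The new guard in the chan_sip.c hunk answers 400 when `e` is NULL for INVITE, SUBSCRIBE and REGISTER, but nothing says why those three methods need `e` while the other cases in the `switch` below do not; put it on the `if`: `/* these handlers dereference the value in e; a request without it cannot be processed, answer 400 (CVE-2007-1306) */`. The rejection also leaves no trace — a malformed request from the network is answered and the dialog flagged for destruction without any log line, so this class of probe stays invisible to operators; an `ast_log(LOG_DEBUG, ...)` before `transmit_response()` would help, at debug rather than warning level so unauthenticated peers cannot fill the log. The `switch` and the function it lives in extend past the hunk, so whether other cases also dereference `e` cannot be checked from here.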
@@ -0,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-1561.dpatch by Faidon Liambotis
+##
+## DP: channels/chan_sip.c: If we are unable to lookup the host in a c line we
+## DP: have to abort, otherwise the previous data is gone and we will
+## DP: (potentially) have no data when all is said and done.
+## DP: r58579 in upstream's SVN
+## DP: Security fix, CVE-2007-1561
+
+@DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- a/channels/chan_sip.c (revision 58578)
++++ b/channels/chan_sip.c (revision 58579)
+@@ -3615,6 +3615,7 @@
+ hp = ast_gethostbyname(host, &ahp);
+ if (!hp) {
+ ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);
++ return -1;
+ }
+ }
+ }
+@@ -3641,6 +3642,7 @@
+ hp = ast_gethostbyname(host, &ahp);
+ if (!hp) {
+ ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);
++ return -1;
+ }
+ }
+ }
diff -Nur --exclude=.svn tags/1.2.13~dfsg-2/debian/patches/CVE-2007-2488.dpatch branches/etch/debian/patches/CVE-2007-2488.dpatch
--- tags/1.2.13~dfsg-2/debian/patches/CVE-2007-2488.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/etch/debian/patches/CVE-2007-2488.dpatch 2007-08-21 05:08:43.000000000 +0300
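Review bot: Both chan_sip.c hunks (-3615 and -3641) add `return -1;` after an identical `ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);`, so the abort is right but the log line cannot tell the two sites apart, and the surrounding code is a copy-paste pair that the fix had to be applied to twice. Make the two messages distinguishable (say which of the two c= line blocks fired — the function starts and ends outside the hunks, so confirm what each handles) or, better, fold the lookup into one static helper so the next fix lands in one place. The message echoes peer-supplied `c` at warning level; that is pre-existing and was already remotely triggerable, but since a failed lookup is now a hard abort, a debug-level or rate-limited log would keep a hostile peer from filling logs with its own input.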
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-2488.dpatch by Faidon Liambotis
+##
+## DP: chan_iax2: if a text frame is sent with no terminating NULL through a
+## DP: bridged IAX connection, the remote end will receive garbage characters
+## DP: tacked onto the end.
+## DP: r62691 in upstream's SVN, fixes issue 9638
+## DP: Security fix, CVE-2007-2488
+
+@DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 62690)
++++ b/channels/chan_iax2.c (revision 62691)
+@@ -6732,6 +6732,13 @@
+ ast_mutex_unlock(&iaxsl[fr->callno]);
+ return 1;
+ }
++ /* Ensure text frames are NULL-terminated */
++ if (f.frametype == AST_FRAME_TEXT && buf[res - 1] != '\0') {
++ if (res < sizeof(buf))
++ buf[res++] = '\0';
++ else /* Trims one character from the text message, but that's better than overwriting the end of the buffer. */
++ buf[res - 1] = '\0';
++ }
+ f.datalen = res - sizeof(*fh);
+ 
+ /* Handle implicit ACKing unless this is an INVAL, and only if this is
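Review bot: In the new text-frame guard, `res < sizeof(buf)` compares the signed `res` (the `int` from `recvfrom()`, visible in the ASA-2007-014 patch on this page at chan_iax2.c line ~6440, presumably the same function) against a `size_t`, so `res` is promoted to unsigned; that is only safe because a negative `res` was rejected higher up, and `buf[res - 1]` on the previous line would index before the buffer if `res` could be 0 here — the `f.datalen = res - sizeof(*fh)` that follows suggests `res >= sizeof(*fh)` was checked earlier, but neither check is in the hunk. Make the assumption explicit: `if (f.frametype == AST_FRAME_TEXT && res > 0 && buf[res - 1] != '\0') {` and `if ((size_t)res < sizeof(buf))`. The truncating `else` branch silently drops the last character; a debug log there would show when a peer sends unterminated or buffer-filling text, which is exactly the traffic this fix is about. The comment trailing `else` on the same line is also awkward — put it on its own line above the branch.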