diff -Nur --exclude=.svn tags/1.0.7.dfsg.1-2sarge4/debian/changelog branches/sarge/debian/changelog --- tags/1.0.7.dfsg.1-2sarge4/debian/changelog 2007-08-23 04:00:47.000000000 +0300 +++ branches/sarge/debian/changelog 2007-08-23 03:48:59.000000000 +0300 @@ -1,3 +1,26 @@ +asterisk (1:1.0.7.dfsg.1-2sarge5) stable-security; urgency=high + + * Add myself to Uploaders to mark this as a maintainer upload. + * Multiple upstream security fixes: + - channels/chan_sip.c: Only try to handle a response if it has a + response code. (ASA-2007-011, CVE-2007-1594, CVE-2007-2297) + - manager.c: Don't crash if a manager connection provides a username that + exists in manager.conf but does not have a password, and also requests + MD5 authentication. (ASA-2007-012, CVE-2007-2294) + - channels/iax2-parser.h, channels/chan_iax2.c, channels/iax2-parser.c: + Ensure that when encoding the contents of an ast_frame into an iax_frame, + that the size of the destination buffer is known in the iax_frame so that + code won't write past the end of the allocated buffer when sending + outgoing frames. (ASA-2007-014, CVE-2007-3762) + - channels/chan_iax2.c: if a text frame is sent with no terminating NULL + through a bridged IAX connection, the remote end will receive garbage + characters tacked onto the end. (CVE-2007-2488) + - channels/chan_iax2.c: After parsing information elements in IAX frames, + set the data length to zero, so that code later on does not think it has + data to copy. (ASA-2007-015, CVE-2007-3763) + + -- Faidon Liambotis Thu, 23 Aug 2007 03:48:56 +0300 + asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high * Non-maintainer upload diff -Nur --exclude=.svn tags/1.0.7.dfsg.1-2sarge4/debian/control branches/sarge/debian/control --- tags/1.0.7.dfsg.1-2sarge4/debian/control 2007-08-23 04:00:47.000000000 +0300 +++ branches/sarge/debian/control 2007-08-23 03:42:25.000000000 +0300 
@@ -2,7 +2,7 @@ Priority: optional Section: comm Maintainer: Debian VoIP Team -Uploaders: Mark Purcell , Kilian Krause , Jose Carlos Garcia Sogo , Santiago Garcia Mantinan +Uploaders: Mark Purcell , Kilian Krause , Jose Carlos Garcia Sogo , Santiago Garcia Mantinan , Faidon Liambotis Standards-Version: 3.6.1 Build-Depends: debhelper (>= 4.0.4), zlib1g-dev, libgtk1.2-dev | libgtk-dev, libreadline4-dev | libreadline-dev, libgsm1-dev, libssl-dev, libzap-dev, libtonezone-dev (>= 1:1.0.6-1), doxygen, bison, libasound2-dev, postgresql-dev, unixodbc-dev, libpri-dev (>= 1.0.6-1), dpatch (>= 2.0.10), zaptel-source (>= 1:1.0.6-1), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev diff -Nur --exclude=.svn tags/1.0.7.dfsg.1-2sarge4/debian/patches/00list branches/sarge/debian/patches/00list --- tags/1.0.7.dfsg.1-2sarge4/debian/patches/00list 2007-08-23 04:00:47.000000000 +0300 +++ branches/sarge/debian/patches/00list 2007-08-23 04:11:16.000000000 +0300 @@ -17,4 +17,8 @@ 99_CVE-2006-1827.dpatch 99_CVE-2006-2898.dpatch 99_CVE-2006-5444.dpatch - +99_ASA-2007-011.dpatch +99_ASA-2007-012.dpatch +99_ASA-2007-014.dpatch +99_CVE-2007-2488.dpatch +99_ASA-2007-015.dpatch diff -Nur --exclude=.svn tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_ASA-2007-011.dpatch branches/sarge/debian/patches/99_ASA-2007-011.dpatch --- tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_ASA-2007-011.dpatch 1970-01-01 02:00:00.000000000 +0200 +++ branches/sarge/debian/patches/99_ASA-2007-011.dpatch 2007-08-23 03:03:20.000000000 +0300 
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_ASA-2007-011.dpatch by Faidon Liambotis
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: channels/chan_sip.c: Only try to handle a response if it has a response code.
+## DP: Backported to v1.0, original is r59194 in upstream's SVN
+## DP: Security fix, ASA-2007-011, CVE-2007-1594, CVE-2007-2297
+
+@DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/chan_sip.c asterisk-1.0.7.dfsg.1/channels/chan_sip.c
+--- asterisk-1.0.7.dfsg.1~/channels/chan_sip.c 2007-08-23 02:56:37.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/chan_sip.c 2007-08-23 03:02:06.000000000 +0300
+@@ -7718,6 +7718,9 @@
+ p->needdestroy = 1;
+ } else if (!strcasecmp(cmd, "SIP/2.0")) {
+ extract_uri(p, req);
++ if (!e)
++ return 0;
++
+ while(*e && (*e < 33)) e++;
+ if (sscanf(e, "%i %n", &respid, &len) != 1) {
+ ast_log(LOG_WARNING, "Invalid response: '%s'\n", e);
diff -Nur --exclude=.svn tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_ASA-2007-012.dpatch branches/sarge/debian/patches/99_ASA-2007-012.dpatch
--- tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_ASA-2007-012.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/sarge/debian/patches/99_ASA-2007-012.dpatch 2007-08-23 04:17:02.000000000 +0300
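Review bot: The new `if (!e) return 0;` drops a SIP response that carries no response code without leaving any trace, while the malformed-response case two lines below logs a warning; adding `ast_log(LOG_WARNING, "Response without a response code, ignoring\n");` before the return keeps the two failure paths consistent and makes such traffic visible in the logs. Where `e` is derived is outside the hunk, so whether it can also be an empty string (which the `while(*e ...)` loop then tolerates) cannot be confirmed here. The enclosing function starts and ends outside the hunk.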
@@ -0,0 +1,25 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_ASA-2007-012.dpatch by Faidon Liambotis
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: manager.c: Don't crash if a manager connection provides a username
+## DP: that exists in manager.conf but does not have a password, and also
+## DP: requests MD5 authentication.
+## DP: Backported to v1.0, original is r61786 in upstream's SVN
+## DP: Security fix, ASA-2007-012, CVE-2007-2294
+
+@DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/manager.c asterisk-1.0.7.dfsg.1/manager.c
+--- asterisk-1.0.7.dfsg.1~/manager.c 2007-08-23 03:04:18.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/manager.c 2007-08-23 03:06:21.000000000 +0300
+@@ -429,7 +429,9 @@
+ } else if (ha)
+ ast_free_ha(ha);
+ if (!strcasecmp(authtype, "MD5")) {
+- if (key && !ast_strlen_zero(key) && s->challenge) {
++ if (key && !ast_strlen_zero(key) &&
++ s->challenge && !ast_strlen_zero(s->challenge) &&
++ password && !ast_strlen_zero(password)) {
+ int x;
+ int len=0;
+ char md5key[256] = "";
diff -Nur --exclude=.svn tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_ASA-2007-014.dpatch branches/sarge/debian/patches/99_ASA-2007-014.dpatch
--- tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_ASA-2007-014.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/sarge/debian/patches/99_ASA-2007-014.dpatch 2007-08-23 04:27:40.000000000 +0300
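Review bot: The widened guard skips the MD5 path when `password` or `s->challenge` is missing, but what runs when the guard fails is outside the hunk, so confirm that a manager.conf user with no secret is rejected there and logged rather than falling through to another authentication path. A one-line `else` that logs the attempt, e.g. `ast_log(LOG_NOTICE, "Rejecting MD5 login: no secret or challenge for this user\n");`, would make the misconfiguration observable without changing the outcome. The explicit `key &&` / `password &&` NULL tests are only needed if `ast_strlen_zero()` does not accept NULL in this tree; if it does, the condition can be shortened to the three `!ast_strlen_zero()` calls. The enclosing function starts and ends outside the hunk.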
@@ -0,0 +1,73 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_ASA-2007-014.dpatch by Faidon Liambotis
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Ensure that when encoding the contents of an ast_frame into an
+## DP: iax_frame, that the size of the destination buffer is known in the
+## DP: iax_frame so that code won't write past the end of the allocated
+## DP: buffer when sending outgoing frames.
+## DP: Backported to v1.0, original is r75444 in upstream's SVN
+## DP: Security fix, ASA-2007-014, CVE-2007-3762
+
+@DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c asterisk-1.0.7.dfsg.1/channels/chan_iax2.c
+--- asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c 2007-08-23 04:26:27.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c 2007-08-23 04:26:27.000000000 +0300
+@@ -3090,7 +3090,9 @@
+ int sendmini=0;
+ unsigned int lastsent;
+ unsigned int fts;
+-
++
++ frb.fr2.afdatalen = sizeof(frb.buffer);
++
+ if (!pvt) {
+ ast_log(LOG_WARNING, "No private structure for packet?\n");
+ return -1;
+@@ -5051,6 +5053,7 @@
+
+ dblbuf[0] = 0; /* Keep GCC from whining */
+ fr.callno = 0;
++ fr.afdatalen = 4096;
+
+ res = recvfrom(netsocket, buf, sizeof(buf), 0,(struct sockaddr *) &sin, &len);
+ if (res < 0) {
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/iax2-parser.c asterisk-1.0.7.dfsg.1/channels/iax2-parser.c
+--- asterisk-1.0.7.dfsg.1~/channels/iax2-parser.c 2007-08-23 04:26:17.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/iax2-parser.c 2007-08-23 04:27:18.000000000 +0300
+@@ -688,8 +688,13 @@
+ fr->af.delivery.tv_sec = 0;
+ fr->af.delivery.tv_usec = 0;
+ fr->af.data = fr->afdata;
+- if (fr->af.datalen)
+- memcpy(fr->af.data, f->data, fr->af.datalen);
++ if (fr->af.datalen) {
++ size_t copy_len = fr->af.datalen;
++ if (copy_len > fr->afdatalen)
++ copy_len = fr->afdatalen;
++
++ memcpy(fr->af.data, f->data, copy_len);
++ }
+ }
+
+ struct iax_frame *iax_frame_new(int direction, int datalen)
+@@ -697,6 +702,7 @@
+ struct iax_frame *fr;
+ fr = malloc((int)sizeof(struct iax_frame) + datalen);
+ if (fr) {
++ fr->afdatalen = datalen;
+ fr->direction = direction;
+ fr->retrans = -1;
+ frames++;
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/iax2-parser.h asterisk-1.0.7.dfsg.1/channels/iax2-parser.h
+--- asterisk-1.0.7.dfsg.1~/channels/iax2-parser.h 2007-08-23 04:26:17.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/iax2-parser.h 2007-08-23 04:26:27.000000000 +0300
+@@ -98,6 +98,8 @@
+ struct iax_frame *prev;
+ /* Actual, isolated frame header */
+ struct ast_frame af;
++ /* Amount of data _allocated_ for afdata */
++ size_t afdatalen;
+ unsigned char unused[AST_FRIENDLY_OFFSET];
+ unsigned char afdata[0]; /* Data for frame */
+ };
diff -Nur --exclude=.svn tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_ASA-2007-015.dpatch branches/sarge/debian/patches/99_ASA-2007-015.dpatch
--- tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_ASA-2007-015.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/sarge/debian/patches/99_ASA-2007-015.dpatch 2007-08-23 03:18:21.000000000 +0300
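Review bot: In the `iax_frame_wrap` hunk the copy is clamped to `fr->afdatalen`, but `fr->af.datalen` (assigned before the hunk) still reports the unclamped length, so a consumer that reads `fr->af.datalen` bytes from `fr->af.data` can still run past the allocation the patch is meant to protect, and the truncation happens silently. Shrink `fr->af.datalen` to `copy_len` in the clamp branch and log the event, as below. In the `socket_read` hunk `fr.afdatalen = 4096;` hard-codes a size while the `recvfrom()` two lines later uses `sizeof(buf)`; if the constant is meant to match one of that function's local buffers, use `sizeof` of that buffer so the two cannot drift apart. In `iax_frame_new` the `int datalen` is stored into the `size_t` field, so a negative `datalen` would become a huge `afdatalen` and defeat the clamp; a `if (datalen < 0) return NULL;` guard before the `malloc` is cheap. All of the enclosing functions start and end outside their hunks.
```c
	if (fr->af.datalen) {
		size_t copy_len = fr->af.datalen;
		if (copy_len > fr->afdatalen) {
			/* Keep af.datalen consistent with what was actually copied. */
			ast_log(LOG_WARNING, "Losing frame data: destination buffer is %d bytes, frame has %d bytes\n",
				(int)fr->afdatalen, (int)fr->af.datalen);
			copy_len = fr->afdatalen;
			fr->af.datalen = copy_len;
		}
		memcpy(fr->af.data, f->data, copy_len);
	}
```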
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_ASA-2007-015.dpatch by Faidon Liambotis
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: After parsing information elements in IAX frames, set the data length
+## DP: to zero, so that code later on does not think it has data to copy.
+## DP: Backported to v1.0, original is r75440 in upstream's SVN
+## DP: Security fix, ASA-2007-015, CVE-2007-3763
+
+@DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c asterisk-1.0.7.dfsg.1/channels/chan_iax2.c
+--- asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c 2007-08-23 03:17:25.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c 2007-08-23 03:17:26.000000000 +0300
+@@ -5338,6 +5338,7 @@
+ return 1;
+ }
+ f.data = NULL;
++ f.datalen = 0;
+ } else
+ f.data = buf + sizeof(struct ast_iax2_full_hdr);
+ } else {
diff -Nur --exclude=.svn tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_CVE-2007-2488.dpatch branches/sarge/debian/patches/99_CVE-2007-2488.dpatch
--- tags/1.0.7.dfsg.1-2sarge4/debian/patches/99_CVE-2007-2488.dpatch 1970-01-01 02:00:00.000000000 +0200
+++ branches/sarge/debian/patches/99_CVE-2007-2488.dpatch 2007-08-23 03:20:42.000000000 +0300
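Review bot: `f.datalen = 0;` is added with no comment saying why, and nothing at this site shows that `f.datalen` was earlier set from the wire length (that assignment is outside the hunk), so a later refactor could drop the line without noticing what it guards. Suggest `f.datalen = 0; /* IEs were consumed above; leave no payload for later code to copy */`. The enclosing function starts and ends outside the hunk.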
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2007-2488.dpatch by Faidon Liambotis
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: chan_iax2: if a text frame is sent with no terminating NULL through a
+## DP: bridged IAX connection, the remote end will receive garbage characters
+## DP: tacked onto the end.
+## DP: Backported to v1.0, original is r62691 in upstream's SVN
+## DP: Security fix, CVE-2007-2488
+
+@DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c asterisk-1.0.7.dfsg.1/channels/chan_iax2.c
+--- asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c 2007-08-23 03:18:59.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c 2007-08-23 03:19:51.000000000 +0300
+@@ -5274,6 +5274,12 @@
+ ast_mutex_unlock(&iaxsl[fr.callno]);
+ return 1;
+ }
++ if (f.frametype == AST_FRAME_TEXT && buf[res - 1] != '\0') {
++ if (res < sizeof(buf))
++ buf[res++] = '\0';
++ else /* Trims one character from the text message, but that's better than overwriting the end of the buffer. */
++ buf[res - 1] = '\0';
++ }
+ f.datalen = res - sizeof(struct ast_iax2_full_hdr);
+
+ /* Handle implicit ACKing unless this is an INVAL, and only if this is
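Review bot: `if (res < sizeof(buf))` compares the `int` result of `recvfrom()` with a `size_t`, so the comparison is performed unsigned; it is correct only because `res < 0` is rejected right after the `recvfrom()` call (visible in the ASA-2007-014 hunk), and `buf[res - 1]` additionally needs `res >= 1`, which presumably a minimum-length check earlier in the function guarantees — neither invariant is visible at this site. Writing `if ((size_t)res < sizeof(buf))` makes the intent explicit and keeps -Wsign-compare quiet, and a comment such as `/* res >= sizeof(struct ast_iax2_full_hdr) was verified above */` on the block documents the index bound. The explanatory comment wedged between `else` and its statement is easy to misread; move it onto its own line above the `else`. The enclosing function starts and ends outside the hunk.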