[Git][pkg-voip-team/asterisk][debian/latest] 4 commits: New upstream version 20.5.1~dfsg+~cs6.13.40431414
Jonas Smedegaard (@js)
gitlab at salsa.debian.org
Tue Dec 19 17:28:54 GMT 2023
Jonas Smedegaard pushed to branch debian/latest at Debian VoIP Packaging Team / asterisk
Commits:
4852c72c by Jonas Smedegaard at 2023-12-19T16:47:26+01:00
New upstream version 20.5.1~dfsg+~cs6.13.40431414
- - - - -
b606687e by Jonas Smedegaard at 2023-12-19T16:47:57+01:00
Update upstream source from tag 'upstream/20.5.1_dfsg+_cs6.13.40431414'
Update to upstream version '20.5.1~dfsg+~cs6.13.40431414'
with Debian dir d9ca47908dac4fc83131cb7c12717eacbd167224
- - - - -
d6b3baa5 by Jonas Smedegaard at 2023-12-19T17:52:21+01:00
fix enable opus codec; build-depend on libopusenc-dev; closes: bug#1025165, thanks to Paweł Bogusławski, Faidon Liambotis and Athos Ribeiro
- - - - -
87df34f8 by Jonas Smedegaard at 2023-12-19T18:08:45+01:00
update changelog and copyright hints
- - - - -
13 changed files:
- .version
- CHANGES.md
- + ChangeLogs/ChangeLog-20.5.1.md
- configs/samples/pjproject.conf.sample
- debian/changelog
- debian/control
- debian/copyright_hints
- debian/rules
- main/manager.c
- res/res_pjproject.c
- res/res_pjsip_header_funcs.c
- res/res_rtp_asterisk.c
- + third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch
Changes:
=====================================
.version
=====================================
@@ -1 +1 @@
-20.5.0
+20.5.1
=====================================
CHANGES.md
=====================================
@@ -1 +1 @@
-ChangeLogs/ChangeLog-20.5.0.md
\ No newline at end of file
+ChangeLogs/ChangeLog-20.5.1.md
\ No newline at end of file
=====================================
ChangeLogs/ChangeLog-20.5.1.md
=====================================
@@ -0,0 +1,95 @@
+
+Change Log for Release asterisk-20.5.1
+========================================
+
+Links:
+----------------------------------------
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-20.5.1.md)
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/20.5.0...20.5.1)
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-20.5.1.tar.gz)
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)
+
+Summary:
+----------------------------------------
+
+- res_pjsip_header_funcs: Duplicate new header value, don't copy.
+- res_pjsip: disable raw bad packet logging
+- res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+- manager.c: Prevent path traversal with GetConfig.
+
+User Notes:
+----------------------------------------
+
+
+Upgrade Notes:
+----------------------------------------
+
+
+Closed Issues:
+----------------------------------------
+
+None
+
+Commits By Author:
+----------------------------------------
+
+- ### Ben Ford (1):
+ - manager.c: Prevent path traversal with GetConfig.
+
+- ### George Joseph (1):
+ - res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+
+- ### Gitea (1):
+ - res_pjsip_header_funcs: Duplicate new header value, don't copy.
+
+- ### Mike Bradeen (1):
+ - res_pjsip: disable raw bad packet logging
+
+
+Detail:
+----------------------------------------
+
+- ### res_pjsip_header_funcs: Duplicate new header value, don't copy.
+ Author: Gitea
+ Date: 2023-07-10
+
+ When updating an existing header the 'update' code incorrectly
+ just copied the new value into the existing buffer. If the
+ new value exceeded the available buffer size memory outside
+ of the buffer would be written into, potentially causing
+ a crash.
+
+ This change makes it so that the 'update' now duplicates
+ the new header value instead of copying it into the existing
+ buffer.
+
+- ### res_pjsip: disable raw bad packet logging
+ Author: Mike Bradeen
+ Date: 2023-07-25
+
+ Add patch to split the log level for invalid packets received on the
+ signaling port. The warning regarding the packet will move to level 2
+ so that it can still be displayed, while the raw packet will be at level
+ 4.
+
+- ### res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+ Author: George Joseph
+ Date: 2023-11-09
+
+ When ICE is in use, we can prevent a possible DOS attack by allowing
+ DTLS protocol messages (client hello, etc) only from sources that
+ are in the active remote candidates list.
+
+ Resolves: GHSA-hxj9-xwr8-w8pq
+
+- ### manager.c: Prevent path traversal with GetConfig.
+ Author: Ben Ford
+ Date: 2023-11-13
+
+ When using AMI GetConfig, it was possible to access files outside of the
+ Asterisk configuration directory by using filenames with ".." and "./"
+ even while live_dangerously was not enabled. This change resolves the
+ full path and ensures we are still in the configuration directory before
+ attempting to access the file.
+
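Review bot: only one of the four entries in the Detail section carries an advisory reference (Resolves: GHSA-hxj9-xwr8-w8pq under the DTLS change); the GetConfig path traversal and the header-update overflow are both described as security fixes yet have no Resolves: line, and User Notes and Upgrade Notes are empty even though the pjproject logging change moves raw packet contents to level 4 and so changes what operators see at their current log level. Add the advisory identifier for each fix and an Upgrade Note on the new log-level behaviour so that downstream trackers and operators can map this release to the advisories.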
=====================================
configs/samples/pjproject.conf.sample
=====================================
@@ -38,6 +38,10 @@
; - 5: trace
; - 6: more detailed trace
;
+; Note: setting the pjproject debug level to 4 (debug) or above may result in
+; raw packets being logged. This should only be enabled during active debugging
+; to avoid a potential security issue due to logging injection.
+;
;asterisk_error = ; A comma separated list of pjproject log levels to map to
; Asterisk errors.
; (default: "0,1")
=====================================
debian/changelog
=====================================
@@ -1,3 +1,20 @@
+asterisk (1:20.5.1~dfsg+~cs6.13.40431414-1) unstable; urgency=high
+
+ [ upstream ]
+ * new release
+ + fixes these upstream bugs:
+ CVE-2023-49294 CVE-2023-49786;
+ closes: bug#1059032, #1059033, thanks to Salvatore Bonaccorso
+
+ [ Jonas Smedegaard ]
+ * fix enable opus codec;
+ build-depend on libopusenc-dev;
+ closes: bug#1025165,
+ thanks to Paweł Bogusławski, Faidon Liambotis and Athos Ribeiro
+ * set urgency=high due to multiple security bugfixes
+
+ -- Jonas Smedegaard <dr at jones.dk> Tue, 19 Dec 2023 17:38:11 +0100
+
asterisk (1:20.5.0~dfsg+~cs6.13.40431414-1) unstable; urgency=medium
[ upstream ]
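Review bot: the entry names CVE-2023-49294 and CVE-2023-49786 but does not say which upstream change fixes which, and it omits the other two security-relevant changes in this release (the res_pjsip_header_funcs header overflow and the pjproject raw-packet logging split), so a reader of the Debian changelog cannot tell what is actually covered. Pair each CVE with its upstream change, one line per fix under `fixes these upstream bugs:`, and mention the two unnumbered fixes as well.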
@@ -24,7 +41,9 @@ asterisk (1:20.4.0~dfsg+~cs6.13.40431414-1) unstable; urgency=medium
[ Jonas Smedegaard ]
* stop depend on lsb-base
* update watch file:
- + fixate component pjproject at upstream release 2.13.1
+ + fixate component pjproject at upstream release 2.13.1;
+ fixes these upstream bugs:
+ CVE-2022-23537 CVE-2022-23547 CVE-2022-39269 CVE-2023-27585
* unfuzz patches
* update copyright info: update coverage
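Review bot: this hunk edits the already-uploaded 1:20.4.0 entry to add four pjproject CVE references. dpkg-genchanges includes only the newest changelog entry in the .changes file by default, so these identifiers will not be seen by anything that processes this upload's changes; if the intent is to record that the packaged pjproject 2.13.1 fixes CVE-2022-23537, CVE-2022-23547, CVE-2022-39269 and CVE-2023-27585, repeat that statement in the new 1:20.5.1 entry rather than only rewriting an entry that has already shipped.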
=====================================
debian/control
=====================================
@@ -43,6 +43,7 @@ Build-Depends:
libopencore-amrwb-dev,
libopenr2-dev [linux-any],
libopus-dev,
+ libopusenc-dev,
libopusfile-dev,
libpopt-dev,
libpq-dev,
=====================================
debian/copyright_hints
=====================================
@@ -10,6 +10,7 @@ Files: BSDmakefile
ChangeLogs/ChangeLog-20.3.1.md
ChangeLogs/ChangeLog-20.4.0.md
ChangeLogs/ChangeLog-20.5.0.md
+ ChangeLogs/ChangeLog-20.5.1.md
ChangeLogs/historical/CHANGES
README-SERIOUSLY.bestpractices.md
SECURITY.md
@@ -1648,6 +1649,7 @@ Files: BSDmakefile
third-party/pjproject/patches/0000-configure-ssl-library-path.patch
third-party/pjproject/patches/0000-remove-third-party.patch
third-party/pjproject/patches/0010-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new-129fb323a66dd1fd16880fe5ba5e6a57.patch
+ third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch
third-party/pjproject/patches/README
third-party/pjproject/patches/config_site.h
third-party/pjproject/patches/user.mak
=====================================
debian/rules
=====================================
@@ -61,6 +61,7 @@ endif
ADDONS_ENABLE = app_macro app_voicemail_imap app_voicemail_odbc
ADDONS_ENABLE += res_config_mysql
ADDONS_ENABLE += chan_mobile chan_ooh323 chan_sip
+ADDONS_ENABLE += codec_opus_open_source
ADDONS_ENABLE += aelparse format_mp3 smsq TEST_FRAMEWORK
ADDONS_DISABLE = BUILD_NATIVE
ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
=====================================
main/manager.c
=====================================
@@ -3752,12 +3752,43 @@ void astman_live_dangerously(int new_live_dangerously)
live_dangerously = new_live_dangerously;
}
+/**
+ * \brief Check if a file is restricted or not
+ *
+ * \return 0 on success
+ * \return 1 on restricted file
+ * \return -1 on failure
+ */
static int restrictedFile(const char *filename)
{
- if (!live_dangerously && !strncasecmp(filename, "/", 1) &&
- strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) {
+ char *stripped_filename;
+ RAII_VAR(char *, path, NULL, ast_free);
+ RAII_VAR(char *, real_path, NULL, ast_free);
+
+ if (live_dangerously) {
+ return 0;
+ }
+
+ stripped_filename = ast_strip(ast_strdupa(filename));
+
+ /* If the file path starts with '/', don't prepend ast_config_AST_CONFIG_DIR */
+ if (stripped_filename[0] == '/') {
+ real_path = realpath(stripped_filename, NULL);
+ } else {
+ if (ast_asprintf(&path, "%s/%s", ast_config_AST_CONFIG_DIR, stripped_filename) == -1) {
+ return -1;
+ }
+ real_path = realpath(path, NULL);
+ }
+
+ if (!real_path) {
+ return -1;
+ }
+
+ if (!ast_begins_with(real_path, ast_config_AST_CONFIG_DIR)) {
return 1;
}
+
return 0;
}
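Review bot: `ast_begins_with(real_path, ast_config_AST_CONFIG_DIR)` is a plain string-prefix test, so with a configuration directory of /etc/asterisk a resolved path such as /etc/asterisk2/secret or /etc/asterisk-old/x also passes; compare against the directory with a trailing "/" appended, or additionally require `real_path[strlen(ast_config_AST_CONFIG_DIR)]` to be '/' or '\0'. Two further points: ast_config_AST_CONFIG_DIR itself is never passed through realpath(), so if that directory is reached through a symlink every legitimate file resolves to a different prefix and is rejected with status 1; and the split between -1 (realpath() failed, typically ENOENT) and 1 (exists but outside the directory) is mapped by the caller to two different error strings, which lets an AMI user with config permission probe whether arbitrary paths exist on the host. Returning 1 for both cases, or canonicalising the directory once and comparing canonical to canonical, closes both.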
@@ -3770,6 +3801,7 @@ static int action_getconfig(struct mansession *s, const struct message *m)
const char *category_name;
int catcount = 0;
int lineno = 0;
+ int ret = 0;
struct ast_category *cur_category = NULL;
struct ast_variable *v;
struct ast_flags config_flags = { CONFIG_FLAG_WITHCOMMENTS | CONFIG_FLAG_NOCACHE };
@@ -3779,9 +3811,13 @@ static int action_getconfig(struct mansession *s, const struct message *m)
return 0;
}
- if (restrictedFile(fn)) {
+ ret = restrictedFile(fn);
+ if (ret == 1) {
astman_send_error(s, m, "File requires escalated priveledges");
return 0;
+ } else if (ret == -1) {
+ astman_send_error(s, m, "Config file not found");
+ return 0;
}
cfg = ast_config_load2(fn, "manager", config_flags);
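Review bot: restrictedFile() resolves the path but discards the result, and `ast_config_load2(fn, "manager", config_flags)` on the next line opens the original `fn`; a symlink under the configuration directory that is re-pointed between the realpath() call and the open is therefore not covered (check-then-use). Have restrictedFile() hand back the resolved path (an output parameter is enough) and load that instead of `fn`. While this block is being touched, the pre-existing error text "File requires escalated priveledges" should read "privileges".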
=====================================
res/res_pjproject.c
=====================================
@@ -398,7 +398,9 @@ static char *handle_pjproject_set_log_level(struct ast_cli_entry *e, int cmd, st
"\n"
" Set the maximum active pjproject logging level.\n"
" See pjproject.conf.sample for additional information\n"
- " about the various levels pjproject uses.\n";
+ " about the various levels pjproject uses.\n"
+ " Note: setting this level at 4 or above may result in\n"
+ " raw packet logging.\n";
return NULL;
case CLI_GENERATE:
return NULL;
=====================================
res/res_pjsip_header_funcs.c
=====================================
@@ -676,6 +676,7 @@ static int add_header(void *obj)
static int update_header(void *obj)
{
struct header_data *data = obj;
+ pj_pool_t *pool = data->channel->session->inv_session->dlg->pool;
pjsip_hdr *hdr = NULL;
RAII_VAR(struct ast_datastore *, datastore,
ast_sip_session_get_datastore(data->channel->session, data->header_datastore->type),
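Review bot: `pool` is obtained through data->channel->session->inv_session->dlg->pool at declaration time, before the datastore lookup and the function's existing validity checks run; if the session or dialog can be torn down on this path the dereference happens before the code that would have returned -1. Initialise `pool` immediately before the pj_strdup2() call instead, after those checks.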
@@ -694,7 +695,7 @@ static int update_header(void *obj)
return -1;
}
- pj_strcpy2(&((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value);
+ pj_strdup2(pool, &((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value);
return 0;
}
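Review bot: pj_strdup2() allocates the new value from the dialog pool, and pool memory is only released when the dialog is destroyed, so every update of the same header leaves the previous copy allocated for the lifetime of the call. That is the right trade-off against the out-of-bounds write of the previous pj_strcpy2(), but a comment should say so, and a dialplan loop that rewrites a header repeatedly will now grow the dialog's memory; if that matters, keep the existing buffer when `strlen(data->header_value) <= hvalue.slen` and only duplicate when the new value is longer.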
=====================================
res/res_rtp_asterisk.c
=====================================
@@ -3179,6 +3179,61 @@ static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t s
ast_debug_dtls(3, "(%p) DTLS - __rtp_recvfrom rtp=%p - Got SSL packet '%d'\n", instance, rtp, *in);
+ /*
+ * If ICE is in use, we can prevent a possible DOS attack
+ * by allowing DTLS protocol messages (client hello, etc)
+ * only from sources that are in the active remote
+ * candidates list.
+ */
+
+ if (rtp->ice) {
+ int pass_src_check = 0;
+ struct ao2_iterator i;
+ struct ast_rtp_engine_ice_candidate *candidate;
+ int cand_cnt = 0;
+
+ /*
+ * You'd think that this check would cause a "deadlock"
+ * because ast_rtp_ice_start_media calls dtls_perform_handshake
+ * before it sets ice_media_started = 1 so how can we do a
+ * handshake if we're dropping packets before we send them
+ * to openssl. Fortunately, dtls_perform_handshake just sets
+ * up openssl to do the handshake and doesn't actually perform it
+ * itself and the locking prevents __rtp_recvfrom from
+ * running before the ice_media_started flag is set. So only
+ * unexpected DTLS packets can get dropped here.
+ */
+ if (!rtp->ice_media_started) {
+ ast_log(LOG_WARNING, "%s: DTLS packet from %s dropped. ICE not completed yet.\n",
+ ast_rtp_instance_get_channel_id(instance),
+ ast_sockaddr_stringify(sa));
+ return 0;
+ }
+
+ /*
+ * If we got this far, then ice_active_remote_candidates
+ * can't be NULL.
+ */
+ i = ao2_iterator_init(rtp->ice_active_remote_candidates, 0);
+ while ((candidate = ao2_iterator_next(&i)) && (cand_cnt < PJ_ICE_MAX_CAND)) {
+ res = ast_sockaddr_cmp_addr(&candidate->address, sa);
+ ao2_ref(candidate, -1);
+ if (res == 0) {
+ pass_src_check = 1;
+ break;
+ }
+ cand_cnt++;
+ }
+ ao2_iterator_destroy(&i);
+
+ if (!pass_src_check) {
+ ast_log(LOG_WARNING, "%s: DTLS packet from %s dropped. Source not in ICE active candidate list.\n",
+ ast_rtp_instance_get_channel_id(instance),
+ ast_sockaddr_stringify(sa));
+ return 0;
+ }
+ }
+
/*
* A race condition is prevented between dtls_perform_handshake()
* and this function because both functions have to get the
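Review bot: both drop paths log at LOG_WARNING for every packet, so the unsolicited DTLS traffic this check is meant to neutralise now produces one warning line per packet and can flood the log, which is the class of problem the pjproject log-level change in this same release is addressing. Emit these through ast_debug_dtls() or rate-limit them. Two smaller points: ast_sockaddr_cmp_addr() compares the address only, so any source port at a candidate's address is accepted; if that is deliberate because of NAT port rewriting, say so in the comment, otherwise use ast_sockaddr_cmp() to include the port. The loop also assigns into `res` from the enclosing scope; a local `int` would make it obvious that the comparison result is not consumed later in the function.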
=====================================
third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch
=====================================
@@ -0,0 +1,28 @@
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index 4f483faa1..12439e3ee 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -2088,15 +2088,17 @@ PJ_DEF(pj_ssize_t) pjsip_tpmgr_receive_packet( pjsip_tpmgr *mgr,
+ * which were sent to keep NAT bindings.
+ */
+ if (tmp.slen) {
+- PJ_LOG(1, (THIS_FILE,
+- "Error processing %d bytes packet from %s %s:%d %.*s:\n"
+- "%.*s\n"
+- "-- end of packet.",
++ PJ_LOG(2, (THIS_FILE,
++ "Dropping %d bytes packet from %s %s:%d %.*s\n",
+ msg_fragment_size,
+ rdata->tp_info.transport->type_name,
+- rdata->pkt_info.src_name,
++ rdata->pkt_info.src_name,
+ rdata->pkt_info.src_port,
+- (int)tmp.slen, tmp.ptr,
++ (int)tmp.slen, tmp.ptr));
++ PJ_LOG(4, (THIS_FILE,
++ "Dropped packet:"
++ "%.*s\n"
++ "-- end of packet.",
+ (int)msg_fragment_size,
+ rdata->msg_info.msg_buf));
+ }
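Review bot: the level-4 message still prints `rdata->msg_info.msg_buf` verbatim with `%.*s`, so the attacker-supplied bytes (including terminal escape sequences and embedded newlines that can forge additional log lines) are written unmodified whenever debugging is enabled; the split only gates the exposure behind the log level, as the sample config note added in this release acknowledges. Escaping non-printable bytes before logging would remove the injection rather than hide it. The patch file also begins at the `diff --git` line with no description header (author, rationale, upstream reference), so the reason for the level split will not survive a pjproject rebase; add one.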
View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/-/compare/d99ba276a58370e32c94aa3ee1a76e866b70d577...87df34f880f5580a30af2134774b825c7dfa327e
More information about the Pkg-voip-maintainers mailing list