[Pkg-voip-commits] r4175 - in asterisk/branches/etch/debian: . patches
paravoid at alioth.debian.org
paravoid at alioth.debian.org
Tue Aug 21 02:47:16 UTC 2007
Author: paravoid
Date: 2007-08-21 02:47:16 +0000 (Tue, 21 Aug 2007)
New Revision: 4175
Added:
asterisk/branches/etch/debian/patches/CVE-2007-1306.dpatch
Modified:
asterisk/branches/etch/debian/changelog
asterisk/branches/etch/debian/patches/00list
Log:
- channels/chan_sip.c: If a SIP message comes in and goes to a method
handler that requires additional values that may not be present then
send back an error. (CVE-2007-1306)
Modified: asterisk/branches/etch/debian/changelog
===================================================================
--- asterisk/branches/etch/debian/changelog 2007-08-21 02:40:25 UTC (rev 4174)
+++ asterisk/branches/etch/debian/changelog 2007-08-21 02:47:16 UTC (rev 4175)
@@ -1,6 +1,9 @@
asterisk (1:1.2.13~dfsg-2etch1) stable-security; urgency=high
* Multiple upstream security fixes:
+ - channels/chan_sip.c: If a SIP message comes in and goes to a method
+ handler that requires additional values that may not be present then
+ send back an error. (CVE-2007-1306)
- channels/chan_sip.c: Only try to handle a response if it has a response
code. (ASA-2007-011, CVE-2007-1594)
- manager.c: Don't crash if a manager connection provides a username that
@@ -11,12 +14,12 @@
that the size of the destination buffer is known in the iax_frame so that
code won't write past the end of the allocated buffer when sending
outgoing frames. (ASA-2007-014, CVE-2007-3762)
+ - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
+ through a bridged IAX connection, the remote end will receive garbage
+ characters tacked onto the end. (CVE-2007-2488)
- channels/chan_iax2.c: After parsing information elements in IAX frames,
set the data length to zero, so that code later on does not think it has
data to copy. (ASA-2007-015, CVE-2007-3763)
- - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
- through a bridged IAX connection, the remote end will receive garbage
- characters tacked onto the end. (CVE-2007-2488)
- channels/chan_skinny.c: Properly check for the length in the skinny packet
to prevent an invalid memcpy. (ASA-2007-016, CVE-2007-3764)
* i386 binary packages in etch were unfortunately compiled in an unclean
@@ -24,7 +27,7 @@
Added a build dependency on that package to avoid regressions on a security
upload.
- -- Faidon Liambotis <paravoid at debian.org> Tue, 21 Aug 2007 05:10:05 +0300
+ -- Faidon Liambotis <paravoid at debian.org> Tue, 21 Aug 2007 05:42:58 +0300
asterisk (1:1.2.13~dfsg-2) unstable; urgency=low
Modified: asterisk/branches/etch/debian/patches/00list
===================================================================
--- asterisk/branches/etch/debian/patches/00list 2007-08-21 02:40:25 UTC (rev 4174)
+++ asterisk/branches/etch/debian/patches/00list 2007-08-21 02:47:16 UTC (rev 4175)
@@ -1,9 +1,10 @@
patch.CVE-2006-2898.dpatch
+CVE-2007-1306.dpatch
ASA-2007-011.dpatch
ASA-2007-012.dpatch
ASA-2007-014.dpatch
+CVE-2007-2488.dpatch
ASA-2007-015.dpatch
-CVE-2007-2488.dpatch
ASA-2007-016.dpatch
# ukcid probably conflicts with bristuff
ukcid
Added: asterisk/branches/etch/debian/patches/CVE-2007-1306.dpatch
===================================================================
--- asterisk/branches/etch/debian/patches/CVE-2007-1306.dpatch (rev 0)
+++ asterisk/branches/etch/debian/patches/CVE-2007-1306.dpatch 2007-08-21 02:47:16 UTC (rev 4175)
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-1306.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: channels/chan_sip.c: If a SIP message comes in and goes to a method
+## DP: handler that requires additional values that may not be present then
+## DP: send back an error.
+## DP: r57475, r58052 in upstream's SVN
+## DP: Security fix, CVE-2007-1306
+
+ at DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- a/channels/chan_sip.c (revision 56230)
++++ b/channels/chan_sip.c (revision 58052)
+@@ -11340,6 +11340,12 @@
+ }
+ }
+
++ if (!e && (p->method == SIP_INVITE || p->method == SIP_SUBSCRIBE || p->method == SIP_REGISTER)) {
++ transmit_response(p, "400 Bad request", req);
++ ast_set_flag(p, SIP_NEEDDESTROY);
++ return -1;
++ }
++
+ /* Handle various incoming SIP methods in requests */
+ switch (p->method) {
+ case SIP_OPTIONS:
More information about the Pkg-voip-commits
mailing list