[Pkg-voip-commits] r4175 - in asterisk/branches/etch/debian: . patches

paravoid at alioth.debian.org paravoid at alioth.debian.org
Tue Aug 21 02:47:16 UTC 2007 

Author: paravoid
Date: 2007-08-21 02:47:16 +0000 (Tue, 21 Aug 2007)
New Revision: 4175

Added:
   asterisk/branches/etch/debian/patches/CVE-2007-1306.dpatch
Modified:
   asterisk/branches/etch/debian/changelog
   asterisk/branches/etch/debian/patches/00list
Log:
  - channels/chan_sip.c: If a SIP message comes in and goes to a method
    handler that requires additional values that may not be present then
    send back an error. (CVE-2007-1306)


Modified: asterisk/branches/etch/debian/changelog
===================================================================
--- asterisk/branches/etch/debian/changelog	2007-08-21 02:40:25 UTC (rev 4174)
+++ asterisk/branches/etch/debian/changelog	2007-08-21 02:47:16 UTC (rev 4175)
@@ -1,6 +1,9 @@
 asterisk (1:1.2.13~dfsg-2etch1) stable-security; urgency=high
 
   * Multiple upstream security fixes:
+    - channels/chan_sip.c: If a SIP message comes in and goes to a method
+      handler that requires additional values that may not be present then
+      send back an error. (CVE-2007-1306)
     - channels/chan_sip.c: Only try to handle a response if it has a response
       code. (ASA-2007-011, CVE-2007-1594)
     - manager.c: Don't crash if a manager connection provides a username that
@@ -11,12 +14,12 @@
       that the size of the destination buffer is known in the iax_frame so that
       code won't write past the end of the allocated buffer when sending
       outgoing frames. (ASA-2007-014, CVE-2007-3762)
+    - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
+      through a bridged IAX connection, the remote end will receive garbage
+      characters tacked onto the end. (CVE-2007-2488)
     - channels/chan_iax2.c: After parsing information elements in IAX frames,
       set the data length to zero, so that code later on does not think it has
       data to copy. (ASA-2007-015, CVE-2007-3763)
-    - channels/chan_iax2.c: if a text frame is sent with no terminating NULL
-      through a bridged IAX connection, the remote end will receive garbage
-      characters tacked onto the end. (CVE-2007-2488)
     - channels/chan_skinny.c: Properly check for the length in the skinny packet
       to prevent an invalid memcpy. (ASA-2007-016, CVE-2007-3764)
   * i386 binary packages in etch were unfortunately compiled in an unclean
@@ -24,7 +27,7 @@
     Added a build dependency on that package to avoid regressions on a security
     upload.
 
- -- Faidon Liambotis <paravoid at debian.org>  Tue, 21 Aug 2007 05:10:05 +0300
+ -- Faidon Liambotis <paravoid at debian.org>  Tue, 21 Aug 2007 05:42:58 +0300
 
 asterisk (1:1.2.13~dfsg-2) unstable; urgency=low
 

Modified: asterisk/branches/etch/debian/patches/00list
===================================================================
--- asterisk/branches/etch/debian/patches/00list	2007-08-21 02:40:25 UTC (rev 4174)
+++ asterisk/branches/etch/debian/patches/00list	2007-08-21 02:47:16 UTC (rev 4175)
@@ -1,9 +1,10 @@
 patch.CVE-2006-2898.dpatch
+CVE-2007-1306.dpatch
 ASA-2007-011.dpatch
 ASA-2007-012.dpatch
 ASA-2007-014.dpatch
+CVE-2007-2488.dpatch
 ASA-2007-015.dpatch
-CVE-2007-2488.dpatch
 ASA-2007-016.dpatch
 # ukcid probably conflicts with bristuff
 ukcid

Added: asterisk/branches/etch/debian/patches/CVE-2007-1306.dpatch
===================================================================
--- asterisk/branches/etch/debian/patches/CVE-2007-1306.dpatch	                        (rev 0)
+++ asterisk/branches/etch/debian/patches/CVE-2007-1306.dpatch	2007-08-21 02:47:16 UTC (rev 4175)
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-1306.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: channels/chan_sip.c: If a SIP message comes in and goes to a method
+## DP: handler that requires additional values that may not be present then
+## DP: send back an error.
+## DP: r57475, r58052 in upstream's SVN
+## DP: Security fix, CVE-2007-1306
+
+ at DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- a/channels/chan_sip.c	(revision 56230)
++++ b/channels/chan_sip.c	(revision 58052)
+@@ -11340,6 +11340,12 @@
+ 		}
+ 	}
+ 
++	if (!e && (p->method == SIP_INVITE || p->method == SIP_SUBSCRIBE || p->method == SIP_REGISTER)) {
++		transmit_response(p, "400 Bad request", req);
++		ast_set_flag(p, SIP_NEEDDESTROY);
++		return -1;
++	}
++
+ 	/* Handle various incoming SIP methods in requests */
+ 	switch (p->method) {
+ 	case SIP_OPTIONS:

More information about the Pkg-voip-commits mailing list