[Pkg-voip-commits] r4230 - in asterisk/branches/sarge/debian: . patches

Thu Aug 23 00:39:06 UTC 2007

Author: paravoid
Date: 2007-08-23 00:39:06 +0000 (Thu, 23 Aug 2007)
New Revision: 4230

Added:
   asterisk/branches/sarge/debian/patches/99_CVE-2006-2898.dpatch
Modified:
   asterisk/branches/sarge/debian/changelog
   asterisk/branches/sarge/debian/patches/00list
Log:
* Non-maintainer upload by the Security Team
* Applied upstream patch to fix denial of service [channels/chan_iax2.c,
  debian/patches/99_CVE-2006-2898.dpatch]

Modified: asterisk/branches/sarge/debian/changelog
===================================================================

--- asterisk/branches/sarge/debian/changelog	2007-08-23 00:37:45 UTC (rev 4229)
+++ asterisk/branches/sarge/debian/changelog	2007-08-23 00:39:06 UTC (rev 4230)
@@ -1,3 +1,11 @@
+asterisk (1:1.0.7.dfsg.1-2sarge3) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Applied upstream patch to fix denial of service [channels/chan_iax2.c,
+    debian/patches/99_CVE-2006-2898.dpatch]
+
+ -- Martin Schulze <joey at infodrom.org>  Wed,  7 Jun 2006 16:48:43 +0200
+
 asterisk (1:1.0.7.dfsg.1-2sarge2) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team

Modified: asterisk/branches/sarge/debian/patches/00list
===================================================================
--- asterisk/branches/sarge/debian/patches/00list	2007-08-23 00:37:45 UTC (rev 4229)
+++ asterisk/branches/sarge/debian/patches/00list	2007-08-23 00:39:06 UTC (rev 4230)
@@ -15,3 +15,4 @@
 30_debian-zaptel.dpatch
 99_CVE-2005-3559.dpatch
 99_CVE-2006-1827.dpatch
+99_CVE-2006-2898.dpatch

Added: asterisk/branches/sarge/debian/patches/99_CVE-2006-2898.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_CVE-2006-2898.dpatch	                        (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_CVE-2006-2898.dpatch	2007-08-23 00:39:06 UTC (rev 4230)
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2006-NNNN.dpatch by Joey Schulze <joey at debian.org>
+##
+## DP: Bug in the IAX2 channel allows remote attackers to craft
+## DP: a denial of service.
+
+ at DPATCH@
+--- asterisk-1.0.7.dfsg.1.orig/channels/chan_iax2.c	2005-03-18 18:30:05.000000000 +0100
+ ++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c	2006-06-07 08:17:19.000000000 +0200
+@@ -5064,10 +5064,20 @@ static int socket_read(int *id, int fd, 
+ 		return 1;
+ 	}
+ 	if ((vh->zeros == 0) && (ntohs(vh->callno) & 0x8000)) {
++		if (res < sizeof(*vh)) {
++			ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' that is flagged as a mini video frame but is too short\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
++			return 1;
++			
++		}
+ 		/* This is a video frame, get call number */
+ 		fr.callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, &sin, new, 1);
+ 		minivid = 1;
+-	} else if (meta->zeros == 0) {
++	} else if ((meta->zeros == 0) && !(ntohs(meta->metacmd) & 0x8000)) {
++		if (res < sizeof(*meta)) {
++			ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' that is flagged as a meta frame but is too short\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
++			return 1;
++			
++		}
+ 		/* This is a meta header */
+ 		switch(meta->metacmd) {
+ 		case IAX_META_TRUNK:
+@@ -5164,7 +5174,7 @@ static int socket_read(int *id, int fd, 
+ 	if (iaxdebug)
+ 		iax_showframe(NULL, fh, 1, &sin, res - sizeof(struct ast_iax2_full_hdr));
+ #endif
+-	if (ntohs(mh->callno) & IAX_FLAG_FULL) {
++	if ((res >= sizeof(*fh)) && ntohs(mh->callno) & IAX_FLAG_FULL) {
+ 		/* Get the destination call number */
+ 		dcallno = ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS;
+ 		/* Retrieve the type and subclass */


