[Pkg-voip-commits] r5017 - in /opal/branches: ./ build-area etch/ etch/debian/changelog etch/debian/patches/00list etch/debian/patches/CVE-2007-4924.dpatch lenny/ lenny/debian/changelog lenny/debian/patches/00list lenny/debian/patches/CVE-2007-4924.dpatch tarballs
kilian at alioth.debian.org
Tue Dec 4 11:30:57 UTC 2007
Author: kilian
Date: Tue Dec 4 11:30:57 2007
New Revision: 5017
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=5017
Log:
prepare branches fixing CVE-2007-4924.
Added:
opal/branches/
opal/branches/build-area (with props)
opal/branches/etch/
- copied from r5015, opal/tags/2.2.3.dfsg-3/
opal/branches/etch/debian/patches/CVE-2007-4924.dpatch
opal/branches/lenny/
- copied from r5015, opal/tags/2.2.3.dfsg-3/
opal/branches/lenny/debian/patches/CVE-2007-4924.dpatch
opal/branches/tarballs (with props)
Modified:
opal/branches/etch/debian/changelog
opal/branches/etch/debian/patches/00list
opal/branches/lenny/debian/changelog
opal/branches/lenny/debian/patches/00list
Added: opal/branches/build-area
URL: http://svn.debian.org/wsvn/pkg-voip/opal/branches/build-area?rev=5017&op=file
==============================================================================
--- opal/branches/build-area (added)
+++ opal/branches/build-area Tue Dec 4 11:30:57 2007
@@ -1,0 +1,1 @@
+link ../build-area
Propchange: opal/branches/build-area
------------------------------------------------------------------------------
svn:special = *
Modified: opal/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/opal/branches/etch/debian/changelog?rev=5017&op=diff
==============================================================================
--- opal/branches/etch/debian/changelog (original)
+++ opal/branches/etch/debian/changelog Tue Dec 4 11:30:57 2007
@@ -1,3 +1,12 @@
+opal (2.2.3.dfsg-3+etch1) stable-security; urgency=high
+
+ * Fix CVE-2007-4924: OPAL allows remote attackers to cause a denial of
+ service (crash) via an invalid Content-Length header field in Session
+ Initiation Protocol (SIP) packets, which causes a \0 byte to be written to
+ an "attacker-controlled address." (Closes: #454141)
+
+ -- Kilian Krause <kilian at debian.org> Tue, 4 Dec 2007 12:28:48 +0100
+
opal (2.2.3.dfsg-3) unstable; urgency=high
* Conflict with openmpi-dev to make sure we don't have a filename clash
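Review bot: The new 2.2.3.dfsg-3+etch1 entry documents only the Content-Length fix, but the CVE-2007-4924.dpatch added in this same revision also changes `if (port != 0)` to `if (port > 0)` in src/sip/sippdu.cxx. For a stable-security upload, either list that second change in the entry with its reason, or drop it from the patch so the upload carries only the CVE fix.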
Modified: opal/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/opal/branches/etch/debian/patches/00list?rev=5017&op=diff
==============================================================================
--- opal/branches/etch/debian/patches/00list (original)
+++ opal/branches/etch/debian/patches/00list Tue Dec 4 11:30:57 2007
@@ -1,2 +1,3 @@
libname
remove_ilbc
+CVE-2007-4924
Added: opal/branches/etch/debian/patches/CVE-2007-4924.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/opal/branches/etch/debian/patches/CVE-2007-4924.dpatch?rev=5017&op=file
==============================================================================
--- opal/branches/etch/debian/patches/CVE-2007-4924.dpatch (added)
+++ opal/branches/etch/debian/patches/CVE-2007-4924.dpatch Tue Dec 4 11:30:57 2007
@@ -1,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-4924.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad opal-2.2.3.dfsg~/src/sip/sippdu.cxx opal-2.2.3.dfsg/src/sip/sippdu.cxx
+--- opal-2.2.3.dfsg~/src/sip/sippdu.cxx 2006-08-07 22:07:46.000000000 +0200
++++ opal-2.2.3.dfsg/src/sip/sippdu.cxx 2007-12-02 23:12:31.000000000 +0100
+@@ -656,7 +656,7 @@
+ else
+ addr += hostname;
+
+- if (port != 0)
++ if (port > 0)
+ addr.sprintf(":%u", port);
+
+ return addr;
+@@ -1815,8 +1815,18 @@
+ // if no content length is specified (which is not the same as zero length)
+ // then read until plausible end of header marker
+ PINDEX contentLength = mime.GetContentLength();
+- if (contentLength > 0)
++ // assume entity bodies can't be longer than a UDP packet
++ if (contentLength > 1500) {
++ PTRACE(2, "SIP\tImplausibly long Content-Length " << contentLength << " received on " << transport);
++ return FALSE;
++ }
++ else if (contentLength < 0) {
++ PTRACE(2, "SIP\tImpossible negative Content-Length on " << transport);
++ return FALSE;
++ }
++ if (contentLength > 0){
+ transport.read(entityBody.GetPointer(contentLength+1), contentLength);
++ }
+
+ else if (!mime.IsContentLengthPresent()) {
+ PBYTEArray pp;
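Review bot: The upper bound in the second sippdu.cxx hunk, `if (contentLength > 1500)`, rests on the comment's assumption that a body cannot exceed a UDP packet, yet 1500 is the usual Ethernet MTU, a UDP datagram can be far larger, and SIP also runs over TCP, where bigger bodies are legitimate. The check applies to whatever `transport` is, so valid messages with larger bodies are now dropped with `return FALSE`; consider a named constant tied to the transport's real maximum instead of the literal. Separately, the result of `transport.read(entityBody.GetPointer(contentLength+1), contentLength);` is not checked in the visible lines, so a short read would leave a partly filled body that looks complete.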
Modified: opal/branches/lenny/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/opal/branches/lenny/debian/changelog?rev=5017&op=diff
==============================================================================
--- opal/branches/lenny/debian/changelog (original)
+++ opal/branches/lenny/debian/changelog Tue Dec 4 11:30:57 2007
@@ -1,3 +1,12 @@
+opal (2.2.3.dfsg-3+lenny1) testing-security; urgency=high
+
+ * Fix CVE-2007-4924: OPAL allows remote attackers to cause a denial of
+ service (crash) via an invalid Content-Length header field in Session
+ Initiation Protocol (SIP) packets, which causes a \0 byte to be written to
+ an "attacker-controlled address." (Closes: #454141)
+
+ -- Kilian Krause <kilian at debian.org> Tue, 4 Dec 2007 12:28:48 +0100
+
opal (2.2.3.dfsg-3) unstable; urgency=high
* Conflict with openmpi-dev to make sure we don't have a filename clash
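Review bot: The 2.2.3.dfsg-3+lenny1 entry repeats the CVE description but does not say what the fix does. The patch makes the SIP reader reject any message whose Content-Length is above 1500 or below 0, which is a behaviour change users may run into; add a line stating that limit so it can be found from the changelog.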
Modified: opal/branches/lenny/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/opal/branches/lenny/debian/patches/00list?rev=5017&op=diff
==============================================================================
--- opal/branches/lenny/debian/patches/00list (original)
+++ opal/branches/lenny/debian/patches/00list Tue Dec 4 11:30:57 2007
@@ -1,2 +1,3 @@
libname
remove_ilbc
+CVE-2007-4924
Added: opal/branches/lenny/debian/patches/CVE-2007-4924.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/opal/branches/lenny/debian/patches/CVE-2007-4924.dpatch?rev=5017&op=file
==============================================================================
--- opal/branches/lenny/debian/patches/CVE-2007-4924.dpatch (added)
+++ opal/branches/lenny/debian/patches/CVE-2007-4924.dpatch Tue Dec 4 11:30:57 2007
@@ -1,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-4924.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad opal-2.2.3.dfsg~/src/sip/sippdu.cxx opal-2.2.3.dfsg/src/sip/sippdu.cxx
+--- opal-2.2.3.dfsg~/src/sip/sippdu.cxx 2006-08-07 22:07:46.000000000 +0200
++++ opal-2.2.3.dfsg/src/sip/sippdu.cxx 2007-12-02 23:12:31.000000000 +0100
+@@ -656,7 +656,7 @@
+ else
+ addr += hostname;
+
+- if (port != 0)
++ if (port > 0)
+ addr.sprintf(":%u", port);
+
+ return addr;
+@@ -1815,8 +1815,18 @@
+ // if no content length is specified (which is not the same as zero length)
+ // then read until plausible end of header marker
+ PINDEX contentLength = mime.GetContentLength();
+- if (contentLength > 0)
++ // assume entity bodies can't be longer than a UDP packet
++ if (contentLength > 1500) {
++ PTRACE(2, "SIP\tImplausibly long Content-Length " << contentLength << " received on " << transport);
++ return FALSE;
++ }
++ else if (contentLength < 0) {
++ PTRACE(2, "SIP\tImpossible negative Content-Length on " << transport);
++ return FALSE;
++ }
++ if (contentLength > 0){
+ transport.read(entityBody.GetPointer(contentLength+1), contentLength);
++ }
+
+ else if (!mime.IsContentLengthPresent()) {
+ PBYTEArray pp;
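Review bot: The dpatch header still reads `## DP: No description.`, so anyone reading the patch series learns nothing about what this security patch does; replace it with a short description naming CVE-2007-4924 and the Content-Length bounds check. In the first sippdu.cxx hunk the declaration of `port` is not visible: if it is unsigned, `port > 0` is equivalent to the old `port != 0` and the change has no effect, and if it is signed, `%u` is not the matching conversion for it. Either way the reason for that change should be stated, since it is unrelated to the Content-Length handling.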
Added: opal/branches/tarballs
URL: http://svn.debian.org/wsvn/pkg-voip/opal/branches/tarballs?rev=5017&op=file
==============================================================================
--- opal/branches/tarballs (added)
+++ opal/branches/tarballs Tue Dec 4 11:30:57 2007
@@ -1,0 +1,1 @@
+link ../tarballs
Propchange: opal/branches/tarballs
------------------------------------------------------------------------------
svn:special = *