[Pkg-voip-commits] r5594 - in /asterisk/branches/etch/debian: changelog patches/00list patches/AST-2008-006.dpatch
tzafrir-guest at alioth.debian.org
tzafrir-guest at alioth.debian.org
Wed Apr 23 07:50:06 UTC 2008
Author: tzafrir-guest
Date: Wed Apr 23 07:50:05 2008
New Revision: 5594
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=5594
Log:
New upstream bugfix release: AST-2008-006 / CVE-2008-1897 .
Added:
asterisk/branches/etch/debian/patches/AST-2008-006.dpatch (with props)
Modified:
asterisk/branches/etch/debian/changelog
asterisk/branches/etch/debian/patches/00list
Modified: asterisk/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/changelog?rev=5594&op=diff
==============================================================================
--- asterisk/branches/etch/debian/changelog (original)
+++ asterisk/branches/etch/debian/changelog Wed Apr 23 07:50:05 2008
@@ -1,3 +1,9 @@
+asterisk (1:1.2.13~dfsg-2etch4) UNRELEASED; urgency=low
+
+ * New upstream bugfix release: AST-2008-006 / CVE-2008-1897 .
+
+ -- Tzafrir Cohen <tzafrir.cohen at xorcom.com> Wed, 23 Apr 2008 10:42:58 +0300
+
asterisk (1:1.2.13~dfsg-2etch3) stable-security; urgency=high
* Fix an authentication bypass vulnerability that could be exploited when
Modified: asterisk/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/00list?rev=5594&op=diff
==============================================================================
--- asterisk/branches/etch/debian/patches/00list (original)
+++ asterisk/branches/etch/debian/patches/00list Wed Apr 23 07:50:05 2008
@@ -11,6 +11,7 @@
AST-2007-027.dpatch
AST-2008-003.dpatch
AST-2008-004.dpatch
+AST-2008-006.dpatch
# ukcid probably conflicts with bristuff
ukcid
option_detach
Added: asterisk/branches/etch/debian/patches/AST-2008-006.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2008-006.dpatch?rev=5594&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2008-006.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2008-006.dpatch Wed Apr 23 07:50:05 2008
@@ -1,0 +1,333 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2008-006.dpatch by Tzafrir Cohen <tzafrir.cohen at xorcom.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: A fix for AST-2008-006: Remote amplification attack on Asterisk.
+## DP: CVE Entry: CVE-2008-1897
+## DP: http://downloads.digium.com/pub/security/AST-2008-006.html
+
+ at DPATCH@
+diff -urNad asterisk-1.2.13~dfsg~/channels/chan_iax2.c asterisk-1.2.13~dfsg/channels/chan_iax2.c
+--- asterisk-1.2.13~dfsg~/channels/chan_iax2.c 2006-10-13 18:18:08.000000000 +0200
++++ asterisk-1.2.13~dfsg/channels/chan_iax2.c 2008-04-23 10:16:33.000000000 +0300
+@@ -958,13 +958,13 @@
+ #define NEW_ALLOW 1
+ #define NEW_FORCE 2
+
+-static int match(struct sockaddr_in *sin, unsigned short callno, unsigned short dcallno, struct chan_iax2_pvt *cur)
++static int match(struct sockaddr_in *sin, unsigned short callno, unsigned short dcallno, struct chan_iax2_pvt *cur, int full_frame)
+ {
+ if ((cur->addr.sin_addr.s_addr == sin->sin_addr.s_addr) &&
+ (cur->addr.sin_port == sin->sin_port)) {
+ /* This is the main host */
+- if ((cur->peercallno == callno) ||
+- ((dcallno == cur->callno) && !cur->peercallno)) {
++ if ( (cur->peercallno == 0 || cur->peercallno == callno) &&
++ (full_frame ? dcallno == cur->callno : 1) ) {
+ /* That's us. Be sure we keep track of the peer call number */
+ return 1;
+ }
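Review bot: The new test in `match()` requires `dcallno == cur->callno` for every full frame, so a full frame that legitimately arrives with a destination call number of 0 (for example a retransmitted initial frame sent before the peer has learned our call number) appears to stop matching the existing call that `cur->peercallno == callno` alone used to select. With `new >= NEW_ALLOW` that could allocate a second call for the same peer, so it is worth confirming which frame types may carry dcallno 0. The condition would read more plainly as `(!full_frame || dcallno == cur->callno)`, with a comment such as `/* Full frames carry our call number; require it so the source call number alone cannot select this call */`. `match()` continues below the hunk, so whether the transfer-address branch gets the same check cannot be seen here.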
+@@ -1053,7 +1053,7 @@
+ return res;
+ }
+
+-static int find_callno(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int new, int lockpeer, int sockfd)
++static int find_callno(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int new, int lockpeer, int sockfd, int full_frame)
+ {
+ int res = 0;
+ int x;
+@@ -1066,7 +1066,7 @@
+ ast_mutex_lock(&iaxsl[x]);
+ if (iaxs[x]) {
+ /* Look for an exact match */
+- if (match(sin, callno, dcallno, iaxs[x])) {
++ if (match(sin, callno, dcallno, iaxs[x], full_frame)) {
+ res = x;
+ }
+ }
+@@ -1076,7 +1076,7 @@
+ ast_mutex_lock(&iaxsl[x]);
+ if (iaxs[x]) {
+ /* Look for an exact match */
+- if (match(sin, callno, dcallno, iaxs[x])) {
++ if (match(sin, callno, dcallno, iaxs[x], full_frame)) {
+ res = x;
+ }
+ }
+@@ -1084,17 +1084,34 @@
+ }
+ }
+ if ((res < 1) && (new >= NEW_ALLOW)) {
++ int start, found = 0;
++
+ if (!iax2_getpeername(*sin, host, sizeof(host), lockpeer))
+ snprintf(host, sizeof(host), "%s:%d", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), ntohs(sin->sin_port));
++
+ gettimeofday(&now, NULL);
+- for (x=1;x<TRUNK_CALL_START;x++) {
++
++ start = 1 + (rand() % (TRUNK_CALL_START - 1));
++ for (x = start; 1; x++) {
++ if (x == TRUNK_CALL_START) {
++ x = 0;
++ continue;
++ }
++
+ /* Find first unused call number that hasn't been used in a while */
+ ast_mutex_lock(&iaxsl[x]);
+- if (!iaxs[x] && ((now.tv_sec - lastused[x].tv_sec) > MIN_REUSE_TIME)) break;
++ if (!iaxs[x] && ((now.tv_sec - lastused[x].tv_sec) > MIN_REUSE_TIME)) {
++ found = 1;
++ break;
++ }
+ ast_mutex_unlock(&iaxsl[x]);
++
++ if (x == start - 1) {
++ break;
++ }
+ }
+ /* We've still got lock held if we found a spot */
+- if (x >= TRUNK_CALL_START) {
++ if (x == start - 1 && !found) {
+ ast_log(LOG_WARNING, "No more space\n");
+ return 0;
+ }
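Review bot: The wrap-around scan never terminates when `start` is 1 and no call number is free: the exit test `x == start - 1` then compares against 0, but `x` is 0 only between `x = 0` and the increment that `continue` triggers, so the loop keeps cycling through 1..TRUNK_CALL_START-1 while taking and releasing every lock. A full call table is a state a remote peer can plausibly drive, so the failure path has to be bounded; counting iterations instead of comparing positions also lets the final check become `if (!found)`. Separately, `rand()` makes the starting slot only as unpredictable as its seeding, which is not visible in this hunk, so a stronger source is preferable if the call number is meant to be hard to guess. `find_callno()` begins and ends outside the hunk.

```c
	int start, tries, found = 0;

	/* … unchanged: host lookup and gettimeofday() … */

	start = 1 + (rand() % (TRUNK_CALL_START - 1));
	for (tries = 0, x = start; tries < TRUNK_CALL_START - 1; tries++) {
		/* Find first unused call number that hasn't been used in a while */
		ast_mutex_lock(&iaxsl[x]);
		if (!iaxs[x] && ((now.tv_sec - lastused[x].tv_sec) > MIN_REUSE_TIME)) {
			found = 1;
			break;
		}
		ast_mutex_unlock(&iaxsl[x]);
		/* Wrap to the first usable slot; slot 0 is never handed out */
		if (++x == TRUNK_CALL_START)
			x = 1;
	}
	/* We've still got lock held if we found a spot */
	if (!found) {
		/* … unchanged: log "No more space" and return 0 … */
```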
+@@ -6421,7 +6438,7 @@
+ }
+
+ /* This is a video frame, get call number */
+- fr->callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, &sin, new, 1, fd);
++ fr->callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, &sin, new, 1, fd, 0);
+ minivid = 1;
+ } else if ((meta->zeros == 0) && !(ntohs(meta->metacmd) & 0x8000)) {
+ unsigned char metatype;
+@@ -6479,7 +6496,7 @@
+ /* Stop if we don't have enough data */
+ if (len > res)
+ break;
+- fr->callno = find_callno(callno & ~IAX_FLAG_FULL, 0, &sin, NEW_PREVENT, 1, fd);
++ fr->callno = find_callno(callno & ~IAX_FLAG_FULL, 0, &sin, NEW_PREVENT, 1, fd, 0);
+ if (fr->callno) {
+ ast_mutex_lock(&iaxsl[fr->callno]);
+ /* If it's a valid call, deliver the contents. If not, we
+@@ -6582,7 +6599,7 @@
+ }
+
+ if (!fr->callno)
+- fr->callno = find_callno(ntohs(mh->callno) & ~IAX_FLAG_FULL, dcallno, &sin, new, 1, fd);
++ fr->callno = find_callno(ntohs(mh->callno) & ~IAX_FLAG_FULL, dcallno, &sin, new, 1, fd, ntohs(mh->callno) & IAX_FLAG_FULL);
+
+ if (fr->callno > 0)
+ ast_mutex_lock(&iaxsl[fr->callno]);
+@@ -7749,7 +7766,7 @@
+ if (!reg->callno) {
+ if (option_debug)
+ ast_log(LOG_DEBUG, "Allocate call number\n");
+- reg->callno = find_callno(0, 0, ®->addr, NEW_FORCE, 1, defaultsockfd);
++ reg->callno = find_callno(0, 0, ®->addr, NEW_FORCE, 1, defaultsockfd, 0);
+ if (reg->callno < 1) {
+ ast_log(LOG_WARNING, "Unable to create call for registration\n");
+ return -1;
+@@ -7809,7 +7826,7 @@
+ memset(&ied, 0, sizeof(ied));
+ iax_ie_append_raw(&ied, IAX_IE_PROVISIONING, provdata.buf, provdata.pos);
+
+- callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd);
++ callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd, 0);
+ if (!callno)
+ return -1;
+
+@@ -7927,7 +7944,7 @@
+ }
+ if (heldcall)
+ ast_mutex_unlock(&iaxsl[heldcall]);
+- peer->callno = find_callno(0, 0, &peer->addr, NEW_FORCE, 0, peer->sockfd);
++ peer->callno = find_callno(0, 0, &peer->addr, NEW_FORCE, 0, peer->sockfd, 0);
+ if (heldcall)
+ ast_mutex_lock(&iaxsl[heldcall]);
+ if (peer->callno < 1) {
+@@ -7995,7 +8012,7 @@
+ if (pds.port)
+ sin.sin_port = htons(atoi(pds.port));
+
+- callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd);
++ callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd, 0);
+ if (callno < 1) {
+ ast_log(LOG_WARNING, "Unable to create call\n");
+ *cause = AST_CAUSE_CONGESTION;
+@@ -9034,7 +9051,7 @@
+ ast_log(LOG_DEBUG, "peer: %s, username: %s, password: %s, context: %s\n",
+ pds.peer, pds.username, pds.password, pds.context);
+
+- callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd);
++ callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd, 0);
+ if (callno < 1) {
+ ast_log(LOG_WARNING, "Unable to create call\n");
+ return -1;
+diff -urNad asterisk-1.2.13~dfsg~/diff asterisk-1.2.13~dfsg/diff
+--- asterisk-1.2.13~dfsg~/diff 1970-01-01 02:00:00.000000000 +0200
++++ asterisk-1.2.13~dfsg/diff 2008-04-23 10:16:01.000000000 +0300
+@@ -0,0 +1,163 @@
++Index: channels/chan_iax2.c
++===================================================================
++--- channels/chan_iax2.c (revision 114560)
+++++ channels/chan_iax2.c (revision 114561)
++@@ -967,13 +967,13 @@
++ #define NEW_ALLOW 1
++ #define NEW_FORCE 2
++
++-static int match(struct sockaddr_in *sin, unsigned short callno, unsigned short dcallno, struct chan_iax2_pvt *cur)
+++static int match(struct sockaddr_in *sin, unsigned short callno, unsigned short dcallno, struct chan_iax2_pvt *cur, int full_frame)
++ {
++ if ((cur->addr.sin_addr.s_addr == sin->sin_addr.s_addr) &&
++ (cur->addr.sin_port == sin->sin_port)) {
++ /* This is the main host */
++- if ((cur->peercallno == callno) ||
++- ((dcallno == cur->callno) && !cur->peercallno)) {
+++ if ( (cur->peercallno == 0 || cur->peercallno == callno) &&
+++ (full_frame ? dcallno == cur->callno : 1) ) {
++ /* That's us. Be sure we keep track of the peer call number */
++ return 1;
++ }
++@@ -1062,7 +1062,7 @@
++ return res;
++ }
++
++-static int find_callno(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int new, int lockpeer, int sockfd)
+++static int find_callno(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int new, int lockpeer, int sockfd, int full_frame)
++ {
++ int res = 0;
++ int x;
++@@ -1075,7 +1075,7 @@
++ ast_mutex_lock(&iaxsl[x]);
++ if (iaxs[x]) {
++ /* Look for an exact match */
++- if (match(sin, callno, dcallno, iaxs[x])) {
+++ if (match(sin, callno, dcallno, iaxs[x], full_frame)) {
++ res = x;
++ }
++ }
++@@ -1085,7 +1085,7 @@
++ ast_mutex_lock(&iaxsl[x]);
++ if (iaxs[x]) {
++ /* Look for an exact match */
++- if (match(sin, callno, dcallno, iaxs[x])) {
+++ if (match(sin, callno, dcallno, iaxs[x], full_frame)) {
++ res = x;
++ }
++ }
++@@ -1093,6 +1093,8 @@
++ }
++ }
++ if ((res < 1) && (new >= NEW_ALLOW)) {
+++ int start, found = 0;
+++
++ if (!iax2_getpeername(*sin, host, sizeof(host), lockpeer))
++ snprintf(host, sizeof(host), "%s:%d", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), ntohs(sin->sin_port));
++ gettimeofday(&now, NULL);
++@@ -1101,15 +1103,30 @@
++ * correct, but it will be changed if needed after authentication. */
++ if (!iax2_getpeername(*sin, host, sizeof(host), lockpeer))
++ snprintf(host, sizeof(host), "%s:%d", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), ntohs(sin->sin_port));
+++
++ gettimeofday(&now, NULL);
++- for (x=1;x<TRUNK_CALL_START;x++) {
+++
+++ start = 1 + (rand() % (TRUNK_CALL_START - 1));
+++ for (x = start; 1; x++) {
+++ if (x == TRUNK_CALL_START) {
+++ x = 0;
+++ continue;
+++ }
+++
++ /* Find first unused call number that hasn't been used in a while */
++ ast_mutex_lock(&iaxsl[x]);
++- if (!iaxs[x] && ((now.tv_sec - lastused[x].tv_sec) > MIN_REUSE_TIME)) break;
+++ if (!iaxs[x] && ((now.tv_sec - lastused[x].tv_sec) > MIN_REUSE_TIME)) {
+++ found = 1;
+++ break;
+++ }
++ ast_mutex_unlock(&iaxsl[x]);
+++
+++ if (x == start - 1) {
+++ break;
+++ }
++ }
++ /* We've still got lock held if we found a spot */
++- if (x >= TRUNK_CALL_START) {
+++ if (x == start - 1 && !found) {
++ ast_log(LOG_WARNING, "No more space\n");
++ return 0;
++ }
++@@ -6521,7 +6538,7 @@
++ }
++
++ /* This is a video frame, get call number */
++- fr->callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, &sin, new, 1, fd);
+++ fr->callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, &sin, new, 1, fd, 0);
++ minivid = 1;
++ } else if ((meta->zeros == 0) && !(ntohs(meta->metacmd) & 0x8000)) {
++ unsigned char metatype;
++@@ -6579,7 +6596,7 @@
++ /* Stop if we don't have enough data */
++ if (len > res)
++ break;
++- fr->callno = find_callno(callno & ~IAX_FLAG_FULL, 0, &sin, NEW_PREVENT, 1, fd);
+++ fr->callno = find_callno(callno & ~IAX_FLAG_FULL, 0, &sin, NEW_PREVENT, 1, fd, 0);
++ if (fr->callno) {
++ ast_mutex_lock(&iaxsl[fr->callno]);
++ /* If it's a valid call, deliver the contents. If not, we
++@@ -6682,7 +6699,7 @@
++ }
++
++ if (!fr->callno)
++- fr->callno = find_callno(ntohs(mh->callno) & ~IAX_FLAG_FULL, dcallno, &sin, new, 1, fd);
+++ fr->callno = find_callno(ntohs(mh->callno) & ~IAX_FLAG_FULL, dcallno, &sin, new, 1, fd, ntohs(mh->callno) & IAX_FLAG_FULL);
++
++ if (fr->callno > 0)
++ ast_mutex_lock(&iaxsl[fr->callno]);
++@@ -7879,7 +7896,7 @@
++ if (!reg->callno) {
++ if (option_debug)
++ ast_log(LOG_DEBUG, "Allocate call number\n");
++- reg->callno = find_callno(0, 0, ®->addr, NEW_FORCE, 1, defaultsockfd);
+++ reg->callno = find_callno(0, 0, ®->addr, NEW_FORCE, 1, defaultsockfd, 0);
++ if (reg->callno < 1) {
++ ast_log(LOG_WARNING, "Unable to create call for registration\n");
++ return -1;
++@@ -7939,7 +7956,7 @@
++ memset(&ied, 0, sizeof(ied));
++ iax_ie_append_raw(&ied, IAX_IE_PROVISIONING, provdata.buf, provdata.pos);
++
++- callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd);
+++ callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd, 0);
++ if (!callno)
++ return -1;
++
++@@ -8057,7 +8074,7 @@
++ }
++ if (heldcall)
++ ast_mutex_unlock(&iaxsl[heldcall]);
++- peer->callno = find_callno(0, 0, &peer->addr, NEW_FORCE, 0, peer->sockfd);
+++ peer->callno = find_callno(0, 0, &peer->addr, NEW_FORCE, 0, peer->sockfd, 0);
++ if (heldcall)
++ ast_mutex_lock(&iaxsl[heldcall]);
++ if (peer->callno < 1) {
++@@ -8125,7 +8142,7 @@
++ if (pds.port)
++ sin.sin_port = htons(atoi(pds.port));
++
++- callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd);
+++ callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd, 0);
++ if (callno < 1) {
++ ast_log(LOG_WARNING, "Unable to create call\n");
++ *cause = AST_CAUSE_CONGESTION;
++@@ -9216,7 +9233,7 @@
++ ast_log(LOG_DEBUG, "peer: %s, username: %s, password: %s, context: %s\n",
++ pds.peer, pds.username, pds.password, pds.context);
++
++- callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd);
+++ callno = find_callno(0, 0, &sin, NEW_FORCE, 1, cai.sockfd, 0);
++ if (callno < 1) {
++ ast_log(LOG_WARNING, "Unable to create call\n");
++ return -1;
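Review bot: The dpatch carries a second file section, `asterisk-1.2.13~dfsg/diff`, which creates a new 163-line file named `diff` in the source root instead of patching any source file. Its content is a copy of the upstream svn change to `channels/chan_iax2.c` (revision 114560 to 114561), so it looks like a leftover from preparing the backport and should be dropped from the dpatch. Its offsets differ from the section that is actually applied and it contains an extra hunk (`@@ -1093,6 +1093,8 @@`), so it is not an accurate record of what the package ships either. If the upstream reference is wanted, a `## DP:` line naming the revision is enough.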
Propchange: asterisk/branches/etch/debian/patches/AST-2008-006.dpatch
------------------------------------------------------------------------------
svn:executable = *