[Pkg-voip-commits] r5983 - in /asterisk/branches/etch/debian: changelog patches/00list patches/AST-2008-010.dpatch patches/AST-2008-011.dpatch
tzafrir-guest at alioth.debian.org
tzafrir-guest at alioth.debian.org
Wed Jul 23 19:05:44 UTC 2008
Author: tzafrir-guest
Date: Wed Jul 23 19:05:44 2008
New Revision: 5983
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=5983
Log:
* Fix for AST-2008-010 (CVE-2008-3263) IAX potential DoS attack,
* Fix for AST-2008-011 (CVE-2008-3264) - IAX provisioning firmware
downloading protocol is a traffic amplifier. It has been disabled by
default.
* To re-enable it set "allowfwdownload = yes" in iaxprov.conf
Added:
asterisk/branches/etch/debian/patches/AST-2008-010.dpatch
asterisk/branches/etch/debian/patches/AST-2008-011.dpatch
Modified:
asterisk/branches/etch/debian/changelog
asterisk/branches/etch/debian/patches/00list
Modified: asterisk/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/changelog?rev=5983&op=diff
==============================================================================
--- asterisk/branches/etch/debian/changelog (original)
+++ asterisk/branches/etch/debian/changelog Wed Jul 23 19:05:44 2008
@@ -1,3 +1,13 @@
+asterisk (1:1.2.13~dfsg-2etch6) UNRELEASED; urgency=high
+
+ * Fix for AST-2008-010 (CVE-2008-3263) IAX potential DoS attack,
+ * Fix for AST-2008-011 (CVE-2008-3264) - IAX provisioning firmware
+ downloading protocol is a traffic amplifier. It has been disabled by
+ default.
+ * To re-enable it set "allowfwdownload = yes" in iaxprov.conf
+
+ -- Tzafrir Cohen <tzafrir.cohen at xorcom.com> Wed, 23 Jul 2008 21:33:41 +0300
+
asterisk (1:1.2.13~dfsg-2etch5) stable-security; urgency=high
* Fix a remote crash vulnerability in chan_sip when running in pedantic
Modified: asterisk/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/00list?rev=5983&op=diff
==============================================================================
--- asterisk/branches/etch/debian/patches/00list (original)
+++ asterisk/branches/etch/debian/patches/00list Wed Jul 23 19:05:44 2008
@@ -14,6 +14,8 @@
AST-2008-006.dpatch
security-IAX2-performance.dpatch
AST-2008-008.dpatch
+AST-2008-010.dpatch
+AST-2008-011.dpatch
# ukcid probably conflicts with bristuff
ukcid
option_detach
Added: asterisk/branches/etch/debian/patches/AST-2008-010.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2008-010.dpatch?rev=5983&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2008-010.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2008-010.dpatch Wed Jul 23 19:05:44 2008
@@ -1,0 +1,56 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2008-008.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix IAX 'POKE' resource exhaustion
+## DP: AST-2008-010/CVE-2008-3263
+## DP: upstream r132711
+
+ at DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -1282,7 +1283,7 @@
+ }
+
+ /* Look for an existing connection first */
+- for (x=1;(res < 1) && (x<maxnontrunkcall);x++) {
++ for (x=2;(res < 1) && (x<maxnontrunkcall);x++) {
+ ast_mutex_lock(&iaxsl[x]);
+ if (iaxs[x]) {
+ /* Look for an exact match */
+@@ -3098,6 +3099,15 @@
+ char *options;
+ };
+
++static int send_apathetic_reply(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int command, int ts, unsigned char seqno)
++{
++ struct ast_iax2_full_hdr f = { .scallno = htons(0x8000 | callno), .dcallno = htons(dcallno),
++ .ts = htonl(ts), .iseqno = seqno, .oseqno = seqno, .type = AST_FRAME_IAX,
++ .csub = compress_subclass(command) };
++
++ return sendto(defaultsockfd, &f, sizeof(f), 0, (struct sockaddr *)sin, sizeof(*sin));
++}
++
+ /*!
+ * \brief Parses an IAX dial string into its component parts.
+ * \param data the string to be parsed
+@@ -6828,6 +6838,17 @@
+ } else {
+ f.subclass = uncompress_subclass(fh->csub);
+ }
++
++ /* Deal with POKE/PONG without allocating a callno */
++ if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
++ /* Reply back with a PONG, but don't care about the result. */
++ send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
++ return 1;
++ } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
++ /* Ignore */
++ return 1;
++ }
++
+ if ((f.frametype == AST_FRAME_IAX) && ((f.subclass == IAX_COMMAND_NEW) || (f.subclass == IAX_COMMAND_REGREQ) ||
+ (f.subclass == IAX_COMMAND_POKE) || (f.subclass == IAX_COMMAND_FWDOWNL) ||
+ (f.subclass == IAX_COMMAND_REGREL)))
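Review bot: The stateless POKE path converts the timestamp with `ntohs(fh->ts)` when it calls `send_apathetic_reply(...)`, but the helper added in the same patch writes that field with `htonl(ts)`. The field therefore looks 32 bits wide, so the PONG would echo a wrong timestamp; `ntohl(fh->ts)` is presumably what is meant. The helper would also benefit from a comment such as `/* callno 1 is reserved for stateless replies; no call slot is allocated */`, which explains why the lookup loop now starts at `x=2` and why ACKs with `dcallno == 1` are dropped. Separately, the dpatch header still reads `## AST-2008-008.dpatch by ...` and should name `AST-2008-010.dpatch`; AST-2008-011.dpatch has the same stale header line. The functions being patched start and end outside the inner hunks, so the surrounding locking and `sin` handling cannot be checked from here.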
Added: asterisk/branches/etch/debian/patches/AST-2008-011.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2008-011.dpatch?rev=5983&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2008-011.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2008-011.dpatch Wed Jul 23 19:05:44 2008
@@ -1,0 +1,42 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2008-008.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix Traffic amplification in IAX2 firmware provisioning system.
+## DP: AST-2008-011/CVE-2008-3264
+## DP: upstream r132711
+
+ at DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -268,6 +268,7 @@
+ IAX_RTIGNOREREGEXPIRE = (1 << 21), /*!< When using realtime, ignore registration expiration */
+ IAX_TRUNKTIMESTAMPS = (1 << 22), /*!< Send trunk timestamps */
+- IAX_MAXAUTHREQ = (1 << 23) /*!< Maximum outstanding AUTHREQ restriction is in place */
++ IAX_MAXAUTHREQ = (1 << 23), /*!< Maximum outstanding AUTHREQ restriction is in place */
++ IAX_ALLOWFWDOWNLOAD = (1 << 26) /*!< Allow the FWDOWNL command? */
+ } iax2_flags;
+
+ static int global_rtautoclear = 120;
+@@ -7921,6 +7942,10 @@
+ break;
+ case IAX_COMMAND_FWDOWNL:
+ /* Firmware download */
++ if (!ast_test_flag(&globalflags, IAX_ALLOWFWDOWNLOAD)) {
++ send_command_final(iaxs[fr->callno], AST_FRAME_IAX, IAX_COMMAND_UNSUPPORT, 0, NULL, 0, -1);
++ break;
++ }
+ memset(&ied0, 0, sizeof(ied0));
+ res = iax_firmware_append(&ied0, (unsigned char *)ies.devicetype, ies.fwdesc);
+ if (res < 0)
+@@ -9188,6 +9213,8 @@
+ delayreject = ast_true(v->value);
+ else if (!strcasecmp(v->name, "mailboxdetail"))
+ ast_set2_flag((&globalflags), ast_true(v->value), IAX_MESSAGEDETAIL);
++ else if (!strcasecmp(v->name, "allowfwdownload"))
++ ast_set2_flag((&globalflags), ast_true(v->value), IAX_ALLOWFWDOWNLOAD);
+ else if (!strcasecmp(v->name, "rtcachefriends"))
+ ast_set2_flag((&globalflags), ast_true(v->value), IAX_RTCACHEFRIENDS);
+ else if (!strcasecmp(v->name, "rtignoreregexpire"))
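Review bot: The new `allowfwdownload` option is parsed in chan_iax2.c in the same chain as `delayreject` and `mailboxdetail`, which looks like the general section of iax.conf, while the changelog entry in this commit tells administrators to set it in iaxprov.conf. If this parser does not read that file, the documented setting has no effect and firmware download stays disabled, so confirm which file is read and correct the changelog wording. A comment at the `IAX_COMMAND_FWDOWNL` guard would record the reason for the default, for example `/* Off unless allowfwdownload is set: FWDOWNL is a traffic amplifier (AST-2008-011) */`. Whether `IAX_ALLOWFWDOWNLOAD` is cleared on reload once the option is removed cannot be seen in this hunk and is worth checking, since the config function continues outside it.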