[Pkg-voip-commits] r5983 - in /asterisk/branches/etch/debian: changelog patches/00list patches/AST-2008-010.dpatch patches/AST-2008-011.dpatch

tzafrir-guest at alioth.debian.org tzafrir-guest at alioth.debian.org
Wed Jul 23 19:05:44 UTC 2008


Author: tzafrir-guest
Date: Wed Jul 23 19:05:44 2008
New Revision: 5983

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=5983
Log:
* Fix for AST-2008-010 (CVE-2008-3263): potential IAX DoS attack.
* Fix for AST-2008-011 (CVE-2008-3264): the IAX provisioning firmware
  download protocol is a traffic amplifier. It has been disabled by
  default.
* To re-enable it, set "allowfwdownload = yes" in iaxprov.conf

Added:
    asterisk/branches/etch/debian/patches/AST-2008-010.dpatch
    asterisk/branches/etch/debian/patches/AST-2008-011.dpatch
Modified:
    asterisk/branches/etch/debian/changelog
    asterisk/branches/etch/debian/patches/00list

Modified: asterisk/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/changelog?rev=5983&op=diff
==============================================================================
--- asterisk/branches/etch/debian/changelog (original)
+++ asterisk/branches/etch/debian/changelog Wed Jul 23 19:05:44 2008
@@ -1,3 +1,13 @@
+asterisk (1:1.2.13~dfsg-2etch6) UNRELEASED; urgency=high
+
+  * Fix for AST-2008-010 (CVE-2008-3263) IAX potential DoS attack,
+  * Fix for AST-2008-011 (CVE-2008-3264) - IAX provisioning firmware 
+    downloading protocol is a traffic amplifier. It has been disabled by 
+    default. 
+  * To re-enable it set "allowfwdownload = yes" in iaxprov.conf
+
+ -- Tzafrir Cohen <tzafrir.cohen at xorcom.com>  Wed, 23 Jul 2008 21:33:41 +0300
+
 asterisk (1:1.2.13~dfsg-2etch5) stable-security; urgency=high
 
   * Fix a remote crash vulnerability in chan_sip when running in pedantic

Modified: asterisk/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/00list?rev=5983&op=diff
==============================================================================
--- asterisk/branches/etch/debian/patches/00list (original)
+++ asterisk/branches/etch/debian/patches/00list Wed Jul 23 19:05:44 2008
@@ -14,6 +14,8 @@
 AST-2008-006.dpatch
 security-IAX2-performance.dpatch
 AST-2008-008.dpatch
+AST-2008-010.dpatch
+AST-2008-011.dpatch
 # ukcid probably conflicts with bristuff
 ukcid
 option_detach

Added: asterisk/branches/etch/debian/patches/AST-2008-010.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2008-010.dpatch?rev=5983&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2008-010.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2008-010.dpatch Wed Jul 23 19:05:44 2008
@@ -1,0 +1,56 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2008-008.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix IAX 'POKE' resource exhaustion
+## DP: AST-2008-010/CVE-2008-3263
+## DP: upstream r132711
+
+ at DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -1282,7 +1283,7 @@
+  		}
+ 
+ 		/* Look for an existing connection first */
+-		for (x=1;(res < 1) && (x<maxnontrunkcall);x++) {
++		for (x=2;(res < 1) && (x<maxnontrunkcall);x++) {
+ 			ast_mutex_lock(&iaxsl[x]);
+ 			if (iaxs[x]) {
+ 				/* Look for an exact match */
+@@ -3098,6 +3099,15 @@
+ 	char *options;
+ };
+ 
++static int send_apathetic_reply(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int command, int ts, unsigned char seqno)
++{
++	struct ast_iax2_full_hdr f = { .scallno = htons(0x8000 | callno), .dcallno = htons(dcallno),
++		.ts = htonl(ts), .iseqno = seqno, .oseqno = seqno, .type = AST_FRAME_IAX,
++		.csub = compress_subclass(command) };
++
++	return sendto(defaultsockfd, &f, sizeof(f), 0, (struct sockaddr *)sin, sizeof(*sin));
++}
++
+ /*!
+  * \brief Parses an IAX dial string into its component parts.
+  * \param data the string to be parsed
+@@ -6828,6 +6838,17 @@
+ 		} else {
+ 			f.subclass = uncompress_subclass(fh->csub);
+ 		}
++
++		/* Deal with POKE/PONG without allocating a callno */
++		if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
++			/* Reply back with a PONG, but don't care about the result. */
++			send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
++			return 1;
++		} else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
++			/* Ignore */
++			return 1;
++		}
++
+ 		if ((f.frametype == AST_FRAME_IAX) && ((f.subclass == IAX_COMMAND_NEW) || (f.subclass == IAX_COMMAND_REGREQ) ||
+ 						       (f.subclass == IAX_COMMAND_POKE) || (f.subclass == IAX_COMMAND_FWDOWNL) ||
+ 						       (f.subclass == IAX_COMMAND_REGREL)))
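Review bot: The POKE branch converts the sender's timestamp with `ntohs(fh->ts)`, but `send_apathetic_reply()` writes that field back with `htonl(ts)`, so the header field looks 32 bits wide and the PONG would carry a truncated timestamp; the call should read `send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohl(fh->ts), fh->oseqno);`. Call number 1 is now reserved in three places (the `x=2` loop start, the first argument of this call, and the `dcallno == 1` test) with no shared name, so a comment at the loop such as `/* callno 1 is reserved for stateless POKE/PONG replies and is never allocated */` would keep them in step. The dpatch header still reads `## AST-2008-008.dpatch by ...` in this file and in AST-2008-011.dpatch, and both cite the same `upstream r132711`, which is worth checking against the upstream commits. The lookup loop and the frame-handling code both continue outside the inner hunks.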

Added: asterisk/branches/etch/debian/patches/AST-2008-011.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2008-011.dpatch?rev=5983&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2008-011.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2008-011.dpatch Wed Jul 23 19:05:44 2008
@@ -1,0 +1,42 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2008-008.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix Traffic amplification in IAX2 firmware provisioning system.
+## DP: AST-2008-011/CVE-2008-3264
+## DP: upstream r132711
+
+ at DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -268,6 +268,7 @@
+ 	IAX_RTIGNOREREGEXPIRE =	(1 << 21),	/*!< When using realtime, ignore registration expiration */
+ 	IAX_TRUNKTIMESTAMPS =	(1 << 22),	/*!< Send trunk timestamps */
+-	IAX_MAXAUTHREQ =        (1 << 23)       /*!< Maximum outstanding AUTHREQ restriction is in place */
++ 	IAX_MAXAUTHREQ =        (1 << 23),       /*!< Maximum outstanding AUTHREQ restriction is in place */
++	IAX_ALLOWFWDOWNLOAD =   (1 << 26)        /*!< Allow the FWDOWNL command? */
+ } iax2_flags;
+ 
+ static int global_rtautoclear = 120;
+@@ -7921,6 +7942,10 @@
+ 				break;
+ 			case IAX_COMMAND_FWDOWNL:
+ 				/* Firmware download */
++				if (!ast_test_flag(&globalflags, IAX_ALLOWFWDOWNLOAD)) {
++					send_command_final(iaxs[fr->callno], AST_FRAME_IAX, IAX_COMMAND_UNSUPPORT, 0, NULL, 0, -1);
++					break;
++				}
+ 				memset(&ied0, 0, sizeof(ied0));
+ 				res = iax_firmware_append(&ied0, (unsigned char *)ies.devicetype, ies.fwdesc);
+ 				if (res < 0)
+@@ -9188,6 +9213,8 @@
+ 			delayreject = ast_true(v->value);
+ 		else if (!strcasecmp(v->name, "mailboxdetail"))
+ 			ast_set2_flag((&globalflags), ast_true(v->value), IAX_MESSAGEDETAIL);	
++		else if (!strcasecmp(v->name, "allowfwdownload"))
++			ast_set2_flag((&globalflags), ast_true(v->value), IAX_ALLOWFWDOWNLOAD);
+ 		else if (!strcasecmp(v->name, "rtcachefriends"))
+ 			ast_set2_flag((&globalflags), ast_true(v->value), IAX_RTCACHEFRIENDS);	
+ 		else if (!strcasecmp(v->name, "rtignoreregexpire"))
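Review bot: The `allowfwdownload` branch changes IAX_ALLOWFWDOWNLOAD only when the option is present in the file, so whether deleting the line and reloading turns firmware download off again depends on `globalflags` being reset before this loop, which the hunk does not show. If it is not reset, an explicit `ast_clear_flag((&globalflags), IAX_ALLOWFWDOWNLOAD);` ahead of the loop would keep the feature fail-closed. The option is parsed beside `mailboxdetail` and `rtcachefriends`, which looks like the channel's general configuration rather than iaxprov.conf as the changelog states, so confirm which file administrators must edit. The new flag also jumps from bit 23 to bit 26 with no comment explaining why bits 24 and 25 are skipped. The command switch and the configuration loader both continue outside the inner hunks.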



