[Pkg-voip-commits] r5317 - in /asterisk/branches/etch/debian: changelog patches/00list patches/AST-2007-027.dpatch
paravoid at alioth.debian.org
paravoid at alioth.debian.org
Tue Mar 18 23:02:28 UTC 2008
Author: paravoid
Date: Tue Mar 18 23:02:28 2008
New Revision: 5317
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=5317
Log:
* Fix an authentication bypass vulnerability that could be exploited when
using passwordless host-based authentication with realtime on SIP and IAX
channels (AST-2007-027, CVE-2007-6430).
Added:
asterisk/branches/etch/debian/patches/AST-2007-027.dpatch
Modified:
asterisk/branches/etch/debian/changelog
asterisk/branches/etch/debian/patches/00list
Modified: asterisk/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/changelog?rev=5317&op=diff
==============================================================================
--- asterisk/branches/etch/debian/changelog (original)
+++ asterisk/branches/etch/debian/changelog Tue Mar 18 23:02:28 2008
@@ -1,11 +1,14 @@
asterisk (1:1.2.13~dfsg-2etch3) stable-security; urgency=high
+ * Fix an authentication bypass vulnerability that could be exploited when
+ using passwordless host-based authentication with realtime on SIP and IAX
+ channels (AST-2007-027, CVE-2007-6430).
* Fix a critical vulnerability that could be exploited to bypass SIP
authentication (AST-2008-003, CVE-2008-1332).
* Fix a potential DoS vulnerability in the Manager interface
(AST-2008-004, CVE-2008-1333).
- -- Faidon Liambotis <paravoid at debian.org> Wed, 19 Mar 2008 00:46:24 +0200
+ -- Faidon Liambotis <paravoid at debian.org> Wed, 19 Mar 2008 00:58:25 +0200
asterisk (1:1.2.13~dfsg-2etch2) stable-security; urgency=high
Modified: asterisk/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/00list?rev=5317&op=diff
==============================================================================
--- asterisk/branches/etch/debian/patches/00list (original)
+++ asterisk/branches/etch/debian/patches/00list Tue Mar 18 23:02:28 2008
@@ -8,6 +8,7 @@
ASA-2007-015.dpatch
ASA-2007-016.dpatch
AST-2007-026.dpatch
+AST-2007-027.dpatch
AST-2008-003.dpatch
AST-2008-004.dpatch
# ukcid probably conflicts with bristuff
Added: asterisk/branches/etch/debian/patches/AST-2007-027.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2007-027.dpatch?rev=5317&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2007-027.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2007-027.dpatch Tue Mar 18 23:02:28 2008
@@ -1,0 +1,130 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2007-027.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: chan_sip/chan_iax2: fix a potential realtime vulnerability
+## DP: exploitable only with host-based authentication
+## DP: Fix a potential NULL-pointer dereference crash at the same time.
+## DP: r93667:94661 in upstream's SVN
+## DP: Security fix, AST-2007-027, CVE-2007-6430
+
+ at DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- channels/chan_sip.c (revision 93667)
++++ channels/chan_sip.c (revision 94661)
+@@ -1693,7 +1693,7 @@
+ static struct sip_peer *realtime_peer(const char *peername, struct sockaddr_in *sin)
+ {
+ struct sip_peer *peer=NULL;
+- struct ast_variable *var;
++ struct ast_variable *var = NULL;
+ struct ast_variable *tmp;
+ char *newpeername = (char *) peername;
+ char iabuf[80];
+@@ -1701,40 +1701,39 @@
+ /* First check on peer name */
+ if (newpeername) {
+ var = ast_load_realtime("sippeers", "name", newpeername, "host", "dynamic", NULL);
+- if (!var && sin) {
++ if (!var && sin)
+ var = ast_load_realtime("sippeers", "name", newpeername, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), NULL);
+- if (!var) {
+- var = ast_load_realtime("sippeers", "name", newpeername, NULL);
+- /*!\note
+- * If this one loaded something, then we need to ensure that the host
+- * field matched. The only reason why we can't have this as a criteria
+- * is because we only have the IP address and the host field might be
+- * set as a name (and the reverse PTR might not match).
+- */
+- if (var) {
+- for (tmp = var; tmp; tmp = tmp->next) {
+- if (!strcasecmp(var->name, "host")) {
+- struct in_addr sin2 = { 0, };
+- struct ast_dnsmgr_entry *dnsmgr = NULL;
+- if ((ast_dnsmgr_lookup(tmp->value, &sin2, &dnsmgr) < 0) || (memcmp(&sin2, &sin->sin_addr, sizeof(sin2)) != 0)) {
+- /* No match */
+- ast_variables_destroy(var);
+- var = NULL;
+- }
+- break;
++ if (!var) {
++ var = ast_load_realtime("sippeers", "name", newpeername, NULL);
++ /*!\note
++ * If this one loaded something, then we need to ensure that the host
++ * field matched. The only reason why we can't have this as a criteria
++ * is because we only have the IP address and the host field might be
++ * set as a name (and the reverse PTR might not match).
++ */
++ if (var) {
++ for (tmp = var; tmp; tmp = tmp->next) {
++ if (!strcasecmp(var->name, "host")) {
++ struct in_addr sin2 = { 0, };
++ struct ast_dnsmgr_entry *dnsmgr = NULL;
++ if ((ast_dnsmgr_lookup(tmp->value, &sin2, &dnsmgr) < 0) || (memcmp(&sin2, &sin->sin_addr, sizeof(sin2)) != 0)) {
++ /* No match */
++ ast_variables_destroy(var);
++ var = NULL;
+ }
++ break;
+ }
+ }
+ }
+ }
+- } else if (sin) { /* Then check on IP address */
++ }
++
++ if (!var && sin) { /* Then check on IP address */
+ ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr);
+ var = ast_load_realtime("sippeers", "host", iabuf, NULL); /* First check for fixed IP hosts */
+ if (!var)
+ var = ast_load_realtime("sippeers", "ipaddr", iabuf, NULL); /* Then check for registred hosts */
+-
+- } else
+- return NULL;
++ }
+
+ if (!var)
+ return NULL;
+Index: channels/chan_iax2.c
+===================================================================
+--- channels/chan_iax2.c (revision 93667)
++++ channels/chan_iax2.c (revision 94661)
+@@ -2620,7 +2620,7 @@
+
+ static struct iax2_peer *realtime_peer(const char *peername, struct sockaddr_in *sin)
+ {
+- struct ast_variable *var;
++ struct ast_variable *var = NULL;
+ struct ast_variable *tmp;
+ struct iax2_peer *peer=NULL;
+ time_t regseconds, nowtime;
+@@ -2629,9 +2629,9 @@
+
+ if (peername) {
+ var = ast_load_realtime("iaxpeers", "name", peername, "host", "dynamic", NULL);
+- if (!var)
++ if (!var && sin)
+ var = ast_load_realtime("iaxpeers", "name", peername, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
+- } else {
++ } else if (sin) {
+ char porta[25];
+ ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr);
+ sprintf(porta, "%d", ntohs(sin->sin_port));
+@@ -2646,7 +2646,7 @@
+ }
+ }
+ }
+- if (!var) { /* Last ditch effort */
++ if (!var && peername) { /* Last ditch effort */
+ var = ast_load_realtime("iaxpeers", "name", peername, NULL);
+ /*!\note
+ * If this one loaded something, then we need to ensure that the host
+@@ -2654,7 +2654,7 @@
+ * is because we only have the IP address and the host field might be
+ * set as a name (and the reverse PTR might not match).
+ */
+- if (var) {
++ if (var && sin) {
+ for (tmp = var; tmp; tmp = tmp->next) {
+ if (!strcasecmp(tmp->name, "host")) {
+ struct in_addr sin2 = { 0, };
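Review bot: In the chan_sip.c name-only fallback the host check tests `var->name` instead of `tmp->name`, so every pass looks at the first variable only and a row loaded by name alone is kept without host verification unless "host" happens to be the first field; it should read `if (!strcasecmp(tmp->name, "host")) {`, as the chan_iax2.c hunk already does. That same block is now reachable with `sin` NULL, because `if (!var)` is no longer nested under `if (!var && sin)`, yet the `memcmp` still dereferences `sin->sin_addr`; guarding it with `if (var && sin) {` would match chan_iax2.c. Separately, the unchanged call `ast_load_realtime("iaxpeers", "name", peername, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr))` in chan_iax2.c lacks the trailing `NULL` that every other call shown passes, which looks like a missing varargs terminator. Both realtime_peer bodies continue outside the inner hunks, so how `var` is handled afterwards is not visible here.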