[Pkg-voip-commits] r5317 - in /asterisk/branches/etch/debian: changelog patches/00list patches/AST-2007-027.dpatch

paravoid at alioth.debian.org paravoid at alioth.debian.org
Tue Mar 18 23:02:28 UTC 2008


Author: paravoid
Date: Tue Mar 18 23:02:28 2008
New Revision: 5317

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=5317
Log:
* Fix an authentication bypass vulnerability that could be exploited when
  using passwordless host-based authentication with realtime on SIP and IAX
  channels (AST-2007-027, CVE-2007-6430).

Added:
    asterisk/branches/etch/debian/patches/AST-2007-027.dpatch
Modified:
    asterisk/branches/etch/debian/changelog
    asterisk/branches/etch/debian/patches/00list

Modified: asterisk/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/changelog?rev=5317&op=diff
==============================================================================
--- asterisk/branches/etch/debian/changelog (original)
+++ asterisk/branches/etch/debian/changelog Tue Mar 18 23:02:28 2008
@@ -1,11 +1,14 @@
 asterisk (1:1.2.13~dfsg-2etch3) stable-security; urgency=high
 
+  * Fix an authentication bypass vulnerability that could be exploited when
+    using passwordless host-based authentication with realtime on SIP and IAX
+    channels (AST-2007-027, CVE-2007-6430).
   * Fix a critical vulnerability that could be exploited to bypass SIP
     authentication (AST-2008-003, CVE-2008-1332).
   * Fix a potential DoS vulnerability in the Manager interface
     (AST-2008-004, CVE-2008-1333).
 
- -- Faidon Liambotis <paravoid at debian.org>  Wed, 19 Mar 2008 00:46:24 +0200
+ -- Faidon Liambotis <paravoid at debian.org>  Wed, 19 Mar 2008 00:58:25 +0200
 
 asterisk (1:1.2.13~dfsg-2etch2) stable-security; urgency=high
 

Modified: asterisk/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/00list?rev=5317&op=diff
==============================================================================
--- asterisk/branches/etch/debian/patches/00list (original)
+++ asterisk/branches/etch/debian/patches/00list Tue Mar 18 23:02:28 2008
@@ -8,6 +8,7 @@
 ASA-2007-015.dpatch
 ASA-2007-016.dpatch
 AST-2007-026.dpatch
+AST-2007-027.dpatch
 AST-2008-003.dpatch
 AST-2008-004.dpatch
 # ukcid probably conflicts with bristuff

Added: asterisk/branches/etch/debian/patches/AST-2007-027.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2007-027.dpatch?rev=5317&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2007-027.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2007-027.dpatch Tue Mar 18 23:02:28 2008
@@ -1,0 +1,130 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2007-027.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## DP: chan_sip/chan_iax2: fix a potential realtime vulnerability
+## DP: exploitable only with host-based authentication
+## DP: Fix a potential NULL-pointer dereference crash at the same time.
+## DP: r93667:94661 in upstream's SVN
+## DP: Security fix, AST-2007-027, CVE-2007-6430
+
+ at DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- channels/chan_sip.c	(revision 93667)
++++ channels/chan_sip.c	(revision 94661)
+@@ -1693,7 +1693,7 @@
+ static struct sip_peer *realtime_peer(const char *peername, struct sockaddr_in *sin)
+ {
+ 	struct sip_peer *peer=NULL;
+-	struct ast_variable *var;
++	struct ast_variable *var = NULL;
+ 	struct ast_variable *tmp;
+ 	char *newpeername = (char *) peername;
+ 	char iabuf[80];
+@@ -1701,40 +1701,39 @@
+ 	/* First check on peer name */
+ 	if (newpeername) {
+ 		var = ast_load_realtime("sippeers", "name", newpeername, "host", "dynamic", NULL);
+-		if (!var && sin) {
++		if (!var && sin)
+ 			var = ast_load_realtime("sippeers", "name", newpeername, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), NULL);
+-			if (!var) {
+-				var = ast_load_realtime("sippeers", "name", newpeername, NULL);
+-				/*!\note
+-				 * If this one loaded something, then we need to ensure that the host
+-				 * field matched.  The only reason why we can't have this as a criteria
+-				 * is because we only have the IP address and the host field might be
+-				 * set as a name (and the reverse PTR might not match).
+-				 */
+-				if (var) {
+-					for (tmp = var; tmp; tmp = tmp->next) {
+-						if (!strcasecmp(var->name, "host")) {
+-							struct in_addr sin2 = { 0, };
+-							struct ast_dnsmgr_entry *dnsmgr = NULL;
+-							if ((ast_dnsmgr_lookup(tmp->value, &sin2, &dnsmgr) < 0) || (memcmp(&sin2, &sin->sin_addr, sizeof(sin2)) != 0)) {
+-								/* No match */
+-								ast_variables_destroy(var);
+-								var = NULL;
+-							}
+-							break;
++		if (!var) {
++			var = ast_load_realtime("sippeers", "name", newpeername, NULL);
++			/*!\note
++			 * If this one loaded something, then we need to ensure that the host
++			 * field matched.  The only reason why we can't have this as a criteria
++			 * is because we only have the IP address and the host field might be
++			 * set as a name (and the reverse PTR might not match).
++			 */
++			if (var) {
++				for (tmp = var; tmp; tmp = tmp->next) {
++					if (!strcasecmp(var->name, "host")) {
++						struct in_addr sin2 = { 0, };
++						struct ast_dnsmgr_entry *dnsmgr = NULL;
++						if ((ast_dnsmgr_lookup(tmp->value, &sin2, &dnsmgr) < 0) || (memcmp(&sin2, &sin->sin_addr, sizeof(sin2)) != 0)) {
++							/* No match */
++							ast_variables_destroy(var);
++							var = NULL;
+ 						}
++						break;
+ 					}
+ 				}
+ 			}
+ 		}
+-	} else if (sin) {	/* Then check on IP address */
++	}
++
++	if (!var && sin) {	/* Then check on IP address */
+ 		ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr);
+ 		var = ast_load_realtime("sippeers", "host", iabuf, NULL);	/* First check for fixed IP hosts */
+ 		if (!var)
+ 			var = ast_load_realtime("sippeers", "ipaddr", iabuf, NULL);	/* Then check for registred hosts */
+-	
+-	} else
+-		return NULL;
++	}
+ 
+ 	if (!var)
+ 		return NULL;
+Index: channels/chan_iax2.c
+===================================================================
+--- channels/chan_iax2.c	(revision 93667)
++++ channels/chan_iax2.c	(revision 94661)
+@@ -2620,7 +2620,7 @@
+ 
+ static struct iax2_peer *realtime_peer(const char *peername, struct sockaddr_in *sin)
+ {
+-	struct ast_variable *var;
++	struct ast_variable *var = NULL;
+ 	struct ast_variable *tmp;
+ 	struct iax2_peer *peer=NULL;
+ 	time_t regseconds, nowtime;
+@@ -2629,9 +2629,9 @@
+ 
+ 	if (peername) {
+ 		var = ast_load_realtime("iaxpeers", "name", peername, "host", "dynamic", NULL);
+-		if (!var)
++		if (!var && sin)
+ 			var = ast_load_realtime("iaxpeers", "name", peername, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
+-	} else {
++	} else if (sin) {
+ 		char porta[25];
+ 		ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr);
+ 		sprintf(porta, "%d", ntohs(sin->sin_port));
+@@ -2646,7 +2646,7 @@
+ 			}
+ 		}
+ 	}
+-	if (!var) { /* Last ditch effort */
++	if (!var && peername) { /* Last ditch effort */
+ 		var = ast_load_realtime("iaxpeers", "name", peername, NULL);
+ 		/*!\note
+ 		 * If this one loaded something, then we need to ensure that the host
+@@ -2654,7 +2654,7 @@
+ 		 * is because we only have the IP address and the host field might be
+ 		 * set as a name (and the reverse PTR might not match).
+ 		 */
+-		if (var) {
++		if (var && sin) {
+ 			for (tmp = var; tmp; tmp = tmp->next) {
+ 				if (!strcasecmp(tmp->name, "host")) {
+ 					struct in_addr sin2 = { 0, };
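Review bot: In the chan_sip.c hunk, the host-verification loop that follows the name-only `ast_load_realtime("sippeers", "name", newpeername, NULL)` lookup still tests `var->name` instead of `tmp->name`, so the host comparison runs only when the first returned variable happens to be `host`. The chan_iax2.c copy of the same loop uses `tmp->name`, and the sip line should read `if (!strcasecmp(tmp->name, "host")) {`. The patch also moved that loop out from under `if (!var && sin)`, so it is now reachable with `sin == NULL` while the `memcmp` still dereferences `sin->sin_addr`; guarding it as the iax2 hunk does, `if (var && sin) {`, would avoid a crash. Separately, the iax2 context line calling `ast_load_realtime("iaxpeers", "name", peername, "host", ast_inet_ntoa(...))` appears to lack the terminating `NULL` that every other call in this patch passes, which should be confirmed against the function's variadic contract. Both `realtime_peer` bodies continue outside the hunks shown, so how a NULL `sin` reaches them is inferred from the guards added here.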



