[Pkg-voip-commits] r6789 - in /asterisk/branches/etch/debian: changelog patches/00list patches/AST-2009-001.dpatch
tzafrir-guest at alioth.debian.org
tzafrir-guest at alioth.debian.org
Sat Feb 21 13:58:36 UTC 2009
Author: tzafrir-guest
Date: Sat Feb 21 13:58:36 2009
New Revision: 6789
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=6789
Log:
Fix for AST-2009-001 (CVE-2009-0041) - Information leak in IAX2
authentication.
Added:
asterisk/branches/etch/debian/patches/AST-2009-001.dpatch (with props)
Modified:
asterisk/branches/etch/debian/changelog
asterisk/branches/etch/debian/patches/00list
Modified: asterisk/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/changelog?rev=6789&op=diff
==============================================================================
--- asterisk/branches/etch/debian/changelog (original)
+++ asterisk/branches/etch/debian/changelog Sat Feb 21 13:58:36 2009
@@ -7,8 +7,10 @@
default.
* Fix for AST-2008-012 (CVE-2008-5558) - Some more IAX crashes.
* To re-enable it set "allowfwdownload = yes" in iaxprov.conf
-
- -- Tzafrir Cohen <tzafrir.cohen at xorcom.com> Wed, 24 Dec 2008 21:26:56 +0200
+ * Fix for AST-2009-001 (CVE-2009-0041) - Information leak in IAX2
+ authentication.
+
+ -- Tzafrir Cohen <tzafrir.cohen at xorcom.com> Sat, 21 Feb 2009 15:56:30 +0200
asterisk (1:1.2.13~dfsg-2etch5) stable-security; urgency=high
Modified: asterisk/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/00list?rev=6789&op=diff
==============================================================================
--- asterisk/branches/etch/debian/patches/00list (original)
+++ asterisk/branches/etch/debian/patches/00list Sat Feb 21 13:58:36 2009
@@ -17,6 +17,7 @@
AST-2008-010.dpatch
AST-2008-011.dpatch
AST-2008-012.dpatch
+AST-2009-001.dpatch
# ukcid probably conflicts with bristuff
ukcid
option_detach
Added: asterisk/branches/etch/debian/patches/AST-2009-001.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2009-001.dpatch?rev=6789&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2009-001.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2009-001.dpatch Sat Feb 21 13:58:36 2009
@@ -1,0 +1,132 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2008-003.dpatch by Tzafrir Cohen <tzafrir.cohen at xorcom.com>
+##
+## DP: Information leak in IAX2 authentication
+## DP:
+## DP: See http://downloads.digium.com/pub/security/AST-2009-001.html
+## DP: Source: http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff
+## DP: CVE: CVE-2009-0041
+
+ at DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c (revision 162868)
++++ b/channels/chan_iax2.c (revision 170580)
+@@ -164,6 +164,7 @@
+ static int authdebug = 1;
+ static int autokill = 0;
+ static int iaxcompat = 0;
++static int lastauthmethod = 0;
+
+ static int iaxdefaultdpcache=10 * 60; /* Cache dialplan entries for 10 minutes by default */
+
+@@ -5376,6 +5377,12 @@
+ ast_log(LOG_NOTICE, "Empty registration from %s\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
+ return -1;
+ }
++
++ ast_copy_string(iaxs[callno]->peer, peer, sizeof(iaxs[callno]->peer));
++ /* Choose lowest expiry number */
++ if (expire && (expire < iaxs[callno]->expiry))
++ iaxs[callno]->expiry = expire;
++
+ /* We release the lock for the call to prevent a deadlock, but it's okay because
+ only the current thread could possibly make it go away or make changes */
+ ast_mutex_unlock(&iaxsl[callno]);
+@@ -5386,6 +5393,7 @@
+ if (!p) {
+ if (authdebug)
+ ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
++ ast_copy_string(iaxs[callno]->secret, "invalidpassword", sizeof(iaxs[callno]->secret));
+ return -1;
+ }
+
+@@ -5473,18 +5481,16 @@
+ destroy_peer(p);
+ return -1;
+ }
+- } else if (!ast_strlen_zero(md5secret) || !ast_strlen_zero(secret)) {
+- if (authdebug)
+- ast_log(LOG_NOTICE, "Inappropriate authentication received\n");
++ } else if (!ast_strlen_zero(p->secret) || !ast_strlen_zero(p->inkeys)) {
++ if (authdebug &&
++ ((!ast_strlen_zero(p->secret) && (p->authmethods & IAX_AUTH_MD5) && !ast_strlen_zero(iaxs[callno]->challenge)) ||
++ (!ast_strlen_zero(p->inkeys) && (p->authmethods & IAX_AUTH_RSA) && !ast_strlen_zero(iaxs[callno]->challenge)))) {
++ ast_log(LOG_NOTICE, "Inappropriate authentication received for '%s'\n", p->name);
++ }
+ if (ast_test_flag(p, IAX_TEMPONLY))
+ destroy_peer(p);
+ return -1;
+ }
+- ast_copy_string(iaxs[callno]->peer, peer, sizeof(iaxs[callno]->peer));
+- /* Choose lowest expiry number */
+- if (expire && (expire < iaxs[callno]->expiry))
+- iaxs[callno]->expiry = expire;
+-
+ ast_device_state_changed("IAX2/%s", p->name); /* Activate notification */
+
+ if (ast_test_flag(p, IAX_TEMPONLY))
+@@ -6087,23 +6093,34 @@
+ {
+ struct iax_ie_data ied;
+ struct iax2_peer *p;
++ int authmethods;
++
++ if (!callno || !iaxs[callno]) {
++ return 0;
++ }
++
+ /* SLD: third call to find_peer in registration */
+- p = find_peer(name, 1);
+- if (p) {
+- memset(&ied, 0, sizeof(ied));
+- iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, p->authmethods);
+- if (p->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
+- /* Build the challenge */
+- snprintf(iaxs[callno]->challenge, sizeof(iaxs[callno]->challenge), "%d", rand());
+- iax_ie_append_str(&ied, IAX_IE_CHALLENGE, iaxs[callno]->challenge);
+- }
+- iax_ie_append_str(&ied, IAX_IE_USERNAME, name);
+- if (ast_test_flag(p, IAX_TEMPONLY))
+- destroy_peer(p);
+- return send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);;
+- }
+- ast_log(LOG_WARNING, "No such peer '%s'\n", name);
+- return 0;
++ if ((p = find_peer(name, 1))) {
++ lastauthmethod = p->authmethods;
++ }
++
++ authmethods = p ? p->authmethods : lastauthmethod ? lastauthmethod : (IAX_AUTH_PLAINTEXT | IAX_AUTH_MD5);
++ if (p && ast_test_flag(p, IAX_TEMPONLY)) {
++ destroy_peer(p);
++ } else if (!p && !delayreject) {
++ ast_log(LOG_WARNING, "No such peer '%s'\n", name);
++ return 0;
++ }
++
++ memset(&ied, 0, sizeof(ied));
++ iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, authmethods);
++ if (authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
++ /* Build the challenge */
++ snprintf(iaxs[callno]->challenge, sizeof(iaxs[callno]->challenge), "%d", rand());
++ iax_ie_append_str(&ied, IAX_IE_CHALLENGE, iaxs[callno]->challenge);
++ }
++ iax_ie_append_str(&ied, IAX_IE_USERNAME, name);
++ return send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);;
+ }
+
+ static int registry_rerequest(struct iax_ies *ies, int callno, struct sockaddr_in *sin)
+@@ -7833,11 +7850,7 @@
+ /* For security, always ack immediately */
+ if (delayreject)
+ send_command_immediate(iaxs[fr->callno], AST_FRAME_IAX, IAX_COMMAND_ACK, fr->ts, NULL, 0,fr->iseqno);
+- if (register_verify(fr->callno, &sin, &ies)) {
+- /* Send delayed failure */
+- auth_fail(fr->callno, IAX_COMMAND_REGREJ);
+- break;
+- }
++ register_verify(fr->callno, &sin, &ies);
+ if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) || ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED)) {
+ if (f.subclass == IAX_COMMAND_REGREL)
+ memset(&sin, 0, sizeof(sin));
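Review bot: In the last inner hunk (`@@ -7833,11 +7850,7 @@`) the result of `register_verify()` is now discarded, so the test on the next line (empty `secret` and `inkeys`, or the AUTHENTICATED flag) is the only thing keeping a failed verification out of the registration branch; that branch continues outside the hunk. Of the failure returns visible here, only the unknown-peer path sets `secret` to a dummy value, while the `Empty registration` path returns -1 without touching it and the remaining `return -1` paths are not shown, so either confirm that each of them leaves the call unable to satisfy that test, or keep the result with `int vres = register_verify(fr->callno, &sin, &ies);` and add `!vres &&` to the condition. Separately, `registry_authrequest()` still logs and returns 0 without sending REGAUTH when the peer is unknown and `delayreject` is off, so known and unknown peers only get the same response with `delayreject` enabled; that dependency deserves a line in the `## DP:` header or the changelog entry. The header comment also names `AST-2008-003.dpatch` rather than this file.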
Propchange: asterisk/branches/etch/debian/patches/AST-2009-001.dpatch
------------------------------------------------------------------------------
svn:executable = *