[Pkg-voip-commits] r6789 - in /asterisk/branches/etch/debian: changelog patches/00list patches/AST-2009-001.dpatch

tzafrir-guest at alioth.debian.org tzafrir-guest at alioth.debian.org
Sat Feb 21 13:58:36 UTC 2009 

Author: tzafrir-guest
Date: Sat Feb 21 13:58:36 2009
New Revision: 6789

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=6789
Log:
Fix for AST-2009-001 (CVE-2009-0041) - Information leak in IAX2 
authentication.

Added:
    asterisk/branches/etch/debian/patches/AST-2009-001.dpatch   (with props)
Modified:
    asterisk/branches/etch/debian/changelog
    asterisk/branches/etch/debian/patches/00list

Modified: asterisk/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/changelog?rev=6789&op=diff
==============================================================================
--- asterisk/branches/etch/debian/changelog (original)
+++ asterisk/branches/etch/debian/changelog Sat Feb 21 13:58:36 2009
@@ -7,8 +7,10 @@
     default. 
   * Fix for AST-2008-012 (CVE-2008-5558) - Some more IAX crashes.
   * To re-enable it set "allowfwdownload = yes" in iaxprov.conf
-
- -- Tzafrir Cohen <tzafrir.cohen at xorcom.com>  Wed, 24 Dec 2008 21:26:56 +0200
+  * Fix for AST-2009-001 (CVE-2009-0041) - Information leak in IAX2 
+    authentication.
+
+ -- Tzafrir Cohen <tzafrir.cohen at xorcom.com>  Sat, 21 Feb 2009 15:56:30 +0200
 
 asterisk (1:1.2.13~dfsg-2etch5) stable-security; urgency=high
 

Modified: asterisk/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/00list?rev=6789&op=diff
==============================================================================
--- asterisk/branches/etch/debian/patches/00list (original)
+++ asterisk/branches/etch/debian/patches/00list Sat Feb 21 13:58:36 2009
@@ -17,6 +17,7 @@
 AST-2008-010.dpatch
 AST-2008-011.dpatch
 AST-2008-012.dpatch
+AST-2009-001.dpatch
 # ukcid probably conflicts with bristuff
 ukcid
 option_detach

Added: asterisk/branches/etch/debian/patches/AST-2009-001.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2009-001.dpatch?rev=6789&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2009-001.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2009-001.dpatch Sat Feb 21 13:58:36 2009
@@ -1,0 +1,132 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2008-003.dpatch by Tzafrir Cohen <tzafrir.cohen at xorcom.com>
+##
+## DP: Information leak in IAX2 authentication
+## DP: 
+## DP: See http://downloads.digium.com/pub/security/AST-2009-001.html
+## DP: Source: http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff
+## DP: CVE: CVE-2009-0041
+
+ at DPATCH@
+Index: channels/chan_iax2.c
+===================================================================
+--- a/channels/chan_iax2.c	(revision 162868)
++++ b/channels/chan_iax2.c	(revision 170580)
+@@ -164,6 +164,7 @@
+ static int authdebug = 1;
+ static int autokill = 0;
+ static int iaxcompat = 0;
++static int lastauthmethod = 0;
+ 
+ static int iaxdefaultdpcache=10 * 60;	/* Cache dialplan entries for 10 minutes by default */
+ 
+@@ -5376,6 +5377,12 @@
+ 		ast_log(LOG_NOTICE, "Empty registration from %s\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
+ 		return -1;
+ 	}
++
++	ast_copy_string(iaxs[callno]->peer, peer, sizeof(iaxs[callno]->peer));
++	/* Choose lowest expiry number */
++	if (expire && (expire < iaxs[callno]->expiry)) 
++		iaxs[callno]->expiry = expire;
++
+ 	/* We release the lock for the call to prevent a deadlock, but it's okay because
+ 	   only the current thread could possibly make it go away or make changes */
+ 	ast_mutex_unlock(&iaxsl[callno]);
+@@ -5386,6 +5393,7 @@
+ 	if (!p) {
+ 		if (authdebug)
+ 			ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
++		ast_copy_string(iaxs[callno]->secret, "invalidpassword", sizeof(iaxs[callno]->secret));
+ 		return -1;
+ 	}
+ 
+@@ -5473,18 +5481,16 @@
+ 				destroy_peer(p);
+ 			return -1;
+ 		}
+-	} else if (!ast_strlen_zero(md5secret) || !ast_strlen_zero(secret)) {
+-		if (authdebug)
+-			ast_log(LOG_NOTICE, "Inappropriate authentication received\n");
++	} else if (!ast_strlen_zero(p->secret) || !ast_strlen_zero(p->inkeys)) {
++		if (authdebug &&
++				((!ast_strlen_zero(p->secret) && (p->authmethods & IAX_AUTH_MD5) && !ast_strlen_zero(iaxs[callno]->challenge)) ||
++				 (!ast_strlen_zero(p->inkeys) && (p->authmethods & IAX_AUTH_RSA) && !ast_strlen_zero(iaxs[callno]->challenge)))) {
++			ast_log(LOG_NOTICE, "Inappropriate authentication received for '%s'\n", p->name);
++		}
+ 		if (ast_test_flag(p, IAX_TEMPONLY))
+ 			destroy_peer(p);
+ 		return -1;
+ 	}
+-	ast_copy_string(iaxs[callno]->peer, peer, sizeof(iaxs[callno]->peer));
+-	/* Choose lowest expiry number */
+-	if (expire && (expire < iaxs[callno]->expiry)) 
+-		iaxs[callno]->expiry = expire;
+-
+ 	ast_device_state_changed("IAX2/%s", p->name); /* Activate notification */
+ 
+ 	if (ast_test_flag(p, IAX_TEMPONLY))
+@@ -6087,23 +6093,34 @@
+ {
+ 	struct iax_ie_data ied;
+ 	struct iax2_peer *p;
++	int authmethods;
++
++	if (!callno || !iaxs[callno]) {
++		return 0;
++	}
++
+ 	/* SLD: third call to find_peer in registration */
+-	p = find_peer(name, 1);
+-	if (p) {
+-		memset(&ied, 0, sizeof(ied));
+-		iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, p->authmethods);
+-		if (p->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
+-			/* Build the challenge */
+-			snprintf(iaxs[callno]->challenge, sizeof(iaxs[callno]->challenge), "%d", rand());
+-			iax_ie_append_str(&ied, IAX_IE_CHALLENGE, iaxs[callno]->challenge);
+-		}
+-		iax_ie_append_str(&ied, IAX_IE_USERNAME, name);
+-		if (ast_test_flag(p, IAX_TEMPONLY))
+-			destroy_peer(p);
+-		return send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);;
+-	} 
+-	ast_log(LOG_WARNING, "No such peer '%s'\n", name);
+-	return 0;
++	if ((p = find_peer(name, 1))) {
++		lastauthmethod = p->authmethods;
++	}
++
++	authmethods = p ? p->authmethods : lastauthmethod ? lastauthmethod : (IAX_AUTH_PLAINTEXT | IAX_AUTH_MD5);
++	if (p && ast_test_flag(p, IAX_TEMPONLY)) {
++		destroy_peer(p);
++	} else if (!p && !delayreject) {
++		ast_log(LOG_WARNING, "No such peer '%s'\n", name);
++		return 0;
++	}
++	
++	memset(&ied, 0, sizeof(ied));
++	iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, authmethods);
++	if (authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
++		/* Build the challenge */
++		snprintf(iaxs[callno]->challenge, sizeof(iaxs[callno]->challenge), "%d", rand());
++		iax_ie_append_str(&ied, IAX_IE_CHALLENGE, iaxs[callno]->challenge);
++	}
++	iax_ie_append_str(&ied, IAX_IE_USERNAME, name);
++	return send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);;
+ }
+ 
+ static int registry_rerequest(struct iax_ies *ies, int callno, struct sockaddr_in *sin)
+@@ -7833,11 +7850,7 @@
+ 				/* For security, always ack immediately */
+ 				if (delayreject)
+ 					send_command_immediate(iaxs[fr->callno], AST_FRAME_IAX, IAX_COMMAND_ACK, fr->ts, NULL, 0,fr->iseqno);
+-				if (register_verify(fr->callno, &sin, &ies)) {
+-					/* Send delayed failure */
+-					auth_fail(fr->callno, IAX_COMMAND_REGREJ);
+-					break;
+-				}
++				register_verify(fr->callno, &sin, &ies);
+ 				if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) || ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED)) {
+ 					if (f.subclass == IAX_COMMAND_REGREL)
+ 						memset(&sin, 0, sizeof(sin));

Propchange: asterisk/branches/etch/debian/patches/AST-2009-001.dpatch
------------------------------------------------------------------------------
    svn:executable = *

More information about the Pkg-voip-commits mailing list