[Pkg-voip-commits] r6790 - in /asterisk/trunk/debian: changelog patches/AST-2009-001 patches/series
tzafrir-guest at alioth.debian.org
Sat Feb 21 14:19:04 UTC 2009
Author: tzafrir-guest
Date: Sat Feb 21 14:19:03 2009
New Revision: 6790
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=6790
Log:
Patch AST-2009-001 - Fix CVE-2009-0041 (Information leak in IAX2
authentication)
Added:
asterisk/trunk/debian/patches/AST-2009-001
Modified:
asterisk/trunk/debian/changelog
asterisk/trunk/debian/patches/series
Modified: asterisk/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/changelog?rev=6790&op=diff
==============================================================================
--- asterisk/trunk/debian/changelog (original)
+++ asterisk/trunk/debian/changelog Sat Feb 21 14:19:03 2009
@@ -1,8 +1,10 @@
asterisk (1:1.4.21.2~dfsg-4) unstable; urgency=low
* Remove asterisk-dev Recommends of asterisk.
-
- -- Tzafrir Cohen <tzafrir.cohen at xorcom.com> Tue, 03 Feb 2009 14:17:52 +0200
+ * Patch AST-2009-001 - Fix CVE-2009-0041 (Information leak in IAX2
+ authentication)
+
+ -- Tzafrir Cohen <tzafrir.cohen at xorcom.com> Sat, 21 Feb 2009 16:08:59 +0200
asterisk (1:1.4.21.2~dfsg-3) unstable; urgency=medium
Added: asterisk/trunk/debian/patches/AST-2009-001
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/AST-2009-001?rev=6790&op=file
==============================================================================
--- asterisk/trunk/debian/patches/AST-2009-001 (added)
+++ asterisk/trunk/debian/patches/AST-2009-001 Sat Feb 21 14:19:03 2009
@@ -1,0 +1,112 @@
+Fix for AST-2009-001 (CVE-2009-0041) - Information leak in IAX2 authentication
+
+From: http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff
+
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -155,6 +155,7 @@ static int trunkfreq = 20;
+ static int authdebug = 1;
+ static int autokill = 0;
+ static int iaxcompat = 0;
++static int last_authmethod = 0;
+
+ static int iaxdefaultdpcache=10 * 60; /* Cache dialplan entries for 10 minutes by default */
+
+@@ -5491,6 +5492,9 @@ static int register_verify(int callno, s
+ p = find_peer(peer, 1);
+ ast_mutex_lock(&iaxsl[callno]);
+ if (!p || !iaxs[callno]) {
++ if (iaxs[callno]) {
++ ast_string_field_set(iaxs[callno], secret, "badsecret");
++ }
+ if (authdebug && !p)
+ ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(sin->sin_addr));
+ goto return_unref;
+@@ -5570,21 +5574,24 @@ static int register_verify(int callno, s
+ goto return_unref;
+ } else
+ ast_set_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED);
+- } else if (!ast_strlen_zero(md5secret) || !ast_strlen_zero(secret)) {
+- if (authdebug)
+- ast_log(LOG_NOTICE, "Inappropriate authentication received\n");
++ } else if (!ast_strlen_zero(iaxs[callno]->secret) || !ast_strlen_zero(iaxs[callno]->inkeys)) {
++ if (authdebug &&
++ ((!ast_strlen_zero(iaxs[callno]->secret) && (p->authmethods & IAX_AUTH_MD5) && !ast_strlen_zero(iaxs[callno]->challenge)) ||
++ (!ast_strlen_zero(iaxs[callno]->inkeys) && (p->authmethods & IAX_AUTH_RSA) && !ast_strlen_zero(iaxs[callno]->challenge)))) {
++ ast_log(LOG_NOTICE, "Inappropriate authentication received for '%s'\n", p->name);
++ } /* ELSE this is the first time through and no challenge exists, so it's not quite yet a failure. */
+ goto return_unref;
+ }
++ ast_device_state_changed("IAX2/%s", p->name); /* Activate notification */
++
++return_unref:
+ ast_string_field_set(iaxs[callno], peer, peer);
+ /* Choose lowest expiry number */
+ if (expire && (expire < iaxs[callno]->expiry))
+ iaxs[callno]->expiry = expire;
+
+- ast_device_state_changed("IAX2/%s", p->name); /* Activate notification */
+-
+ res = 0;
+
+-return_unref:
+ if (p)
+ peer_unref(p);
+
+@@ -6256,24 +6263,30 @@ static int registry_authrequest(int call
+ struct iax2_peer *p;
+ char challenge[10];
+ const char *peer_name;
+- int res = -1;
++ int sentauthmethod;
+
+ peer_name = ast_strdupa(iaxs[callno]->peer);
+
+ /* SLD: third call to find_peer in registration */
+ ast_mutex_unlock(&iaxsl[callno]);
+- p = find_peer(peer_name, 1);
++ if ((p = find_peer(peer_name, 1))) {
++ last_authmethod = p->authmethods;
++ }
++
+ ast_mutex_lock(&iaxsl[callno]);
+ if (!iaxs[callno])
+ goto return_unref;
+- if (!p) {
+- ast_log(LOG_WARNING, "No such peer '%s'\n", peer_name);
+- goto return_unref;
+- }
+-
++
+ memset(&ied, 0, sizeof(ied));
+- iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, p->authmethods);
+- if (p->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
++ /* The selection of which delayed reject is sent may leak information,
++ * if it sets a static response. For example, if a host is known to only
++ * use MD5 authentication, then an RSA response would indicate that the
++ * peer does not exist, and vice-versa.
++ * Therefore, we use whatever the last peer used (which may vary over the
++ * course of a server, which should leak minimal information). */
++ sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
++ iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, sentauthmethod);
++ if (sentauthmethod & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
+ /* Build the challenge */
+ snprintf(challenge, sizeof(challenge), "%d", (int)ast_random());
+ ast_string_field_set(iaxs[callno], challenge, challenge);
+@@ -6281,12 +6294,12 @@ static int registry_authrequest(int call
+ }
+ iax_ie_append_str(&ied, IAX_IE_USERNAME, peer_name);
+
+- res = 0;
+-
+ return_unref:
+- peer_unref(p);
++ if (p) {
++ peer_unref(p);
++ }
+
+- return res ? res : send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);;
++ return iaxs[callno] ? send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1) : -1;
+ }
+
+ static int registry_rerequest(struct iax_ies *ies, int callno, struct sockaddr_in *sin)
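Review bot: In the second register_verify hunk the relocated `return_unref:` label is followed by `ast_string_field_set(iaxs[callno], peer, peer);` and the expiry update, both of which dereference `iaxs[callno]` unconditionally, yet the first hunk jumps to that label precisely when `!p || !iaxs[callno]` — so if the call was torn down while `iaxsl[callno]` was released around `find_peer`, this is a NULL dereference on a path that runs before any credential is checked. Guard that stretch: `if (iaxs[callno]) { ast_string_field_set(iaxs[callno], peer, peer); if (expire && (expire < iaxs[callno]->expiry)) iaxs[callno]->expiry = expire; }` — the `peer_unref(p)` below it is already guarded the same way. The label move also puts `res = 0;` on every path, so register_verify now reports success for a missing peer or a bad secret; if that is the intended "always send a challenge" behaviour a one-line comment above `return_unref:` saying so would keep the next maintainer from reverting it. In the registry_authrequest hunk `last_authmethod` is a file-scope static written and read with `iaxsl[callno]` unlocked, so concurrent registrations race on it; either make it `_Atomic`/lock-protected or add `/* unlocked by design: only a hint for the delayed-reject reply */` so the tolerance is explicit. register_verify's body starts and ends outside the hunk.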
Modified: asterisk/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/series?rev=6790&op=diff
==============================================================================
--- asterisk/trunk/debian/patches/series (original)
+++ asterisk/trunk/debian/patches/series Sat Feb 21 14:19:03 2009
@@ -1,3 +1,6 @@
+# Some simple security fixes:
+AST-2009-001
+
### upstream fixes
allow-tilde-destdir