[Pkg-voip-commits] r6790 - in /asterisk/trunk/debian: changelog patches/AST-2009-001 patches/series

tzafrir-guest at alioth.debian.org tzafrir-guest at alioth.debian.org
Sat Feb 21 14:19:04 UTC 2009


Author: tzafrir-guest
Date: Sat Feb 21 14:19:03 2009
New Revision: 6790

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=6790
Log:
Patch AST-2009-001 - Fix CVE-2009-0041 (Information leak in IAX2 
authentication)

Added:
    asterisk/trunk/debian/patches/AST-2009-001
Modified:
    asterisk/trunk/debian/changelog
    asterisk/trunk/debian/patches/series

Modified: asterisk/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/changelog?rev=6790&op=diff
==============================================================================
--- asterisk/trunk/debian/changelog (original)
+++ asterisk/trunk/debian/changelog Sat Feb 21 14:19:03 2009
@@ -1,8 +1,10 @@
 asterisk (1:1.4.21.2~dfsg-4) unstable; urgency=low
 
   * Remove asterisk-dev Recommends of asterisk. 
-
- -- Tzafrir Cohen <tzafrir.cohen at xorcom.com>  Tue, 03 Feb 2009 14:17:52 +0200
+  * Patch AST-2009-001 - Fix CVE-2009-0041 (Information leak in IAX2 
+    authentication)
+
+ -- Tzafrir Cohen <tzafrir.cohen at xorcom.com>  Sat, 21 Feb 2009 16:08:59 +0200
 
 asterisk (1:1.4.21.2~dfsg-3) unstable; urgency=medium
 

Added: asterisk/trunk/debian/patches/AST-2009-001
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/AST-2009-001?rev=6790&op=file
==============================================================================
--- asterisk/trunk/debian/patches/AST-2009-001 (added)
+++ asterisk/trunk/debian/patches/AST-2009-001 Sat Feb 21 14:19:03 2009
@@ -1,0 +1,112 @@
+Fix for AST-2009-001 (CVE-2009-0041) - Information leak in IAX2 authentication
+
+From: http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff
+
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -155,6 +155,7 @@ static int trunkfreq = 20;
+ static int authdebug = 1;
+ static int autokill = 0;
+ static int iaxcompat = 0;
++static int last_authmethod = 0;
+ 
+ static int iaxdefaultdpcache=10 * 60;	/* Cache dialplan entries for 10 minutes by default */
+ 
+@@ -5491,6 +5492,9 @@ static int register_verify(int callno, s
+ 	p = find_peer(peer, 1);
+ 	ast_mutex_lock(&iaxsl[callno]);
+ 	if (!p || !iaxs[callno]) {
++		if (iaxs[callno]) {
++			ast_string_field_set(iaxs[callno], secret, "badsecret");
++		}
+ 		if (authdebug && !p)
+ 			ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(sin->sin_addr));
+ 		goto return_unref;
+@@ -5570,21 +5574,24 @@ static int register_verify(int callno, s
+ 			goto return_unref;
+ 		} else
+ 			ast_set_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED);
+-	} else if (!ast_strlen_zero(md5secret) || !ast_strlen_zero(secret)) {
+-		if (authdebug)
+-			ast_log(LOG_NOTICE, "Inappropriate authentication received\n");
++	} else if (!ast_strlen_zero(iaxs[callno]->secret) || !ast_strlen_zero(iaxs[callno]->inkeys)) {
++		if (authdebug &&
++			((!ast_strlen_zero(iaxs[callno]->secret) && (p->authmethods & IAX_AUTH_MD5) && !ast_strlen_zero(iaxs[callno]->challenge)) ||
++			 (!ast_strlen_zero(iaxs[callno]->inkeys) && (p->authmethods & IAX_AUTH_RSA) && !ast_strlen_zero(iaxs[callno]->challenge)))) {
++			ast_log(LOG_NOTICE, "Inappropriate authentication received for '%s'\n", p->name);
++		} /* ELSE this is the first time through and no challenge exists, so it's not quite yet a failure. */
+ 		goto return_unref;
+ 	}
++	ast_device_state_changed("IAX2/%s", p->name); /* Activate notification */
++
++return_unref:
+ 	ast_string_field_set(iaxs[callno], peer, peer);
+ 	/* Choose lowest expiry number */
+ 	if (expire && (expire < iaxs[callno]->expiry)) 
+ 		iaxs[callno]->expiry = expire;
+ 
+-	ast_device_state_changed("IAX2/%s", p->name); /* Activate notification */
+-
+ 	res = 0;
+ 
+-return_unref:
+ 	if (p)
+ 		peer_unref(p);
+ 
+@@ -6256,24 +6263,30 @@ static int registry_authrequest(int call
+ 	struct iax2_peer *p;
+ 	char challenge[10];
+ 	const char *peer_name;
+-	int res = -1;
++	int sentauthmethod;
+ 
+ 	peer_name = ast_strdupa(iaxs[callno]->peer);
+ 
+ 	/* SLD: third call to find_peer in registration */
+ 	ast_mutex_unlock(&iaxsl[callno]);
+-	p = find_peer(peer_name, 1);
++	if ((p = find_peer(peer_name, 1))) {
++		last_authmethod = p->authmethods;
++	}
++
+ 	ast_mutex_lock(&iaxsl[callno]);
+ 	if (!iaxs[callno])
+ 		goto return_unref;
+-	if (!p) {
+-		ast_log(LOG_WARNING, "No such peer '%s'\n", peer_name);
+-		goto return_unref;
+-	}
+-	
++
+ 	memset(&ied, 0, sizeof(ied));
+-	iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, p->authmethods);
+-	if (p->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
++	/* The selection of which delayed reject is sent may leak information,
++	 * if it sets a static response.  For example, if a host is known to only
++	 * use MD5 authentication, then an RSA response would indicate that the
++	 * peer does not exist, and vice-versa.
++	 * Therefore, we use whatever the last peer used (which may vary over the
++	 * course of a server, which should leak minimal information). */
++	sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
++	iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, sentauthmethod);
++	if (sentauthmethod & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
+ 		/* Build the challenge */
+ 		snprintf(challenge, sizeof(challenge), "%d", (int)ast_random());
+ 		ast_string_field_set(iaxs[callno], challenge, challenge);
+@@ -6281,12 +6294,12 @@ static int registry_authrequest(int call
+ 	}
+ 	iax_ie_append_str(&ied, IAX_IE_USERNAME, peer_name);
+ 
+-	res = 0;
+-
+ return_unref:
+-	peer_unref(p);
++	if (p) {
++		peer_unref(p);
++	}
+ 
+-	return res ? res : send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);;
++	return iaxs[callno] ? send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1) : -1;
+ }
+ 
+ static int registry_rerequest(struct iax_ies *ies, int callno, struct sockaddr_in *sin)
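Review bot: In the embedded chan_iax2.c patch, moving the `return_unref:` label in register_verify above `ast_string_field_set(iaxs[callno], peer, peer);` means the early `if (!p || !iaxs[callno])` branch now jumps to code that uses `iaxs[callno]` (including `iaxs[callno]->expiry`), even when that branch was taken because the call slot is NULL. Unless something outside the hunk rules that state out, a registration whose call has already been torn down would dereference a null pointer, so the information-leak fix adds a crash path. I would wrap the relocated statements in `if (iaxs[callno]) { ... }` and leave `res = 0;` and the `peer_unref(p)` cleanup outside the guard. Separately, `last_authmethod` is assigned in registry_authrequest after `ast_mutex_unlock(&iaxsl[callno])`, so concurrent registrations appear to write it with no lock held; a comment stating that this race is tolerated would help. Both functions start and end outside the quoted hunks.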

Modified: asterisk/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/series?rev=6790&op=diff
==============================================================================
--- asterisk/trunk/debian/patches/series (original)
+++ asterisk/trunk/debian/patches/series Sat Feb 21 14:19:03 2009
@@ -1,3 +1,6 @@
+# Some simple security fixes:
+AST-2009-001
+
 ### upstream fixes
 allow-tilde-destdir
 



