[Pkg-voip-commits] r8884 - in /asterisk/branches/lenny-security/debian: changelog patches/AST-2011-005-p2 patches/AST-2011-006
tzafrir at alioth.debian.org
tzafrir at alioth.debian.org
Fri Apr 22 06:08:51 UTC 2011
Author: tzafrir
Date: Fri Apr 22 06:08:49 2011
New Revision: 8884
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=8884
Log:
Rearange the patches according to the actual issues
Added:
asterisk/branches/lenny-security/debian/patches/AST-2011-005-p2
- copied, changed from r8883, asterisk/branches/lenny-security/debian/patches/AST-2011-006
Modified:
asterisk/branches/lenny-security/debian/changelog
asterisk/branches/lenny-security/debian/patches/AST-2011-006
Modified: asterisk/branches/lenny-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/changelog?rev=8884&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/changelog (original)
+++ asterisk/branches/lenny-security/debian/changelog Fri Apr 22 06:08:49 2011
@@ -3,8 +3,9 @@
* AST-2011-002 (CVE-2011-1147): Multiple crash vulnerabilities in UDPTL code
(Closes: #614580).
* Patch AST-2011-005: Resource exhaustion in Asterisk Manager Interface
- * Patch AST-2011-006: Resource exhaustion in chan_skinny and AJAM
+ * Patch AST-2011-005-p2: Resource exhaustion in chan_skinny and AJAM
(Closes: #618790).
+ * Patch AST-2011-006: Check for "system" privilege in the manager interface
* Patches AST-2011-003, manager_manager_bugfix_reload - its pre-requirements.
* My new @debian.org address
Copied: asterisk/branches/lenny-security/debian/patches/AST-2011-005-p2 (from r8883, asterisk/branches/lenny-security/debian/patches/AST-2011-006)
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-005-p2?rev=8884&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-006 (original)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-005-p2 Fri Apr 22 06:08:49 2011
@@ -8,11 +8,8 @@
are allowed to have open simultaneously. Also added timeouts for
unauthenticated sessions where it made sense to do so.
-Unrelated, the manager interface now properly checks if the user has the
-"system" privilege before executing shell commands via the Originate action.
-
-This is a followup to AST-2011-005. It applies a similar fix to chan_skinny
-and to manager interface over HTTP.
+This patch is the secon upstream patch that fixes AST-2011-005. It applies
+a similar fix to chan_skinny and to manager interface over HTTP.
Skinny, or SCCP, is enabled by default (though not used in most settings).
To disable: 'noload => chan_skinny.so' in /etc/asterisk/modules.conf .
@@ -22,15 +19,13 @@
See also:
https://issues.asterisk.org/view.php?id=18996
http://downloads.asterisk.org/pub/security/AST-2011-005.html
- http://downloads.asterisk.org/pub/security/AST-2011-006.html
---
channels/chan_skinny.c | 75 +++++++++++++++++++++++++++++++++++++++++--
configs/http.conf.sample | 7 +++-
configs/skinny.conf.sample | 9 +++++
main/http.c | 25 ++++++++++++++-
- main/manager.c | 18 ++++++++++
- 5 files changed, 128 insertions(+), 6 deletions(-)
+ 4 files changed, 110 insertions(+), 6 deletions(-)
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -302,30 +297,3 @@
v = v->next;
}
ast_config_destroy(cfg);
---- a/main/manager.c
-+++ b/main/manager.c
-@@ -2003,6 +2003,24 @@ static int action_originate(struct manse
- l = NULL;
- }
- uniqueid = ast_alloc_uniqueid();
-+ if (!ast_strlen_zero(app)) {
-+ /* To run the System application (or anything else that goes to
-+ * shell), you must have the additional System privilege */
-+ if (!(s->writeperm & EVENT_FLAG_SYSTEM)
-+ && (
-+ strcasestr(app, "system") == 0 || /* System(rm -rf /)
-+ TrySystem(rm -rf /) */
-+ strcasestr(app, "exec") || /* Exec(System(rm -rf /))
-+ TryExec(System(rm -rf /)) */
-+ strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
-+ EAGI(/bin/rm,-rf /) */
-+ strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
-+ strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
-+ )) {
-+ astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
-+ return 0;
-+ }
-+ }
- if (ast_true(async)) {
- struct fast_originate_helper *fast = ast_calloc(1, sizeof(*fast));
- if (!fast) {
Modified: asterisk/branches/lenny-security/debian/patches/AST-2011-006
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-006?rev=8884&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-006 (original)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-006 Fri Apr 22 06:08:49 2011
@@ -2,306 +2,25 @@
Date: Thu, 21 Apr 2011 18:19:21 +0000
Bug: https://issues.asterisk.org/view.php?id=18787
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=314607
-Subject: limits unauthenticated TCP sessions
+Subject: Check for "system" privilege in the manager interface
-Added limits to the number of unauthenticated sessions TCP based protocols
-are allowed to have open simultaneously. Also added timeouts for
-unauthenticated sessions where it made sense to do so.
+This fix adds the missing test (added in later version, though apparently
+in a slightly wrong location) for the "system" write permissions in case
+a manager user attempts to execute an action that may eventually execute
+a shell command.
-Unrelated, the manager interface now properly checks if the user has the
-"system" privilege before executing shell commands via the Originate action.
-
-This is a followup to AST-2011-005. It applies a similar fix to chan_skinny
-and to manager interface over HTTP.
-
-Skinny, or SCCP, is enabled by default (though not used in most settings).
-To disable: 'noload => chan_skinny.so' in /etc/asterisk/modules.conf .
-
-Manager over HTTP is not enabled by default on Debian.
+Note that:
+1. In order to explit this one must already gain authenticated access to
+ the manager interface with some sort of write access.
+2. Asterisk is never run as root in Debian (if you use standard init.d
+ script, which slightly reduces the impact of this.
+3. Many poorly-written sample manager.conf config files just give any
+ manager user all priviliges. There's all to big a chance the manager
+ user already has the 'system' write priv (write=system in manager.conf).
See also:
- https://issues.asterisk.org/view.php?id=18996
- http://downloads.asterisk.org/pub/security/AST-2011-005.html
http://downloads.asterisk.org/pub/security/AST-2011-006.html
----
- channels/chan_skinny.c | 75 +++++++++++++++++++++++++++++++++++++++++--
- configs/http.conf.sample | 7 +++-
- configs/skinny.conf.sample | 9 +++++
- main/http.c | 25 ++++++++++++++-
- main/manager.c | 18 ++++++++++
- 5 files changed, 128 insertions(+), 6 deletions(-)
-
---- a/channels/chan_skinny.c
-+++ b/channels/chan_skinny.c
-@@ -96,8 +96,13 @@ enum skinny_codecs {
- #define DEFAULT_SKINNY_PORT 2000
- #define DEFAULT_SKINNY_BACKLOG 2
- #define SKINNY_MAX_PACKET 1000
-+#define DEFAULT_AUTH_TIMEOUT 30
-+#define DEFAULT_AUTH_LIMIT 50
-
- static int keep_alive = 120;
-+static int auth_timeout = DEFAULT_AUTH_TIMEOUT;
-+static int auth_limit = DEFAULT_AUTH_LIMIT;
-+static int unauth_sessions = 0;
- static char date_format[6] = "D-M-Y";
- static char version_id[16] = "P002F202";
-
-@@ -1060,6 +1065,7 @@ struct skinny_paging_device {
- static struct skinnysession {
- pthread_t t;
- ast_mutex_t lock;
-+ time_t start;
- struct sockaddr_in sin;
- int fd;
- char inbuf[SKINNY_MAX_PACKET];
-@@ -3058,6 +3064,7 @@ static int handle_register_message(struc
- transmit_response(s, req);
- return 0;
- }
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
- if (option_verbose > 2)
- ast_verbose(VERBOSE_PREFIX_3 "Device '%s' successfully registered\n", name);
-
-@@ -4421,6 +4428,9 @@ static void destroy_session(struct skinn
- if (s->fd > -1) {
- close(s->fd);
- }
-+ if (!s->device) {
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+ }
- ast_mutex_destroy(&s->lock);
- free(s);
- } else {
-@@ -4433,12 +4443,29 @@ static int get_input(struct skinnysessio
- {
- int res;
- int dlen = 0;
-+ int timeout = keep_alive * 1100;
-+ time_t now;
- struct pollfd fds[1];
-
-+ if (!s->device) {
-+ if(time(&now) == -1) {
-+ ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
-+ return -1;
-+ }
-+
-+ timeout = (auth_timeout - (now - s->start)) * 1000;
-+ if (timeout < 0) {
-+ /* we have timed out */
-+ if (skinnydebug)
-+ ast_verbose("Skinny Client failed to authenticate in %d seconds\n", auth_timeout);
-+ return -1;
-+ }
-+ }
-+
- fds[0].fd = s->fd;
- fds[0].events = POLLIN;
- fds[0].revents = 0;
-- res = poll(fds, 1, (keep_alive * 1100)); /* If nothing has happen, client is dead */
-+ res = poll(fds, 1, timeout); /* If nothing has happen, client is dead */
- /* we add 10% to the keep_alive to deal */
- /* with network delays, etc */
- if (res < 0) {
-@@ -4447,8 +4474,13 @@ static int get_input(struct skinnysessio
- return res;
- }
- } else if (res == 0) {
-- if (skinnydebug)
-- ast_verbose("Skinny Client was lost, unregistering\n");
-+ if (skinnydebug) {
-+ if (s->device) {
-+ ast_verbose("Skinny Client was lost, unregistering\n");
-+ } else {
-+ ast_verbose("Skinny Client failed to authenticate in %d seconds\n", auth_timeout);
-+ }
-+ }
- skinny_unregister(NULL, s);
- return -1;
- }
-@@ -4584,18 +4616,35 @@ static void *accept_thread(void *ignore)
- ast_log(LOG_NOTICE, "Accept returned -1: %s\n", strerror(errno));
- continue;
- }
-+
-+ if (ast_atomic_fetchadd_int(&unauth_sessions, +1) >= auth_limit) {
-+ close(as);
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+ continue;
-+ }
-+
- p = getprotobyname("tcp");
- if(p) {
- if( setsockopt(as, p->p_proto, TCP_NODELAY, (char *)&arg, sizeof(arg) ) < 0 ) {
- ast_log(LOG_WARNING, "Failed to set Skinny tcp connection to TCP_NODELAY mode: %s\n", strerror(errno));
- }
- }
-- if (!(s = ast_calloc(1, sizeof(struct skinnysession))))
-+ if (!(s = ast_calloc(1, sizeof(struct skinnysession)))) {
-+ close(as);
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
- continue;
-+ }
-
- memcpy(&s->sin, &sin, sizeof(sin));
- ast_mutex_init(&s->lock);
- s->fd = as;
-+
-+ if(time(&s->start) == -1) {
-+ ast_log(LOG_ERROR, "error executing time(): %s; disconnecting client\n", strerror(errno));
-+ destroy_session(s);
-+ continue;
-+ }
-+
- ast_mutex_lock(&sessionlock);
- s->next = sessions;
- sessions = s;
-@@ -4746,6 +4795,24 @@ static int reload_config(void)
- }
- } else if (!strcasecmp(v->name, "keepalive")) {
- keep_alive = atoi(v->value);
-+ } else if (!strcasecmp(v->name, "authtimeout")) {
-+ int timeout = atoi(v->value);
-+
-+ if (timeout < 1) {
-+ ast_log(LOG_WARNING, "Invalid authtimeout value '%s', using default value\n", v->value);
-+ auth_timeout = DEFAULT_AUTH_TIMEOUT;
-+ } else {
-+ auth_timeout = timeout;
-+ }
-+ } else if (!strcasecmp(v->name, "authlimit")) {
-+ int limit = atoi(v->value);
-+
-+ if (limit < 1) {
-+ ast_log(LOG_WARNING, "Invalid authlimit value '%s', using default value\n", v->value);
-+ auth_limit = DEFAULT_AUTH_LIMIT;
-+ } else {
-+ auth_limit = limit;
-+ }
- } else if (!strcasecmp(v->name, "dateformat")) {
- memcpy(date_format, v->value, sizeof(date_format));
- } else if (!strcasecmp(v->name, "allow")) {
---- a/configs/http.conf.sample
-+++ b/configs/http.conf.sample
-@@ -26,7 +26,12 @@ bindport=8088
- ; requests must begin with /asterisk
- ;
- ;prefix=asterisk
--
-+;
-+; sessionlimit specifies the maximum number of httpsessions that will be
-+; allowed to exist at any given time. (default: 100)
-+;
-+;sessionlimit=100
-+;
- ; The post_mappings section maps URLs to real paths on the filesystem. If a
- ; POST is done from within an authenticated manager session to one of the
- ; configured POST mappings, then any files in the POST will be placed in the
---- a/configs/skinny.conf.sample
-+++ b/configs/skinny.conf.sample
-@@ -9,6 +9,15 @@ dateformat=M-D-Y ; M,D,Y in any order (6
- ; Use M for month, D for day, Y for year, A for 12-hour time.
- keepalive=120
-
-+;authtimeout = 30 ; authtimeout specifies the maximum number of seconds a
-+ ; client has to authenticate. If the client does not
-+ ; authenticate beofre this timeout expires, the client
-+ ; will be disconnected. (default: 30 seconds)
-+
-+;authlimit = 50 ; authlimit specifies the maximum number of
-+ ; unauthenticated sessions that will be allowed to
-+ ; connect at any given time. (default: 50)
-+
- ;allow=all ; see doc/rtp-packetization for framing options
- ;disallow=
-
---- a/main/http.c
-+++ b/main/http.c
-@@ -59,6 +59,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
-
- #define MAX_PREFIX 80
- #define DEFAULT_PREFIX "/asterisk"
-+#define DEFAULT_SESSION_LIMIT 100
-
- struct ast_http_server_instance {
- FILE *f;
-@@ -76,6 +77,8 @@ static char prefix[MAX_PREFIX];
- static int prefix_len;
- static struct sockaddr_in oldsin;
- static int enablestatic;
-+static int session_limit = DEFAULT_SESSION_LIMIT;
-+static int session_count = 0;
-
- /*! \brief Limit the kinds of files we're willing to serve up */
- static struct {
-@@ -508,6 +511,7 @@ static void *ast_httpd_helper_thread(voi
- }
- fclose(ser->f);
- free(ser);
-+ ast_atomic_fetchadd_int(&session_count, -1);
- return NULL;
- }
-
-@@ -526,15 +530,23 @@ static void *http_root(void *data)
- ast_wait_for_input(httpfd, -1);
- sinlen = sizeof(sin);
- fd = accept(httpfd, (struct sockaddr *)&sin, &sinlen);
-+
- if (fd < 0) {
- if ((errno != EAGAIN) && (errno != EINTR))
- ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
- continue;
- }
-+
-+ if (ast_atomic_fetchadd_int(&session_count, +1) >= session_limit) {
-+ close(fd);
-+ continue;
-+ }
-+
- ser = ast_calloc(1, sizeof(*ser));
- if (!ser) {
- ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
- close(fd);
-+ ast_atomic_fetchadd_int(&session_count, -1);
- continue;
- }
- flags = fcntl(fd, F_GETFL);
-@@ -549,12 +561,14 @@ static void *http_root(void *data)
- ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
- fclose(ser->f);
- free(ser);
-+ ast_atomic_fetchadd_int(&session_count, -1);
- }
- pthread_attr_destroy(&attr);
- } else {
- ast_log(LOG_WARNING, "fdopen failed!\n");
- close(ser->fd);
- free(ser);
-+ ast_atomic_fetchadd_int(&session_count, -1);
- }
- }
- return NULL;
-@@ -671,8 +685,17 @@ static int __ast_http_load(int reload)
- } else {
- newprefix[0] = '\0';
- }
--
-+ } else if (!strcasecmp(v->name, "sessionlimit")) {
-+ int limit = atoi(v->value);
-+
-+ if (limit < 1) {
-+ ast_log(LOG_WARNING, "Invalid sessionlimit value '%s', using default value\n", v->value);
-+ session_limit = DEFAULT_SESSION_LIMIT;
-+ } else {
-+ session_limit = limit;
-+ }
- }
-+
- v = v->next;
- }
- ast_config_destroy(cfg);
--- a/main/manager.c
+++ b/main/manager.c
@@ -2003,6 +2003,24 @@ static int action_originate(struct manse
More information about the Pkg-voip-commits
mailing list