[Pkg-voip-commits] r8884 - in /asterisk/branches/lenny-security/debian: changelog patches/AST-2011-005-p2 patches/AST-2011-006

tzafrir at alioth.debian.org tzafrir at alioth.debian.org
Fri Apr 22 06:08:51 UTC 2011


Author: tzafrir
Date: Fri Apr 22 06:08:49 2011
New Revision: 8884

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=8884
Log:
Rearrange the patches according to the actual issues

Added:
    asterisk/branches/lenny-security/debian/patches/AST-2011-005-p2
      - copied, changed from r8883, asterisk/branches/lenny-security/debian/patches/AST-2011-006
Modified:
    asterisk/branches/lenny-security/debian/changelog
    asterisk/branches/lenny-security/debian/patches/AST-2011-006

Modified: asterisk/branches/lenny-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/changelog?rev=8884&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/changelog (original)
+++ asterisk/branches/lenny-security/debian/changelog Fri Apr 22 06:08:49 2011
@@ -3,8 +3,9 @@
   * AST-2011-002 (CVE-2011-1147): Multiple crash vulnerabilities in UDPTL code
     (Closes: #614580).
   * Patch AST-2011-005: Resource exhaustion in Asterisk Manager Interface
-  * Patch AST-2011-006: Resource exhaustion in chan_skinny and AJAM
+  * Patch AST-2011-005-p2: Resource exhaustion in chan_skinny and AJAM
     (Closes: #618790).
+  * Patch AST-2011-006: Check for "system" privilege in the manager interface
   * Patches AST-2011-003, manager_manager_bugfix_reload - its pre-requirements.
   * My new @debian.org address
 

Copied: asterisk/branches/lenny-security/debian/patches/AST-2011-005-p2 (from r8883, asterisk/branches/lenny-security/debian/patches/AST-2011-006)
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-005-p2?rev=8884&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-006 (original)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-005-p2 Fri Apr 22 06:08:49 2011
@@ -8,11 +8,8 @@
 are allowed to have open simultaneously.  Also added timeouts for
 unauthenticated sessions where it made sense to do so.
 
-Unrelated, the manager interface now properly checks if the user has the
-"system" privilege before executing shell commands via the Originate action.
-
-This is a followup to AST-2011-005. It applies a similar fix to chan_skinny
-and to manager interface over HTTP.
+This patch is the secon upstream patch that fixes AST-2011-005. It applies
+a similar fix to chan_skinny and to manager interface over HTTP.
 
 Skinny, or SCCP, is enabled by default (though not used in most settings).
 To disable: 'noload => chan_skinny.so' in /etc/asterisk/modules.conf .
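Review bot: Typo in the rewritten description at `This patch is the secon upstream patch that fixes AST-2011-005`: `secon` should be `second`. Since the paragraph about the Originate "system" privilege check is dropped here, it would help a reader of this patch to say that that change now lives in AST-2011-006 (as the changelog entry in this commit states), so nobody goes looking for it in this file.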
@@ -22,15 +19,13 @@
 See also:
   https://issues.asterisk.org/view.php?id=18996
   http://downloads.asterisk.org/pub/security/AST-2011-005.html
-  http://downloads.asterisk.org/pub/security/AST-2011-006.html
 
 ---
  channels/chan_skinny.c     |   75 +++++++++++++++++++++++++++++++++++++++++--
  configs/http.conf.sample   |    7 +++-
  configs/skinny.conf.sample |    9 +++++
  main/http.c                |   25 ++++++++++++++-
- main/manager.c             |   18 ++++++++++
- 5 files changed, 128 insertions(+), 6 deletions(-)
+ 4 files changed, 110 insertions(+), 6 deletions(-)
 
 --- a/channels/chan_skinny.c
 +++ b/channels/chan_skinny.c
@@ -302,30 +297,3 @@
  			v = v->next;
  		}
  		ast_config_destroy(cfg);
---- a/main/manager.c
-+++ b/main/manager.c
-@@ -2003,6 +2003,24 @@ static int action_originate(struct manse
- 			l = NULL;
- 	}
-  	uniqueid = ast_alloc_uniqueid();
-+	if (!ast_strlen_zero(app)) {
-+		/* To run the System application (or anything else that goes to
-+		 * shell), you must have the additional System privilege */
-+		if (!(s->writeperm & EVENT_FLAG_SYSTEM)
-+			&& (
-+				strcasestr(app, "system") == 0 || /* System(rm -rf /)
-+				                                     TrySystem(rm -rf /)       */
-+				strcasestr(app, "exec") ||        /* Exec(System(rm -rf /))
-+				                                     TryExec(System(rm -rf /)) */
-+				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
-+				                                     EAGI(/bin/rm,-rf /)       */
-+				strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
-+				strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
-+				)) {
-+			astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
-+			return 0;
-+		}
-+	}
- 	if (ast_true(async)) {
- 		struct fast_originate_helper *fast = ast_calloc(1, sizeof(*fast));
- 		if (!fast) {

Modified: asterisk/branches/lenny-security/debian/patches/AST-2011-006
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-006?rev=8884&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-006 (original)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-006 Fri Apr 22 06:08:49 2011
@@ -2,306 +2,25 @@
 Date: Thu, 21 Apr 2011 18:19:21 +0000
 Bug: https://issues.asterisk.org/view.php?id=18787
 Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=314607
-Subject: limits unauthenticated TCP sessions
+Subject: Check for "system" privilege in the manager interface
 
-Added limits to the number of unauthenticated sessions TCP based protocols
-are allowed to have open simultaneously.  Also added timeouts for
-unauthenticated sessions where it made sense to do so.
+This fix adds the missing test (added in later version, though apparently
+in a slightly wrong location) for the "system" write permissions in case
+a manager user attempts to execute an action that may eventually execute
+a shell command.
 
-Unrelated, the manager interface now properly checks if the user has the
-"system" privilege before executing shell commands via the Originate action.
-
-This is a followup to AST-2011-005. It applies a similar fix to chan_skinny
-and to manager interface over HTTP.
-
-Skinny, or SCCP, is enabled by default (though not used in most settings).
-To disable: 'noload => chan_skinny.so' in /etc/asterisk/modules.conf .
-
-Manager over HTTP is not enabled by default on Debian.
+Note that:
+1. In order to explit this one must already gain authenticated access to
+   the manager interface with some sort of write access.
+2. Asterisk is never run as root in Debian (if you use standard init.d
+   script, which slightly reduces the impact of this.
+3. Many poorly-written sample manager.conf config files just give any
+   manager user all priviliges. There's all to big a chance the manager
+   user already has the 'system' write priv (write=system in manager.conf).
 
 See also:
-  https://issues.asterisk.org/view.php?id=18996
-  http://downloads.asterisk.org/pub/security/AST-2011-005.html
   http://downloads.asterisk.org/pub/security/AST-2011-006.html
 
----
- channels/chan_skinny.c     |   75 +++++++++++++++++++++++++++++++++++++++++--
- configs/http.conf.sample   |    7 +++-
- configs/skinny.conf.sample |    9 +++++
- main/http.c                |   25 ++++++++++++++-
- main/manager.c             |   18 ++++++++++
- 5 files changed, 128 insertions(+), 6 deletions(-)
-
---- a/channels/chan_skinny.c
-+++ b/channels/chan_skinny.c
-@@ -96,8 +96,13 @@ enum skinny_codecs {
- #define DEFAULT_SKINNY_PORT	2000
- #define DEFAULT_SKINNY_BACKLOG	2
- #define SKINNY_MAX_PACKET	1000
-+#define DEFAULT_AUTH_TIMEOUT	30
-+#define DEFAULT_AUTH_LIMIT	50
- 
- static int keep_alive = 120;
-+static int auth_timeout = DEFAULT_AUTH_TIMEOUT;
-+static int auth_limit = DEFAULT_AUTH_LIMIT;
-+static int unauth_sessions = 0;
- static char date_format[6] = "D-M-Y";
- static char version_id[16] = "P002F202";
- 
-@@ -1060,6 +1065,7 @@ struct skinny_paging_device {
- static struct skinnysession {
- 	pthread_t t;
- 	ast_mutex_t lock;
-+	time_t start;
- 	struct sockaddr_in sin;
- 	int fd;
- 	char inbuf[SKINNY_MAX_PACKET];
-@@ -3058,6 +3064,7 @@ static int handle_register_message(struc
- 		transmit_response(s, req);
- 		return 0;
- 	}
-+	ast_atomic_fetchadd_int(&unauth_sessions, -1);
- 	if (option_verbose > 2)
- 		ast_verbose(VERBOSE_PREFIX_3 "Device '%s' successfully registered\n", name);
- 
-@@ -4421,6 +4428,9 @@ static void destroy_session(struct skinn
- 		if (s->fd > -1) {
- 			close(s->fd);
- 		}
-+		if (!s->device) {
-+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+		}
- 		ast_mutex_destroy(&s->lock);
- 		free(s);
- 	} else {
-@@ -4433,12 +4443,29 @@ static int get_input(struct skinnysessio
- {
- 	int res;
- 	int dlen = 0;
-+	int timeout = keep_alive * 1100;
-+	time_t now;
- 	struct pollfd fds[1];
- 
-+	if (!s->device) {
-+		if(time(&now) == -1) {
-+			ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
-+			return -1;
-+		}
-+
-+		timeout = (auth_timeout - (now - s->start)) * 1000;
-+		if (timeout < 0) {
-+			/* we have timed out */
-+			if (skinnydebug)
-+				ast_verbose("Skinny Client failed to authenticate in %d seconds\n", auth_timeout);
-+			return -1;
-+		}
-+	}
-+
-  	fds[0].fd = s->fd;
- 	fds[0].events = POLLIN;
- 	fds[0].revents = 0;
--	res = poll(fds, 1, (keep_alive * 1100)); /* If nothing has happen, client is dead */
-+	res = poll(fds, 1, timeout); /* If nothing has happen, client is dead */
- 						 /* we add 10% to the keep_alive to deal */
- 						 /* with network delays, etc */
- 	if (res < 0) {
-@@ -4447,8 +4474,13 @@ static int get_input(struct skinnysessio
- 			return res;
- 		}
-  	} else if (res == 0) {
--		if (skinnydebug)
--			ast_verbose("Skinny Client was lost, unregistering\n");
-+		if (skinnydebug) {
-+			if (s->device) {
-+				ast_verbose("Skinny Client was lost, unregistering\n");
-+			} else {
-+				ast_verbose("Skinny Client failed to authenticate in %d seconds\n", auth_timeout);
-+			}
-+		}
- 		skinny_unregister(NULL, s);
- 		return -1;
- 	}
-@@ -4584,18 +4616,35 @@ static void *accept_thread(void *ignore)
- 			ast_log(LOG_NOTICE, "Accept returned -1: %s\n", strerror(errno));
- 			continue;
- 		}
-+
-+		if (ast_atomic_fetchadd_int(&unauth_sessions, +1) >= auth_limit) {
-+			close(as);
-+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+			continue;
-+		}
-+
- 		p = getprotobyname("tcp");
- 		if(p) {
- 			if( setsockopt(as, p->p_proto, TCP_NODELAY, (char *)&arg, sizeof(arg) ) < 0 ) {
- 				ast_log(LOG_WARNING, "Failed to set Skinny tcp connection to TCP_NODELAY mode: %s\n", strerror(errno));
- 			}
- 		}
--		if (!(s = ast_calloc(1, sizeof(struct skinnysession))))
-+		if (!(s = ast_calloc(1, sizeof(struct skinnysession)))) {
-+			close(as);
-+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
- 			continue;
-+		}
- 
- 		memcpy(&s->sin, &sin, sizeof(sin));
- 		ast_mutex_init(&s->lock);
- 		s->fd = as;
-+
-+		if(time(&s->start) == -1) {
-+			ast_log(LOG_ERROR, "error executing time(): %s; disconnecting client\n", strerror(errno));
-+			destroy_session(s);
-+			continue;
-+		}
-+
- 		ast_mutex_lock(&sessionlock);
- 		s->next = sessions;
- 		sessions = s;
-@@ -4746,6 +4795,24 @@ static int reload_config(void)
- 			}
- 		} else if (!strcasecmp(v->name, "keepalive")) {
- 			keep_alive = atoi(v->value);
-+		} else if (!strcasecmp(v->name, "authtimeout")) {
-+			int timeout = atoi(v->value);
-+
-+			if (timeout < 1) {
-+				ast_log(LOG_WARNING, "Invalid authtimeout value '%s', using default value\n", v->value);
-+				auth_timeout = DEFAULT_AUTH_TIMEOUT;
-+			} else {
-+				auth_timeout = timeout;
-+			}
-+		} else if (!strcasecmp(v->name, "authlimit")) {
-+			int limit = atoi(v->value);
-+
-+			if (limit < 1) {
-+				ast_log(LOG_WARNING, "Invalid authlimit value '%s', using default value\n", v->value);
-+				auth_limit = DEFAULT_AUTH_LIMIT;
-+			} else {
-+				auth_limit = limit;
-+			}
- 		} else if (!strcasecmp(v->name, "dateformat")) {
- 			memcpy(date_format, v->value, sizeof(date_format));
- 		} else if (!strcasecmp(v->name, "allow")) {
---- a/configs/http.conf.sample
-+++ b/configs/http.conf.sample
-@@ -26,7 +26,12 @@ bindport=8088
- ; requests must begin with /asterisk
- ;
- ;prefix=asterisk
--
-+;
-+; sessionlimit specifies the maximum number of httpsessions that will be
-+; allowed to exist at any given time. (default: 100)
-+;
-+;sessionlimit=100
-+;
- ; The post_mappings section maps URLs to real paths on the filesystem.  If a
- ; POST is done from within an authenticated manager session to one of the
- ; configured POST mappings, then any files in the POST will be placed in the
---- a/configs/skinny.conf.sample
-+++ b/configs/skinny.conf.sample
-@@ -9,6 +9,15 @@ dateformat=M-D-Y	; M,D,Y in any order (6
- 			; Use M for month, D for day, Y for year, A for 12-hour time.
- keepalive=120
- 
-+;authtimeout = 30       ; authtimeout specifies the maximum number of seconds a
-+			; client has to authenticate.  If the client does not
-+			; authenticate beofre this timeout expires, the client
-+                        ; will be disconnected.  (default: 30 seconds)
-+
-+;authlimit = 50         ; authlimit specifies the maximum number of
-+			; unauthenticated sessions that will be allowed to
-+                        ; connect at any given time. (default: 50)
-+
- ;allow=all		; see doc/rtp-packetization for framing options
- ;disallow=
- 
---- a/main/http.c
-+++ b/main/http.c
-@@ -59,6 +59,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
- 
- #define MAX_PREFIX 80
- #define DEFAULT_PREFIX "/asterisk"
-+#define DEFAULT_SESSION_LIMIT 100
- 
- struct ast_http_server_instance {
- 	FILE *f;
-@@ -76,6 +77,8 @@ static char prefix[MAX_PREFIX];
- static int prefix_len;
- static struct sockaddr_in oldsin;
- static int enablestatic;
-+static int session_limit = DEFAULT_SESSION_LIMIT;
-+static int session_count = 0;
- 
- /*! \brief Limit the kinds of files we're willing to serve up */
- static struct {
-@@ -508,6 +511,7 @@ static void *ast_httpd_helper_thread(voi
- 	}
- 	fclose(ser->f);
- 	free(ser);
-+	ast_atomic_fetchadd_int(&session_count, -1);
- 	return NULL;
- }
- 
-@@ -526,15 +530,23 @@ static void *http_root(void *data)
- 		ast_wait_for_input(httpfd, -1);
- 		sinlen = sizeof(sin);
- 		fd = accept(httpfd, (struct sockaddr *)&sin, &sinlen);
-+
- 		if (fd < 0) {
- 			if ((errno != EAGAIN) && (errno != EINTR))
- 				ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
- 			continue;
- 		}
-+
-+		if (ast_atomic_fetchadd_int(&session_count, +1) >= session_limit) {
-+			close(fd);
-+			continue;
-+		}
-+
- 		ser = ast_calloc(1, sizeof(*ser));
- 		if (!ser) {
- 			ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
- 			close(fd);
-+			ast_atomic_fetchadd_int(&session_count, -1);
- 			continue;
- 		}
- 		flags = fcntl(fd, F_GETFL);
-@@ -549,12 +561,14 @@ static void *http_root(void *data)
- 				ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
- 				fclose(ser->f);
- 				free(ser);
-+				ast_atomic_fetchadd_int(&session_count, -1);
- 			}
- 			pthread_attr_destroy(&attr);
- 		} else {
- 			ast_log(LOG_WARNING, "fdopen failed!\n");
- 			close(ser->fd);
- 			free(ser);
-+			ast_atomic_fetchadd_int(&session_count, -1);
- 		}
- 	}
- 	return NULL;
-@@ -671,8 +685,17 @@ static int __ast_http_load(int reload)
- 				} else {
- 					newprefix[0] = '\0';
- 				}
--					
-+			} else if (!strcasecmp(v->name, "sessionlimit")) {
-+				int limit = atoi(v->value);
-+
-+				if (limit < 1) {
-+					ast_log(LOG_WARNING, "Invalid sessionlimit value '%s', using default value\n", v->value);
-+					session_limit = DEFAULT_SESSION_LIMIT;
-+				} else {
-+					session_limit = limit;
-+				}
- 			}
-+
- 			v = v->next;
- 		}
- 		ast_config_destroy(cfg);
 --- a/main/manager.c
 +++ b/main/manager.c
 @@ -2003,6 +2003,24 @@ static int action_originate(struct manse
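Review bot: The manager.c hunk that this patch keeps (its body runs past the visible `action_originate` context at the end of this hunk; presumably it is the same text being removed from AST-2011-005-p2 in this commit, where it is still readable) tests `strcasestr(app, "system") == 0 ||`, which is inverted: strcasestr() returns NULL when the substring is absent, so an unprivileged manager user's Originate is rejected for every Application that does not contain "system" and is allowed for `System`/`TrySystem` unless one of the other conditions happens to match. It should read `strcasestr(app, "system") ||` like the neighbouring exec and agi tests. The appdata tests use case-sensitive `strstr(appdata, "SHELL")` and `strstr(appdata, "EVAL")`; if dialplan function names are resolved case-insensitively the way application names are matched here, `${shell(...)}` slips past, so strcasestr is the safer choice there too. Bear in mind the whole check is a substring denylist, so any other application or function that reaches a shell is not covered, which makes the description's caveat that many deployments already grant write=system the right thing to keep. The new description text also has typos (`explit`, `priviliges`, `all to big`) and an unclosed parenthesis after `init.d script`.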



