[Pkg-voip-commits] r8751 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2011-001 patches/series

paravoid at alioth.debian.org paravoid at alioth.debian.org
Thu Feb 10 18:02:03 UTC 2011


Author: paravoid
Date: Thu Feb 10 18:01:48 2011
New Revision: 8751

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=8751
Log:
AST-2011-001/CVE-2011-0495: Stack buffer overflow in SIP channel driver
(Closes: #610487)

Added:
    asterisk/branches/squeeze/debian/patches/AST-2011-001
Modified:
    asterisk/branches/squeeze/debian/changelog
    asterisk/branches/squeeze/debian/patches/series

Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=8751&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Thu Feb 10 18:01:48 2011
@@ -1,3 +1,10 @@
+asterisk (1:1.6.2.9-2+squeeze1) stable-security; urgency=high
+
+  * AST-2011-001/CVE-2011-0495: Stack buffer overflow in SIP channel driver
+    (Closes: #610487)
+
+ -- Faidon Liambotis <paravoid at debian.org>  Thu, 10 Feb 2011 19:03:02 +0200
+
 asterisk (1:1.6.2.9-2) unstable; urgency=high
 
   [ Tzafrir Cohen ]
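Review bot: The new changelog entry names the advisory, the CVE and the bug, but not the patch file that carries the fix. Adding a reference to debian/patches/AST-2011-001 (the file added in this revision) would let a reader map the entry to the change without opening the commit.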

Added: asterisk/branches/squeeze/debian/patches/AST-2011-001
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-001?rev=8751&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-001 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-001 Thu Feb 10 18:01:48 2011
@@ -1,0 +1,55 @@
+Description: Prevent buffer overflows in ast_uri_encode()
+Origin: http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff
+Bug-Debian: http://bugs.debian.org/610487
+
+When forming an outgoing SIP request while in pedantic mode, a stack
+buffer can be made to overflow if supplied with carefully crafted caller
+ID information. This vulnerability also affects the URIENCODE dialplan
+function and in some versions of asterisk, the AGI dialplan application
+as well. The ast_uri_encode function does not properly respect the size
+of its output buffer and can write past the end of it when encoding URIs.
+
+--- a/main/utils.c
++++ b/main/utils.c
+@@ -385,28 +385,27 @@ char *ast_uri_encode(const char *string,
+ 	char *reserved = ";/?:@&=+$,# ";	/* Reserved chars */
+ 
+  	const char *ptr  = string;	/* Start with the string */
+-	char *out = NULL;
+-	char *buf = NULL;
++	char *out = outbuf;
+ 
+-	ast_copy_string(outbuf, string, buflen);
+-
+-	/* If there's no characters to convert, just go through and don't do anything */
+-	while (*ptr) {
++	/* If there's no characters to convert, just go through and copy the string */
++	while (*ptr && out - outbuf < buflen - 1) {
+ 		if ((*ptr < 32) || (doreserved && strchr(reserved, *ptr))) {
+-			/* Oops, we need to start working here */
+-			if (!buf) {
+-				buf = outbuf;
+-				out = buf + (ptr - string) ;	/* Set output ptr */
++			if (out - outbuf >= buflen - 3) {
++				break;
+ 			}
++
+ 			out += sprintf(out, "%%%02x", (unsigned char) *ptr);
+-		} else if (buf) {
+-			*out = *ptr;	/* Continue copying the string */
++		} else {
++			*out = *ptr;	/* copy the character */
+ 			out++;
+-		} 
++		}
+ 		ptr++;
+ 	}
+-	if (buf)
++
++	if (buflen) {
+ 		*out = '\0';
++	}
++
+ 	return outbuf;
+ }
+ 
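Review bot: The two new bounds checks, `while (*ptr && out - outbuf < buflen - 1)` and `if (out - outbuf >= buflen - 3)`, are only correct if `buflen` is a signed type, and the hunk header cuts the signature off before its declaration. With a signed `buflen` of 0 the loop is skipped and `if (buflen)` skips the terminator, so nothing is written; with an unsigned type, `buflen - 1` would wrap and the loop would no longer be bounded. Please confirm the type at the declaration, or restate the checks without subtracting from `buflen` (for example `out - outbuf + 1 < buflen` and `out - outbuf + 3 >= buflen`). `if (buflen)` is also true for a negative value, so `if (buflen > 0)` would be the tighter guard before `*out = '\0'`. Two smaller points: the `break` truncates the encoded string silently and still returns `outbuf`, so callers cannot tell a complete URI from a shortened one, which deserves a line in the function's documentation; and the `sprintf(out, "%%%02x", ...)` call could become `snprintf` with the remaining space as a second line of defence.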

Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=8751&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Thu Feb 10 18:01:48 2011
@@ -25,3 +25,5 @@
 man_hyphen
 typos
 rtcp_cli_fix
+
+AST-2011-001
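Review bot: The empty line added before `AST-2011-001` separates it from the existing entries without saying why. If the intent is to group security fixes, a `#` comment line in the series file stating that would document it; otherwise the blank line can be dropped.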



