[Pkg-voip-commits] r9070 - in /asterisk/branches/lenny-security/debian: changelog patches/AST-2011-010 patches/AST-2011-011

tzafrir at alioth.debian.org
Fri Jul 1 11:55:50 UTC 2011


Author: tzafrir
Date: Fri Jul  1 11:55:49 2011
New Revision: 9070

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9070
Log:
AST-2011-011 (CVE-2011-2536): Don't leak SIP username information
(closes: #632029)

Added:
    asterisk/branches/lenny-security/debian/patches/AST-2011-011
Modified:
    asterisk/branches/lenny-security/debian/changelog
    asterisk/branches/lenny-security/debian/patches/AST-2011-010

Modified: asterisk/branches/lenny-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/changelog?rev=9070&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/changelog (original)
+++ asterisk/branches/lenny-security/debian/changelog Fri Jul  1 11:55:49 2011
@@ -2,8 +2,10 @@
 
   * AST-2011-010 (CVE-2011-2535): crash due to dereferencing a remote pointer
     (closes: #631448)
-
- -- Tzafrir Cohen <tzafrir at debian.org>  Fri, 24 Jun 2011 18:43:04 +0300
+  * AST-2011-011 (CVE-2011-2536): Don't leak SIP username information
+    (closes: #632029)
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Fri, 01 Jul 2011 14:53:46 +0300
 
 asterisk (1:1.4.21.2~dfsg-3+lenny2.1) oldstable-security; urgency=high
 
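Review bot: The new `AST-2011-011` changelog entry omits the operational caveat carried in the patch header added by this same commit, which says `alwaysauthreject=yes` is not the default on 1.4 and is "highly recommended". Consider adding a short clause to the entry (or a NEWS.Debian item) so administrators who only read the changelog learn that they should set the option. The entry also says nothing about the AST-2011-010 patch being refreshed in this revision.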

Modified: asterisk/branches/lenny-security/debian/patches/AST-2011-010
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-010?rev=9070&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-010 (original)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-010 Fri Jul  1 11:55:49 2011
@@ -15,7 +15,7 @@
 
 --- a/channels/chan_iax2.c
 +++ b/channels/chan_iax2.c
-@@ -3433,7 +3433,14 @@ static int iax2_setoption(struct ast_cha
+@@ -3414,7 +3414,14 @@ static int iax2_setoption(struct ast_cha
  		/* these two cannot be sent, because they require a result */
  		errno = ENOSYS;
  		return -1;
@@ -31,7 +31,7 @@
  		if (!(h = ast_malloc(datalen + sizeof(*h))))
  			return -1;
  
-@@ -3445,7 +3452,12 @@ static int iax2_setoption(struct ast_cha
+@@ -3426,7 +3433,12 @@ static int iax2_setoption(struct ast_cha
  					  datalen + sizeof(*h), -1);
  		free(h);
  		return res;
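Review bot: Both hunks here change only the embedded `chan_iax2.c` hunk headers (3433 to 3414 and 3445 to 3426, a uniform shift of 19 lines), yet the commit log describes only AST-2011-011. An offset-only refresh of an unrelated security patch is worth a line in the log, or its own commit, so that someone later auditing the AST-2011-010 fix can see that its content did not change in r9070.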

Added: asterisk/branches/lenny-security/debian/patches/AST-2011-011
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-011?rev=9070&op=file
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-011 (added)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-011 Fri Jul  1 11:55:49 2011
@@ -1,0 +1,40 @@
+From 63f92c985f212e59f56bb95b0c1bb02347195fea Mon Sep 17 00:00:00 2001
+From: Terry Wilson <twilson at digium.com>
+Date: Tue, 28 Jun 2011 20:03:19 +0000
+Subject: [PATCH] Don't leak SIP username information
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=325275
+
+Asterisk may respond differently to SIP requests from an invalid SIP
+user than it does to a user configured on the system, even when the
+alwaysauthreject option is set in the configuration. This can leak
+information about what SIP users are valid on the Asterisk system.
+
+Note: while alwaysauthreject=yes is not the default on 1.4 and 1.6.2 for
+backword-compatibility considerations, it is highly recommended to set it
+so.
+
+CVE: CVE-2011-2536
+See also: http://downloads.asterisk.org/pub/security/AST-2011-011.html
+---
+ channels/chan_sip.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -8670,14 +8670,14 @@ static void transmit_fake_auth_response(
+ 	if (ast_test_flag(req, SIP_PKT_IGNORE) && !ast_strlen_zero(p->randdata) && ast_strlen_zero(authtoken)) {
+ 		/* This is a retransmitted invite/register/etc, don't reconstruct authentication
+ 		 * information */
+-		transmit_response_with_auth(p, response, req, p->randdata, 0, respheader, 0);
++		transmit_response_with_auth(p, response, req, p->randdata, reliable, respheader, 0);
+ 		/* Schedule auto destroy in 32 seconds (according to RFC 3261) */
+ 		sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ 		return;
+ 	} else if (ast_strlen_zero(p->randdata) || ast_strlen_zero(authtoken)) {
+ 		/* We have no auth, so issue challenge and request authentication */
+ 		ast_string_field_build(p, randdata, "%08lx", ast_random());	/* Create nonce for challenge */
+-		transmit_response_with_auth(p, response, req, p->randdata, 0, respheader, 0);
++		transmit_response_with_auth(p, response, req, p->randdata, reliable, respheader, 0);
+ 		/* Schedule auto destroy in 32 seconds */
+ 		sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ 		return;
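Review bot: In the `chan_sip.c` hunk, both replaced calls now pass `reliable` to `transmit_response_with_auth()`, but nothing in the visible context declares it and the hunk header truncates the parameter list of `transmit_fake_auth_response(`. Since this is a backport of upstream r325275 onto the lenny 1.4.21.2 tree, please confirm that `reliable` is a parameter of that function in the packaged source, and that the patch applies at `@@ -8670,14` without fuzz, so the change does not apply cleanly and then fail to build. It would also help to state in the patch description why the hard-coded `0` was the leak (presumably the fake challenge was sent with different reliability than a genuine one), since the description explains the symptom but not the mechanism. Minor: "backword-compatibility" in the description should read "backward-compatibility".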



