[Pkg-voip-commits] r9027 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2011-008 patches/series

[tzafrir at alioth.debian.org]

Author: tzafrir
Date: Thu Jun 23 23:54:38 2011
New Revision: 9027

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9027
Log:
Patch AST-2011-008 (CVE-2011-2529) - crash on a malformed SIP packet
(Closes: 631446).

Added:
    asterisk/branches/squeeze/debian/patches/AST-2011-008
Modified:
    asterisk/branches/squeeze/debian/changelog
    asterisk/branches/squeeze/debian/patches/series

Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9027&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Thu Jun 23 23:54:38 2011
@@ -1,3 +1,10 @@
+asterisk (1:1.6.2.9-2+squeeze3) stable-security; urgency=high
+
+  * Patch AST-2011-008 (CVE-2011-2529) - crash on a malformed SIP packet
+   (Closes: 631446).
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Fri, 24 Jun 2011 02:25:38 +0300
+
 asterisk (1:1.6.2.9-2+squeeze2) stable-security; urgency=high
 
   * Patch AST-2011-002 (CVE-2011-1147): Multiple crash vulnerabilities in

Added: asterisk/branches/squeeze/debian/patches/AST-2011-008
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-008?rev=9027&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-008 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-008 Thu Jun 23 23:54:38 2011
@@ -1,0 +1,35 @@
+From: Kinsey Moore <kmoore at digium.com>
+Date: Thu, 23 Jun 2011 18:21:12 +0000
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=324643
+Subject: Addresses AST-2011-008, memory corruption and remote crash in SIP driver.
+
+If a remote user sends a SIP packet containing a null, Asterisk assumes
+available data extends past the null to the end of the packet when the
+buffer is actually truncated when copied.  This causes SIP header parsing
+to modify data past the end of the buffer altering unrelated memory
+structures.  This vulnerability does not affect TCP/TLS connections.
+
+CVE: CVE-2011-2529
+See also http://downloads.asterisk.org/pub/security/AST-2011-008.html
+
+---
+ channels/chan_sip.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 7908a14..2981eb6 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -22706,7 +22706,8 @@ static int sipsock_read(int *id, int fd, short events, void *ignore)
+ 		return -1;
+ 	}
+ 
+-	req.len = res;
++	/* req.data will have the correct length in case of nulls */
++	req.len = ast_str_strlen(req.data);
+ 	req.socket.fd = sipsock;
+ 	set_socket_transport(&req.socket, SIP_TRANSPORT_UDP);
+ 	req.socket.tcptls_session	= NULL;
+-- 
+1.7.5.4
+

Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9027&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Thu Jun 23 23:54:38 2011
@@ -34,3 +34,4 @@
 AST-2011-005
 AST-2011-005-p2
 AST-2011-006
+AST-2011-008