[Pkg-voip-commits] r9040 - in /asterisk/branches/lenny-security/debian: changelog patches/AST-2011-010 patches/series

tzafrir at alioth.debian.org tzafrir at alioth.debian.org
Fri Jun 24 15:44:54 UTC 2011


Author: tzafrir
Date: Fri Jun 24 15:44:54 2011
New Revision: 9040

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9040
Log:
AST-2011-010 (CVE-2011-2535): crash due to dereferencing a remote pointer
(closes: #631448)

Added:
    asterisk/branches/lenny-security/debian/patches/AST-2011-010
Modified:
    asterisk/branches/lenny-security/debian/changelog
    asterisk/branches/lenny-security/debian/patches/series

Modified: asterisk/branches/lenny-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/changelog?rev=9040&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/changelog (original)
+++ asterisk/branches/lenny-security/debian/changelog Fri Jun 24 15:44:54 2011
@@ -1,3 +1,10 @@
+asterisk (1:1.4.21.2~dfsg-3+lenny3) oldstable-security; urgency=high
+
+  * AST-2011-010 (CVE-2011-2535): crash due to dereferencing a remote pointer
+    (closes: #631448)
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Fri, 24 Jun 2011 18:43:04 +0300
+
 asterisk (1:1.4.21.2~dfsg-3+lenny2.1) oldstable-security; urgency=high
 
   * AST-2011-002 (CVE-2011-1147): Multiple crash vulnerabilities in UDPTL code

Added: asterisk/branches/lenny-security/debian/patches/AST-2011-010
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-010?rev=9040&op=file
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-010 (added)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-010 Fri Jun 24 15:44:54 2011
@@ -1,0 +1,71 @@
+From: David Vossel <dvossel at digium.com>
+Date: Thu, 23 Jun 2011 18:16:52 +0000
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=324627
+Subject: Addresses AST-2011-010, crash due to dereferencing a remote pointer
+
+A memory address was inadvertently transmitted over the network via
+IAX2 via an option control frame and the remote party would try to access it.
+
+CVE: CVE-2011-2535
+See also: http://downloads.asterisk.org/pub/security/AST-2011-010.html
+---
+ channels/chan_iax2.c |   14 +++++++++++++-
+ res/res_features.c   |   15 ++++++++++++---
+ 2 files changed, 25 insertions(+), 4 deletions(-)
+
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -3433,7 +3433,14 @@ static int iax2_setoption(struct ast_cha
+ 		/* these two cannot be sent, because they require a result */
+ 		errno = ENOSYS;
+ 		return -1;
+-	default:
++ 	/* These options are sent to the other side across the network where
++ 	 * they will be passed to whatever channel is bridged there. Don't
++ 	 * do anything silly like pass an option that transmits pointers to
++ 	 * memory on this machine to a remote machine to use */
++ 	case AST_OPTION_TONE_VERIFY:
++ 	case AST_OPTION_TDD:
++ 	case AST_OPTION_RELAXDTMF:
++ 	case AST_OPTION_AUDIO_MODE:
+ 		if (!(h = ast_malloc(datalen + sizeof(*h))))
+ 			return -1;
+ 
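Review bot: the allow-list of four options added ahead of the `ast_malloc` call in `iax2_setoption()` is repeated verbatim in the `AST_CONTROL_OPTION` branch of res/res_features.c, so a later change to one list can leave the sending and receiving sides disagreeing about which options are safe. Consider one shared helper or macro used by both call sites, and have the comment state the criterion for inclusion (the option's payload is plain data and carries no local addresses). The added lines are also indented with a space before the tabs (`+ 	case AST_OPTION_TDD:`), which is worth normalising.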
+@@ -3445,7 +3452,12 @@ static int iax2_setoption(struct ast_cha
+ 					  datalen + sizeof(*h), -1);
+ 		free(h);
+ 		return res;
++	default:
++		return -1;
+ 	}
++
++	/* Just in case someone does a break instead of a return */
++	return -1;
+ }
+ 
+ static struct ast_frame *iax2_read(struct ast_channel *c) 
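Review bot: the new `default: return -1;` in `iax2_setoption()` rejects an option without setting `errno`, whereas the case just above the allow-list sets `errno = ENOSYS` before returning -1, so a caller cannot tell a refused option apart from the other failure paths such as the `ast_malloc` failure. Setting `errno` in the default branch as well would keep the error reporting consistent. The trailing `return -1` after the switch is unreachable with the cases as written, which the comment acknowledges.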
+--- a/res/res_features.c
++++ b/res/res_features.c
+@@ -1590,10 +1590,19 @@ int ast_bridge_call(struct ast_channel *
+ 				break;
+ 			case AST_CONTROL_OPTION:
+ 				aoh = f->data;
+-				/* Forward option Requests */
++ 				/* Forward option Requests, but only ones we know are safe
++ 				 * These are ONLY sent by chan_iax2 and I'm not convinced that
++ 				 * they are useful. I haven't deleted them entirely because I
++ 				 * just am not sure of the ramifications of removing them. */
+ 				if (aoh && aoh->flag == AST_OPTION_FLAG_REQUEST) {
+-					ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
+-						f->datalen - sizeof(struct ast_option_header), 0);
++ 				   	switch (ntohs(aoh->option)) {
++ 					case AST_OPTION_TONE_VERIFY:
++ 					case AST_OPTION_TDD:
++ 					case AST_OPTION_RELAXDTMF:
++ 					case AST_OPTION_AUDIO_MODE:
++						ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
++							f->datalen - sizeof(struct ast_option_header), 0);
++					}
+ 				}
+ 				break;
+ 			}
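Review bot: in the `AST_CONTROL_OPTION` branch the length passed to `ast_channel_setoption()` is still computed as `f->datalen - sizeof(struct ast_option_header)` with no check that `f->datalen` is at least the header size, and `aoh->flag` and `aoh->option` are read after only a NULL test on `aoh`. This is the side that handles frames arriving from the remote peer, so a length check before the header is read would fit here alongside the option filter. The new `switch` also has no `default`, so filtered options are dropped silently; an explicit `default: break;` with a debug log line would make the filtering visible.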

Modified: asterisk/branches/lenny-security/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/series?rev=9040&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/series (original)
+++ asterisk/branches/lenny-security/debian/patches/series Fri Jun 24 15:44:54 2011
@@ -107,3 +107,4 @@
 manager_bugfix_reload
 AST-2011-005
 AST-2011-005-p2
+AST-2011-010



