[Pkg-voip-commits] r9041 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2011-010 patches/series

tzafrir at alioth.debian.org tzafrir at alioth.debian.org
Fri Jun 24 15:55:20 UTC 2011 

Author: tzafrir
Date: Fri Jun 24 15:55:19 2011
New Revision: 9041

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9041
Log:
Patch AST-2011-010 (CVE-2011-2535): crash due to dereferencing a remote
pointer (closes: #631448).

Added:
    asterisk/branches/squeeze/debian/patches/AST-2011-010
Modified:
    asterisk/branches/squeeze/debian/changelog
    asterisk/branches/squeeze/debian/patches/series

Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9041&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Fri Jun 24 15:55:19 2011
@@ -2,8 +2,10 @@
 
   * Patch AST-2011-008 (CVE-2011-2529) - crash on a malformed SIP packet
    (Closes: 631446).
-
- -- Tzafrir Cohen <tzafrir at debian.org>  Fri, 24 Jun 2011 02:25:38 +0300
+  * Patch AST-2011-010 (CVE-2011-2535): crash due to dereferencing a remote
+    pointer (closes: #631448).
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Fri, 24 Jun 2011 18:53:22 +0300
 
 asterisk (1:1.6.2.9-2+squeeze2) stable-security; urgency=high
 

Added: asterisk/branches/squeeze/debian/patches/AST-2011-010
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-010?rev=9041&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-010 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-010 Fri Jun 24 15:55:19 2011
@@ -1,0 +1,78 @@
+From: David Vossel <dvossel at digium.com>
+Date: Thu, 23 Jun 2011 18:18:46 +0000
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=324634
+Subject: Addresses AST-2011-010, crash due to dereferencing a remote pointer
+
+A memory address was inadvertently transmitted over the network via
+IAX2 via an option control frame and the remote party would try to access it.
+
+CVE: CVE-2011-2535
+See also: http://downloads.asterisk.org/pub/security/AST-2011-010.html
+---
+ channels/chan_iax2.c |   14 +++++++++++++-
+ main/features.c      |   15 ++++++++++++---
+ 2 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 952092d..6aea5fd 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -5081,7 +5081,14 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
+ 	case AST_OPTION_OPRMODE:
+ 		errno = EINVAL;
+ 		return -1;
+-	default:
++ 	/* These options are sent to the other side across the network where
++ 	 * they will be passed to whatever channel is bridged there. Don't
++ 	 * do anything silly like pass an option that transmits pointers to
++ 	 * memory on this machine to a remote machine to use */
++ 	case AST_OPTION_TONE_VERIFY:
++ 	case AST_OPTION_TDD:
++ 	case AST_OPTION_RELAXDTMF:
++ 	case AST_OPTION_AUDIO_MODE:
+ 	{
+ 		unsigned short callno = PTR_TO_CALLNO(c->tech_pvt);
+ 		struct chan_iax2_pvt *pvt;
+@@ -5109,7 +5116,12 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
+ 		ast_free(h);
+ 		return res;
+ 	}
++	default:
++		return -1;
+ 	}
++
++	/* Just in case someone does a break instead of a return */
++	return -1;
+ }
+ 
+ static struct ast_frame *iax2_read(struct ast_channel *c) 
+diff --git a/main/features.c b/main/features.c
+index c83b014..b57d7d1 100644
+--- a/main/features.c
++++ b/main/features.c
+@@ -3132,10 +3132,19 @@ int ast_bridge_call(struct ast_channel *chan,struct ast_channel *peer,struct ast
+ 				break;
+ 			case AST_CONTROL_OPTION:
+ 				aoh = f->data.ptr;
+-				/* Forward option Requests */
++				/* Forward option Requests, but only ones we know are safe
++				 * These are ONLY sent by chan_iax2 and I'm not convinced that
++				 * they are useful. I haven't deleted them entirely because I
++				 * just am not sure of the ramifications of removing them. */
+ 				if (aoh && aoh->flag == AST_OPTION_FLAG_REQUEST) {
+-					ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
+-						f->datalen - sizeof(struct ast_option_header), 0);
++				   	switch (ntohs(aoh->option)) {
++					case AST_OPTION_TONE_VERIFY:
++					case AST_OPTION_TDD:
++					case AST_OPTION_RELAXDTMF:
++					case AST_OPTION_AUDIO_MODE:
++						ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
++							f->datalen - sizeof(struct ast_option_header), 0);
++					}
+ 				}
+ 				break;
+ 			}
+-- 
+1.7.5.4
+

Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9041&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Fri Jun 24 15:55:19 2011
@@ -35,3 +35,4 @@
 AST-2011-005-p2
 AST-2011-006
 AST-2011-008
+AST-2011-010

More information about the Pkg-voip-commits mailing list