[Pkg-voip-commits] r8834 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2011-003 patches/AST-2011-004 patches/series

tzafrir at alioth.debian.org
Thu Mar 17 11:18:00 UTC 2011


Author: tzafrir
Date: Thu Mar 17 11:17:47 2011
New Revision: 8834

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=8834
Log:
* AST-2011-003: Resource exhaustion in Asterisk Manager Interface
* AST-2011-004: Remote crash vulnerability in TCP/TLS server

Added:
    asterisk/branches/squeeze/debian/patches/AST-2011-003
    asterisk/branches/squeeze/debian/patches/AST-2011-004
Modified:
    asterisk/branches/squeeze/debian/changelog
    asterisk/branches/squeeze/debian/patches/series

Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=8834&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Thu Mar 17 11:17:47 2011
@@ -1,8 +1,10 @@
 asterisk (1:1.6.2.9-2+squeeze2) stable-security; urgency=low
 
   * AST-2011-002: Multiple crash vulnerabilities in UDPTL code
-
- -- Tzafrir Cohen <tzafrir at debian.org>  Tue, 22 Feb 2011 11:38:42 +0200
+  * AST-2011-003: Resource exhaustion in Asterisk Manager Interface
+  * AST-2011-004: Remote crash vulnerability in TCP/TLS server
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Thu, 17 Mar 2011 13:04:09 +0200
 
 asterisk (1:1.6.2.9-2+squeeze1) stable-security; urgency=high
 
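Review bot: the new changelog entry keeps `urgency=low` while the previous stable-security upload (1:1.6.2.9-2+squeeze1, just below) used `urgency=high`; for an upload fixing two remotely triggerable denial-of-service issues the higher urgency is the consistent choice. The entries also cite only the AST-2011-00x advisory numbers; if CVE identifiers have been assigned for these advisories, list them alongside, since the security tracker matches on CVE ids rather than upstream advisory names.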

Added: asterisk/branches/squeeze/debian/patches/AST-2011-003
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-003?rev=8834&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-003 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-003 Thu Mar 17 11:17:47 2011
@@ -1,0 +1,52 @@
+Description: Resource exhaustion in Asterisk Manager Interface
+Origin: http://downloads.asterisk.org/pub/security/AST-2011-003-1.6.1.diff
+
+Rapidly opening manager connections, sending invalid data, and closing the
+connection can cause Asterisk to exhaust available CPU and memory resources.
+
+The manager interface is disabled by default in upstream, but enabled
+by default (listening on localhost only) in the version in Debian 5.0 (Lenny)
+and 6.0 (Squeeze).
+
+Backported from the upstream patch for 1.6.1.
+See also http://downloads.asterisk.org/pub/security/AST-2011-003.html
+
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -220,6 +220,7 @@ struct mansession {
+ 	struct mansession_session *session;
+ 	FILE *f;
+ 	int fd;
++	int write_error:1;
+ };
+ 
+ #define NEW_EVENT(m)	(AST_LIST_NEXT(m->session->last_ev, eq_next))
+@@ -944,11 +945,15 @@ struct ast_variable *astman_get_variable
+  */
+ static int send_string(struct mansession *s, char *string)
+ {
+-	if (s->f) {
+-		return ast_careful_fwrite(s->f, s->fd, string, strlen(string), s->session->writetimeout);
+-	} else {
+-		return ast_careful_fwrite(s->session->f, s->session->fd, string, strlen(string), s->session->writetimeout);
++	int res;
++
++	if (s->f && (res = ast_careful_fwrite(s->f, s->fd, string, strlen(string), s->session->writetimeout))) {
++		s->write_error = 1;
++	} else if ((res = ast_careful_fwrite(s->session->f, s->session->fd, string, strlen(string), s->session->writetimeout))) {
++		s->write_error = 1;
+ 	}
++
++	return res;
+ }
+ 
+ /*!
+@@ -3232,7 +3237,7 @@ static void *session_do(void *data)
+ 
+ 	astman_append(&s, "Asterisk Call Manager/%s\r\n", AMI_VERSION);	/* welcome prompt */
+ 	for (;;) {
+-		if ((res = do_message(&s)) < 0)
++		if ((res = do_message(&s)) < 0 || s.write_error)
+ 			break;
+ 	}
+ 	/* session is over, explain why and terminate */
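Review bot: in the send_string hunk a successful write to s->f no longer returns early. `if (s->f && (res = ast_careful_fwrite(s->f, ...)))` is false when the write succeeds (res == 0), so control falls into the `else if` and the same string is written a second time to s->session->f; the replaced code wrote to exactly one of the two. Select the FILE/fd pair first and issue a single write, e.g. `FILE *f = s->f ? s->f : s->session->f;` with the matching fd, then `if ((res = ast_careful_fwrite(f, fd, string, strlen(string), s->session->writetimeout))) s->write_error = 1;`. Two smaller points: `int write_error:1;` is a signed one-bit field, so `s->write_error = 1` stores -1 on common compilers; it still tests true in the session_do loop, but `unsigned int write_error:1;` is the portable form. And the header says the fix is backported from the 1.6.1 upstream diff (Origin: AST-2011-003-1.6.1.diff) although the package is 1.6.2.9 and the AST-2011-004 patch below uses the 1.6.2 diff; if upstream published a 1.6.2 version of this fix it would be the closer match and worth diffing against.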

Added: asterisk/branches/squeeze/debian/patches/AST-2011-004
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-004?rev=8834&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-004 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-004 Thu Mar 17 11:17:47 2011
@@ -1,0 +1,28 @@
+Description: Remote crash vulnerability in TCP/TLS server
+Origin: http://downloads.asterisk.org/pub/security/AST-2011-004-1.6.2.diff
+
+Rapidly opening and closing TCP connections to services using the
+ast_tcptls_* API (primarily chan_sip, manager, and res_phoneprov) can
+cause Asterisk to crash after dereferencing a NULL pointer.
+
+TCP-TLS code was did not exist yet in the Lenny (5.0) version of Asterisk.
+
+See also: http://downloads.asterisk.org/pub/security/AST-2011-004.html
+
+--- a/main/tcptls.c
++++ b/main/tcptls.c
+@@ -139,8 +139,12 @@ static void *handle_tcptls_connection(vo
+ 	* open a FILE * as appropriate.
+ 	*/
+ 	if (!tcptls_session->parent->tls_cfg) {
+-		tcptls_session->f = fdopen(tcptls_session->fd, "w+");
+-		setvbuf(tcptls_session->f, NULL, _IONBF, 0);
++		if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
++			if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
++				fclose(tcptls_session->f);
++				tcptls_session->f = NULL;
++			}
++		}
+ 	}
+ #ifdef DO_SSL
+ 	else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {

Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=8834&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Thu Mar 17 11:17:47 2011
@@ -28,3 +28,5 @@
 
 AST-2011-001
 AST-2011-002
+AST-2011-003
+AST-2011-004
