[Pkg-voip-commits] r9656 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2012-004 patches/AST-2012-005 patches/series
Wed Apr 25 08:32:13 UTC 2012
Author: tzafrir
Date: Wed Apr 25 08:32:11 2012
New Revision: 9656
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9656
Log:
* Two extra patches: Closes: #670180:
- Patch AST-2012-004 - further Manager permission fixes (CVE-2012-2414).
- Patch AST-2012-005 - Heap overflow in chan_skinny (CVE-2012-2415).
Added:
asterisk/branches/squeeze/debian/patches/AST-2012-004
asterisk/branches/squeeze/debian/patches/AST-2012-005
Modified:
asterisk/branches/squeeze/debian/changelog
asterisk/branches/squeeze/debian/patches/series
Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9656&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Wed Apr 25 08:32:11 2012
@@ -4,8 +4,11 @@
* Quote pathes in postinst script: Closes: #656208 (Pocos).
* Patch AST-2012-002 Stack overflow in Milliwatt
(CVE-2012-1183): Closes: #664411.
-
- -- Tzafrir Cohen <tzafrir at debian.org> Sun, 25 Mar 2012 17:26:59 +0200
+ * Two extra patches: Closes: #670180:
+ - Patch AST-2012-004 - further Manager permission fixes (CVE-2012-2414).
+ - Patch AST-2012-005 - Heap overflow in chan_skinny (CVE-2012-2415).
+
+ -- Tzafrir Cohen <tzafrir at debian.org> Tue, 24 Apr 2012 23:11:23 +0300
asterisk (1:1.6.2.9-2+squeeze4) stable-security; urgency=high
Added: asterisk/branches/squeeze/debian/patches/AST-2012-004
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-004?rev=9656&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-004 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-004 Wed Apr 25 08:32:11 2012
@@ -1,0 +1,102 @@
+From: Jonathan Rose <jrose at digium.com>
+Date: Mon, 23 Apr 2012 14:21:30 +0000
+Subject: AST-2012-004: further AMI permission fixes
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=363117
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-17465
+
+Similar fixes to AST-2011-006. Fixes extra cases.
+
+Fix an error that allows AMI users to run shell commands sans authorization:
+
+As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
+actions were able to run system commands by going through other AMI commands which did
+not require that authorization. Specifically, GetVar and Status allowed users to do this
+by setting their variable/s options to the SHELL or EVAL functions.
+Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
+allowed users with originate permission to run MixMonitor and supply a shell command
+in the Data argument. That flaw is fixed in those versions of this patch.
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2012-004.html
+
+(closes issue ASTERISK-17465)
+Reported By: David Woolley
+Patches:
+ 162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
+ 18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
+ 10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
+
+---
+ main/manager.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -401,6 +401,19 @@ static struct permalias {
+ { 0, "none" },
+ };
+
++/*! \brief Checks to see if a string which can be used to evaluate functions should be rejected */
++static int check_user_can_execute_function(const char *evaluating, int writepermlist)
++{
++ if (!(writepermlist & EVENT_FLAG_SYSTEM)
++ && (
++ strstr(evaluating, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
++ strstr(evaluating, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
++ )) {
++ return 0;
++ }
++ return 1;
++}
++
+ /*! \brief Convert authority code to a list of options */
+ static char *authority_to_str(int authority, struct ast_str **res)
+ {
+@@ -1902,6 +1915,12 @@ static int action_getvar(struct mansessi
+ return 0;
+ }
+
++ /* We don't want users with insufficient permissions using certain functions. */
++ if (!(check_user_can_execute_function(varname, s->session->writeperm))) {
++ astman_send_error(s, m, "GetVar Access Forbidden: Variable");
++ return 0;
++ }
++
+ if (!ast_strlen_zero(name)) {
+ c = ast_get_channel_by_name_locked(name);
+ if (!c) {
+@@ -1969,6 +1988,11 @@ static int action_status(struct mansessi
+ else
+ idText[0] = '\0';
+
++ if (!(check_user_can_execute_function(variables, s->session->writeperm))) {
++ astman_send_error(s, m, "Status Access Forbidden: Variables");
++ return 0;
++ }
++
+ if (all)
+ c = ast_channel_walk_locked(NULL);
+ else {
+@@ -2498,6 +2522,7 @@ static int action_originate(struct manse
+ ast_parse_allow_disallow(NULL, &format, codecs, 1);
+ }
+ if (!ast_strlen_zero(app)) {
++ int bad_appdata = 0;
+ /* To run the System application (or anything else that goes to
+ * shell), you must have the additional System privilege */
+ if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
+@@ -2508,10 +2533,12 @@ static int action_originate(struct manse
+ TryExec(System(rm -rf /)) */
+ strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
+ EAGI(/bin/rm,-rf /) */
+- strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
+- strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
++ (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
++ (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ )) {
+- astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
++ char error_buf[64];
++ snprintf(error_buf, sizeof(error_buf), "Originate Access Forbidden: %s", bad_appdata ? "Data" : "Application");
++ astman_send_error(s, m, error_buf);
+ return 0;
+ }
+ }
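Review bot: The brief on the new helper says it checks whether a string "should be rejected", yet the function returns 1 when evaluation is allowed and 0 when it must be refused, which is easy to misread at the two call sites in action_getvar and action_status; the contract should be stated explicitly, `\return 1 if the user may evaluate the string, 0 if it must be rejected (caller sends the AMI error)`, together with a note that this is a plain substring blocklist, so any variable text containing SHELL or EVAL is refused by design. The helper uses case-sensitive strstr() while the neighbouring test in action_originate uses strcasestr() for "agi"; if dialplan function names resolve case-sensitively that is adequate, but a one-line comment recording which it is would keep the two checks from being tightened independently later. In the action_originate hunk the `(bad_appdata = 1)` assignments embedded in the condition are a style concern — the flag doubles as a record of which short-circuited term matched, and that intent deserves a comment such as `/* bad_appdata records that the Data field, not Application, triggered the refusal */` rather than being left implicit. The bodies of action_getvar, action_status and action_originate all continue outside the hunk.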
Added: asterisk/branches/squeeze/debian/patches/AST-2012-005
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-005?rev=9656&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-005 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-005 Wed Apr 25 08:32:11 2012
@@ -1,0 +1,52 @@
+From cf2f4f0cf2fe5f30b1e033814ef57256a3806825 Mon Sep 17 00:00:00 2001
+From: Matthew Jordan <mjordan at digium.com>
+Date: Mon, 23 Apr 2012 13:30:50 +0000
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=363100
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-19592
+Subject: AST-2012-005: chan_skinny: heap overflow in keypad button handling
+
+When handling a keypad button message event, the received digit is placed into
+a fixed length buffer that acts as a queue. When a new message event is
+received, the length of that buffer is not checked before placing the new digit
+on the end of the queue. The situation exists where sufficient keypad button
+message events would occur that would cause the buffer to be overrun. This
+patch explicitly checks that there is sufficient room in the buffer before
+appending a new digit.
+
+This issue can only be exploited with a registered Skinny phone (configured
+in e.g. skinny.conf).
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2012-005.html
+
+Reported by: Russell Bryant
+
+---
+ channels/chan_skinny.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/channels/chan_skinny.c
++++ b/channels/chan_skinny.c
+@@ -6064,6 +6064,7 @@ static int handle_register_available_lin
+ static int handle_message(struct skinny_req *req, struct skinnysession *s)
+ {
+ int res = 0;
++ size_t len;
+
+ if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
+ ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
+@@ -6129,8 +6130,13 @@ static int handle_message(struct skinny_
+ ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
+ }
+
+- d->exten[strlen(d->exten)] = dgt;
+- d->exten[strlen(d->exten)+1] = '\0';
++ len = strlen(d->exten);
++ if (len < sizeof(d->exten) - 1) {
++ d->exten[len] = dgt;
++ d->exten[len + 1] = '\0';
++ } else {
++ ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
++ }
+ } else
+ res = handle_keypad_button_message(req, s);
+ }
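Review bot: The bound `len < sizeof(d->exten) - 1` is only a buffer-size check if `exten` is a character array member of the device struct rather than a pointer, and it relies on the buffer already being NUL-terminated since the length comes from strlen(); neither fact is visible in this hunk, so the invariant should be stated next to the check, `/* exten is a fixed-size NUL-terminated array; leave room for the terminator */`. The new log call uses AST_LOG_WARNING whereas the existing call a few lines above in the same function uses LOG_WARNING; presumably both map to the same level on this branch, but one form should be used consistently. Because a registered phone can now trigger this warning on every extra keypress once the queue is full, operators should expect repeated entries from a single device, and if this branch offers a rate-limited logging form it would be the better choice here. handle_message begins and ends outside the hunk.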
Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9656&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Wed Apr 25 08:32:11 2012
@@ -48,3 +48,5 @@
AST-2011-014
AST-2012-002
+AST-2012-004
+AST-2012-005