[Pkg-voip-commits] r9656 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2012-004 patches/AST-2012-005 patches/series

tzafrir at alioth.debian.org tzafrir at alioth.debian.org
Wed Apr 25 08:32:13 UTC 2012


Author: tzafrir
Date: Wed Apr 25 08:32:11 2012
New Revision: 9656

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9656
Log:
* Two extra patches: Closes: #670180:
  - Patch AST-2012-004 - further Manager permission fixes (CVE-2012-2414).
  - Patch AST-2012-005 - Heap overflow in chan_skinny (CVE-2012-2415).

Added:
    asterisk/branches/squeeze/debian/patches/AST-2012-004
    asterisk/branches/squeeze/debian/patches/AST-2012-005
Modified:
    asterisk/branches/squeeze/debian/changelog
    asterisk/branches/squeeze/debian/patches/series

Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9656&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Wed Apr 25 08:32:11 2012
@@ -4,8 +4,11 @@
   * Quote pathes in postinst script: Closes: #656208 (Pocos).
   * Patch AST-2012-002 Stack overflow in Milliwatt
     (CVE-2012-1183): Closes: #664411.
-
- -- Tzafrir Cohen <tzafrir at debian.org>  Sun, 25 Mar 2012 17:26:59 +0200
+  * Two extra patches: Closes: #670180:
+    - Patch AST-2012-004 - further Manager permission fixes (CVE-2012-2414).
+    - Patch AST-2012-005 - Heap overflow in chan_skinny (CVE-2012-2415).
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Tue, 24 Apr 2012 23:11:23 +0300
 
 asterisk (1:1.6.2.9-2+squeeze4) stable-security; urgency=high
 

Added: asterisk/branches/squeeze/debian/patches/AST-2012-004
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-004?rev=9656&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-004 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-004 Wed Apr 25 08:32:11 2012
@@ -1,0 +1,102 @@
+From: Jonathan Rose <jrose at digium.com>
+Date: Mon, 23 Apr 2012 14:21:30 +0000
+Subject: AST-2012-004: further AMI permission fixes
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=363117
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-17465
+
+Similar fixes to AST-2011-006. Fixes extra cases.
+
+Fix an error that allows AMI users to run shell commands sans authorization:
+
+As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
+actions were able to run system commands by going through other AMI commands which did
+not require that authorization. Specifically, GetVar and Status allowed users to do this
+by setting their variable/s options to the SHELL or EVAL functions.
+Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
+allowed users with originate permission to run MixMonitor and supply a shell command
+in the Data argument. That flaw is fixed in those versions of this patch.
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2012-004.html
+
+(closes issue ASTERISK-17465)
+Reported By: David Woolley
+Patches:
+	162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
+	18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
+	10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
+
+---
+ main/manager.c |   42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -401,6 +401,19 @@ static struct permalias {
+ 	{ 0, "none" },
+ };
+ 
++/*! \brief Checks to see if a string which can be used to evaluate functions should be rejected */
++static int check_user_can_execute_function(const char *evaluating, int writepermlist)
++{
++	if (!(writepermlist & EVENT_FLAG_SYSTEM)
++		&& (
++			strstr(evaluating, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
++			strstr(evaluating, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
++		)) {
++		return 0;
++	}
++	return 1;
++}
++
+ /*! \brief Convert authority code to a list of options */
+ static char *authority_to_str(int authority, struct ast_str **res)
+ {
+@@ -1902,6 +1915,12 @@ static int action_getvar(struct mansessi
+ 		return 0;
+ 	}
+ 
++	/* We don't want users with insufficient permissions using certain functions. */
++	if (!(check_user_can_execute_function(varname, s->session->writeperm))) {
++		astman_send_error(s, m, "GetVar Access Forbidden: Variable");
++		return 0;
++	}
++
+ 	if (!ast_strlen_zero(name)) {
+ 		c = ast_get_channel_by_name_locked(name);
+ 		if (!c) {
+@@ -1969,6 +1988,11 @@ static int action_status(struct mansessi
+ 	else
+ 		idText[0] = '\0';
+ 
++	if (!(check_user_can_execute_function(variables, s->session->writeperm))) {
++		astman_send_error(s, m, "Status Access Forbidden: Variables");
++		return 0;
++	}
++
+ 	if (all)
+ 		c = ast_channel_walk_locked(NULL);
+ 	else {
+@@ -2498,6 +2522,7 @@ static int action_originate(struct manse
+ 		ast_parse_allow_disallow(NULL, &format, codecs, 1);
+ 	}
+ 	if (!ast_strlen_zero(app)) {
++		int bad_appdata = 0;
+ 		/* To run the System application (or anything else that goes to
+ 		 * shell), you must have the additional System privilege */
+ 		if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
+@@ -2508,10 +2533,12 @@ static int action_originate(struct manse
+ 				                                     TryExec(System(rm -rf /)) */
+ 				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
+ 				                                     EAGI(/bin/rm,-rf /)       */
+-				strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
+-				strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
++				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
++				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ 				)) {
+-			astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
++			char error_buf[64];
++			snprintf(error_buf, sizeof(error_buf), "Originate Access Forbidden: %s", bad_appdata ? "Data" : "Application");
++			astman_send_error(s, m, error_buf);
+ 			return 0;
+ 		}
+ 	}
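Review bot: check_user_can_execute_function matches `SHELL` and `EVAL` with case-sensitive strstr, while the Originate check a few lines below already uses strcasestr for the application name; if function names are resolved case-insensitively, as that strcasestr suggests the authors assume for applications, the new GetVar and Status guards should apply the same case-insensitive match, `strcasestr(evaluating, "SHELL") || strcasestr(evaluating, "EVAL")`, so all three paths enforce one rule. The helper also dereferences evaluating unconditionally, so every caller must guarantee a non-NULL string; presumably astman_get_header yields an empty string for a missing header, which is worth stating in the helper's \brief. In the Originate part, setting bad_appdata inside the condition (`strstr(appdata, "SHELL") && (bad_appdata = 1)`) hides a side effect in a boolean expression; computing `bad_appdata = strstr(appdata, "SHELL") || strstr(appdata, "EVAL");` before the if and testing it there reads more plainly. The enclosing functions action_getvar, action_status and action_originate all start and end outside this hunk.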

Added: asterisk/branches/squeeze/debian/patches/AST-2012-005
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-005?rev=9656&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-005 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-005 Wed Apr 25 08:32:11 2012
@@ -1,0 +1,52 @@
+From cf2f4f0cf2fe5f30b1e033814ef57256a3806825 Mon Sep 17 00:00:00 2001
+From: Matthew Jordan <mjordan at digium.com>
+Date: Mon, 23 Apr 2012 13:30:50 +0000
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=363100
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-19592
+Subject: AST-2012-005: chan_skinny: heap overflow in keypad button handling
+
+When handling a keypad button message event, the received digit is placed into
+a fixed length buffer that acts as a queue.  When a new message event is
+received, the length of that buffer is not checked before placing the new digit
+on the end of the queue.  The situation exists where sufficient keypad button
+message events would occur that would cause the buffer to be overrun.  This
+patch explicitly checks that there is sufficient room in the buffer before
+appending a new digit.
+
+This issue can only be exploited with a registered Skinny phone (configured
+in e.g. skinny.conf).
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2012-005.html
+
+Reported by: Russell Bryant
+
+---
+ channels/chan_skinny.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/channels/chan_skinny.c
++++ b/channels/chan_skinny.c
+@@ -6064,6 +6064,7 @@ static int handle_register_available_lin
+ static int handle_message(struct skinny_req *req, struct skinnysession *s)
+ {
+ 	int res = 0;
++	size_t len;
+ 
+ 	if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
+ 		ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
+@@ -6129,8 +6130,13 @@ static int handle_message(struct skinny_
+ 				ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
+ 			}
+ 
+-			d->exten[strlen(d->exten)] = dgt;
+-			d->exten[strlen(d->exten)+1] = '\0';
++			len = strlen(d->exten);
++			if (len < sizeof(d->exten) - 1) {
++				d->exten[len] = dgt;
++				d->exten[len + 1] = '\0';
++			} else {
++				ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
++			}
+ 		} else
+ 			res = handle_keypad_button_message(req, s);
+ 		}
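Review bot: The bound `len < sizeof(d->exten) - 1` is only correct if exten is a fixed-size array member of the device struct; were it a pointer, sizeof would give the pointer size and the check would be wrong, so the assumption deserves a comment on that line, e.g. `/* exten is a fixed array; sizeof gives its capacity */`. The new else branch logs a warning for every dropped digit, so a registered phone that keeps sending keypad events fills the log at warning level; consider logging once per overflow episode or at debug level. The fix also relies on d->exten being NUL-terminated whenever strlen runs, which the context lines shown do not establish. handle_message starts in the first sub-hunk, but its body continues outside what is shown.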

Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9656&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Wed Apr 25 08:32:11 2012
@@ -48,3 +48,5 @@
 
 AST-2011-014
 AST-2012-002
+AST-2012-004
+AST-2012-005



