[Pkg-voip-commits] [asterisk] 02/03: New patches for recent security issues
tzafrir at debian.org
Mon Dec 8 05:28:13 UTC 2014
This is an automated email from the git hooks/post-receive script.
tzafrir pushed a commit to branch jessie
in repository asterisk.
commit 4fd65a6b07f438597bc60cc32a236ad383f56479
Author: Tzafrir Cohen <tzafrir at debian.org>
Date: Mon Dec 8 07:04:19 2014 +0200
New patches for recent security issues
---
debian/patches/AST-2014-014.patch | 81 +++++++++++++++++++++++++++++++++++++++
debian/patches/AST-2014-017.patch | 55 ++++++++++++++++++++++++++
debian/patches/AST-2014-018.patch | 41 ++++++++++++++++++++
debian/patches/series | 4 ++
4 files changed, 181 insertions(+)
diff --git a/debian/patches/AST-2014-014.patch b/debian/patches/AST-2014-014.patch
new file mode 100644
index 0000000..92f461c
--- /dev/null
+++ b/debian/patches/AST-2014-014.patch
@@ -0,0 +1,81 @@
+From 90cdc0d1c75ac44837da9ff4a6cecf754d99e4f9 Mon Sep 17 00:00:00 2001
+From: Joshua Colp <jcolp at digium.com>
+Date: Thu, 20 Nov 2014 14:20:08 +0000
+Subject: [PATCH 1/3] AST-2014-014: Fix race condition where channels may get
+ stuck in ConfBridge under load.
+
+Under load it was possible for the bridging API, and thus ConfBridge, to get
+channels that may have hung up stuck in it. This is because handling of state
+transitions for a bridged channel within a bridge was not protected and simply
+set the new state without regard to the existing state. If the existing state
+had been hung up this would get overwritten.
+
+This change adds locking to protect changing of the state and also
+takes into consideration the existing state.
+
+ASTERISK-24440 #close
+Reported by: Ben Klang
+
+Review: https://reviewboard.asterisk.org/r/4173/
+
+
+git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428299 f38db490-d61c-443f-a65b-d21fe96a405b
+---
+ main/bridging.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/main/bridging.c b/main/bridging.c
+index a36ccf9..0f8f4e8 100644
+--- a/main/bridging.c
++++ b/main/bridging.c
+@@ -120,8 +120,22 @@ int ast_bridge_technology_unregister(struct ast_bridge_technology *technology)
+
+ void ast_bridge_change_state(struct ast_bridge_channel *bridge_channel, enum ast_bridge_channel_state new_state)
+ {
+- /* Change the state on the bridge channel */
+- bridge_channel->state = new_state;
++ /* Change the state on the bridge channel with some manner of intelligence. */
++ ao2_lock(bridge_channel);
++ switch (bridge_channel->state) {
++ case AST_BRIDGE_CHANNEL_STATE_DEPART:
++ break;
++ case AST_BRIDGE_CHANNEL_STATE_END:
++ case AST_BRIDGE_CHANNEL_STATE_HANGUP:
++ if (new_state != AST_BRIDGE_CHANNEL_STATE_DEPART) {
++ break;
++ }
++ /* Fall through */
++ default:
++ bridge_channel->state = new_state;
++ break;
++ }
++ ao2_unlock(bridge_channel);
+
+ /* Only poke the channel's thread if it is not us */
+ if (!pthread_equal(pthread_self(), bridge_channel->thread)) {
+@@ -130,8 +144,6 @@ void ast_bridge_change_state(struct ast_bridge_channel *bridge_channel, enum ast
+ ast_cond_signal(&bridge_channel->cond);
+ ao2_unlock(bridge_channel);
+ }
+-
+- return;
+ }
+
+ /*! \brief Helper function to poke the bridge thread */
+@@ -1147,8 +1159,12 @@ static void *bridge_channel_thread(void *data)
+ state = bridge_channel_join(bridge_channel);
+
+ /* If no other thread is going to take the channel then hang it up, or else we would have to service it until something else came along */
+- if (bridge_channel->allow_impart_hangup && (state == AST_BRIDGE_CHANNEL_STATE_END || state == AST_BRIDGE_CHANNEL_STATE_HANGUP)) {
++ if (bridge_channel->allow_impart_hangup
++ && state != AST_BRIDGE_CHANNEL_STATE_DEPART) {
+ ast_hangup(bridge_channel->chan);
++
++ /* nobody is waiting to join me. */
++ pthread_detach(pthread_self());
+ }
+
+ /* cleanup */
+--
+2.1.3
+
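Review bot: In ast_bridge_change_state() the new comment ("with some manner of intelligence") does not state the rule the switch enforces, which is that DEPART is never overwritten and END or HANGUP can only move on to DEPART. Spell that rule out in the comment, because a rejected transition is silent: the function returns void and the code after the switch still pokes the channel's thread. In bridge_channel_thread() the hangup condition widens from END/HANGUP to any state other than DEPART, and the added pthread_detach(pthread_self()) assumes nothing will join this thread when allow_impart_hangup is set. The commit message covers neither change, so the "nobody is waiting to join me" comment should name that invariant.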
diff --git a/debian/patches/AST-2014-017.patch b/debian/patches/AST-2014-017.patch
new file mode 100644
index 0000000..a4e1ed4
--- /dev/null
+++ b/debian/patches/AST-2014-017.patch
@@ -0,0 +1,55 @@
+From 192e4a1d7a04077fe3e94d6eff3ebbd187aa8c05 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell at digium.com>
+Date: Thu, 20 Nov 2014 15:42:01 +0000
+Subject: [PATCH 2/3] AST-2014-017 - app_confbridge: permission escalation/
+ class authorization.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Confbridge dialplan function permission escalation via AMI and inappropriate
+class authorization on the ConfbridgeStartRecord action. The CONFBRIDGE dialplan
+function when executed from an external protocol (for instance AMI), could
+result in a privilege escalation. Also, the AMI action “ConfbridgeStartRecord”
+could also be used to execute arbitrary system commands without first checking
+for system access.
+
+Asterisk now inhibits the CONFBRIDGE function from being executed from an
+external interface if the live_dangerously option is set to no. Also, the
+“ConfbridgeStartRecord” AMI action is now only allowed to execute under a
+user with system level access.
+
+ASTERISK-24490
+Reported by: Gareth Palmer
+
+
+git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428332 f38db490-d61c-443f-a65b-d21fe96a405b
+---
+ apps/app_confbridge.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/apps/app_confbridge.c b/apps/app_confbridge.c
+index 70844d6..2fa7904 100644
+--- a/apps/app_confbridge.c
++++ b/apps/app_confbridge.c
+@@ -3189,7 +3189,7 @@ static int load_module(void)
+ ast_log(LOG_ERROR, "Unable to load config. Not loading module.\n");
+ return AST_MODULE_LOAD_DECLINE;
+ }
+- if ((ast_custom_function_register(&confbridge_function))) {
++ if ((ast_custom_function_register_escalating(&confbridge_function, AST_CFE_WRITE))) {
+ return AST_MODULE_LOAD_FAILURE;
+ }
+ if ((ast_custom_function_register(&confbridge_info_function))) {
+@@ -3220,7 +3220,7 @@ static int load_module(void)
+ res |= ast_manager_register_xml("ConfbridgeKick", EVENT_FLAG_CALL, action_confbridgekick);
+ res |= ast_manager_register_xml("ConfbridgeUnlock", EVENT_FLAG_CALL, action_confbridgeunlock);
+ res |= ast_manager_register_xml("ConfbridgeLock", EVENT_FLAG_CALL, action_confbridgelock);
+- res |= ast_manager_register_xml("ConfbridgeStartRecord", EVENT_FLAG_CALL, action_confbridgestartrecord);
++ res |= ast_manager_register_xml("ConfbridgeStartRecord", EVENT_FLAG_SYSTEM, action_confbridgestartrecord);
+ res |= ast_manager_register_xml("ConfbridgeStopRecord", EVENT_FLAG_CALL, action_confbridgestoprecord);
+ res |= ast_manager_register_xml("ConfbridgeSetSingleVideoSrc", EVENT_FLAG_CALL, action_confbridgesetsinglevideosrc);
+ if (res) {
+--
+2.1.3
+
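Review bot: In the second load_module() hunk, ConfbridgeStartRecord moves to EVENT_FLAG_SYSTEM while ConfbridgeStopRecord stays at EVENT_FLAG_CALL, so an AMI user with only call-level access can stop a recording but can no longer start one. That asymmetry, and the behaviour change for existing AMI accounts, deserve a line in the upgrade notes. In the first hunk, confbridge_function is registered with AST_CFE_WRITE only, while the commit message says the function is inhibited from external interfaces in general; a short comment on why AST_CFE_WRITE rather than AST_CFE_BOTH is the right class would save the next reader from checking.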
diff --git a/debian/patches/AST-2014-018.patch b/debian/patches/AST-2014-018.patch
new file mode 100644
index 0000000..d1af4b0
--- /dev/null
+++ b/debian/patches/AST-2014-018.patch
@@ -0,0 +1,41 @@
+From 97a7e59635cc71f82e932d9f142ac58ffbfee431 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell at digium.com>
+Date: Thu, 20 Nov 2014 16:22:50 +0000
+Subject: [PATCH 3/3] AST-2014-018 - func_db: DB Dialplan function permission
+ escalation via AMI.
+
+The DB dialplan function when executed from an external protocol (for instance
+AMI), could result in a privilege escalation.
+
+Asterisk now inhibits the DB function from being executed from an external
+interface if the live_dangerously option is set to no.
+
+ASTERISK-24534
+Reported by: Gareth Palmer
+patches: submitted by Gareth Palmer (license 5169)
+........
+
+Merged revisions 428331 from http://svn.asterisk.org/svn/asterisk/branches/1.8
+
+
+git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428363 f38db490-d61c-443f-a65b-d21fe96a405b
+---
+ funcs/func_db.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/funcs/func_db.c b/funcs/func_db.c
+index ebe58f0..b56fef9 100644
+--- a/funcs/func_db.c
++++ b/funcs/func_db.c
+@@ -351,7 +351,7 @@ static int load_module(void)
+ {
+ int res = 0;
+
+- res |= ast_custom_function_register(&db_function);
++ res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH);
+ res |= ast_custom_function_register(&db_exists_function);
+ res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
+ res |= ast_custom_function_register(&db_keys_function);
+--
+2.1.3
+
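Review bot: In load_module(), db_function now escalates with AST_CFE_BOTH and db_delete_function already escalates with AST_CFE_READ, but db_exists_function and db_keys_function on the neighbouring lines remain on plain ast_custom_function_register(). The commit message does not say why those two are exempt; either add a comment stating that they are considered safe from an external interface, or register them as escalating as well.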
diff --git a/debian/patches/series b/debian/patches/series
index 286b680..8d8475e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,7 @@ escape_manpage_hyphen.patch
aelparse_enable.patch
res_fax_bounds.patch
neon_version_check.patch
+
+AST-2014-014.patch
+AST-2014-017.patch
+AST-2014-018.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git