[Pkg-voip-commits] [asterisk] 02/03: New patches for recent security issues

tzafrir at debian.org tzafrir at debian.org
Mon Dec 8 05:28:13 UTC 2014


This is an automated email from the git hooks/post-receive script.

tzafrir pushed a commit to branch jessie
in repository asterisk.

commit 4fd65a6b07f438597bc60cc32a236ad383f56479
Author: Tzafrir Cohen <tzafrir at debian.org>
Date:   Mon Dec 8 07:04:19 2014 +0200

    New patches for recent security issues
---
 debian/patches/AST-2014-014.patch | 81 +++++++++++++++++++++++++++++++++++++++
 debian/patches/AST-2014-017.patch | 55 ++++++++++++++++++++++++++
 debian/patches/AST-2014-018.patch | 41 ++++++++++++++++++++
 debian/patches/series             |  4 ++
 4 files changed, 181 insertions(+)

diff --git a/debian/patches/AST-2014-014.patch b/debian/patches/AST-2014-014.patch
new file mode 100644
index 0000000..92f461c
--- /dev/null
+++ b/debian/patches/AST-2014-014.patch
@@ -0,0 +1,81 @@
+From 90cdc0d1c75ac44837da9ff4a6cecf754d99e4f9 Mon Sep 17 00:00:00 2001
+From: Joshua Colp <jcolp at digium.com>
+Date: Thu, 20 Nov 2014 14:20:08 +0000
+Subject: [PATCH 1/3] AST-2014-014: Fix race condition where channels may get
+ stuck in ConfBridge under load.
+
+Under load it was possible for the bridging API, and thus ConfBridge, to get
+channels that may have hung up stuck in it. This is because handling of state
+transitions for a bridged channel within a bridge was not protected and simply
+set the new state without regard to the existing state. If the existing state
+had been hung up this would get overwritten.
+
+This change adds locking to protect changing of the state and also
+takes into consideration the existing state.
+
+ASTERISK-24440 #close
+Reported by: Ben Klang
+
+Review: https://reviewboard.asterisk.org/r/4173/
+
+
+git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428299 f38db490-d61c-443f-a65b-d21fe96a405b
+---
+ main/bridging.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/main/bridging.c b/main/bridging.c
+index a36ccf9..0f8f4e8 100644
+--- a/main/bridging.c
++++ b/main/bridging.c
+@@ -120,8 +120,22 @@ int ast_bridge_technology_unregister(struct ast_bridge_technology *technology)
+ 
+ void ast_bridge_change_state(struct ast_bridge_channel *bridge_channel, enum ast_bridge_channel_state new_state)
+ {
+-	/* Change the state on the bridge channel */
+-	bridge_channel->state = new_state;
++	/* Change the state on the bridge channel with some manner of intelligence. */
++	ao2_lock(bridge_channel);
++	switch (bridge_channel->state) {
++	case AST_BRIDGE_CHANNEL_STATE_DEPART:
++		break;
++	case AST_BRIDGE_CHANNEL_STATE_END:
++	case AST_BRIDGE_CHANNEL_STATE_HANGUP:
++		if (new_state != AST_BRIDGE_CHANNEL_STATE_DEPART) {
++			break;
++		}
++		/* Fall through */
++	default:
++		bridge_channel->state = new_state;
++		break;
++	}
++	ao2_unlock(bridge_channel);
+ 
+ 	/* Only poke the channel's thread if it is not us */
+ 	if (!pthread_equal(pthread_self(), bridge_channel->thread)) {
+@@ -130,8 +144,6 @@ void ast_bridge_change_state(struct ast_bridge_channel *bridge_channel, enum ast
+ 		ast_cond_signal(&bridge_channel->cond);
+ 		ao2_unlock(bridge_channel);
+ 	}
+-
+-	return;
+ }
+ 
+ /*! \brief Helper function to poke the bridge thread */
+@@ -1147,8 +1159,12 @@ static void *bridge_channel_thread(void *data)
+ 	state = bridge_channel_join(bridge_channel);
+ 
+ 	/* If no other thread is going to take the channel then hang it up, or else we would have to service it until something else came along */
+-	if (bridge_channel->allow_impart_hangup && (state == AST_BRIDGE_CHANNEL_STATE_END || state == AST_BRIDGE_CHANNEL_STATE_HANGUP)) {
++	if (bridge_channel->allow_impart_hangup
++		&& state != AST_BRIDGE_CHANNEL_STATE_DEPART) {
+ 		ast_hangup(bridge_channel->chan);
++
++		/* nobody is waiting to join me. */
++		pthread_detach(pthread_self());
+ 	}
+ 
+ 	/* cleanup */
+-- 
+2.1.3
+
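Review bot: The bridge_channel_thread hunk of the nested main/bridging.c patch widens the hangup condition from `state == AST_BRIDGE_CHANNEL_STATE_END || state == AST_BRIDGE_CHANNEL_STATE_HANGUP` to `state != AST_BRIDGE_CHANNEL_STATE_DEPART` and adds `pthread_detach(pthread_self())`, but the patch description only covers the locking in ast_bridge_change_state. Every other state that bridge_channel_join can return now also ends in ast_hangup, so the description or a code comment should say which states are expected there and why detaching is safe when allow_impart_hangup is set. In ast_bridge_change_state, the comment "with some manner of intelligence" does not state the rule the switch enforces (DEPART is final, END and HANGUP may only move to DEPART); spelling that out would make the fall-through easier to audit. The new lock is also released right after the switch while the poke block's context shows its own ao2_unlock after ast_cond_signal, so the state write and the signal appear to run in separate critical sections; worth confirming that is intended.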
diff --git a/debian/patches/AST-2014-017.patch b/debian/patches/AST-2014-017.patch
new file mode 100644
index 0000000..a4e1ed4
--- /dev/null
+++ b/debian/patches/AST-2014-017.patch
@@ -0,0 +1,55 @@
+From 192e4a1d7a04077fe3e94d6eff3ebbd187aa8c05 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell at digium.com>
+Date: Thu, 20 Nov 2014 15:42:01 +0000
+Subject: [PATCH 2/3] AST-2014-017 - app_confbridge: permission escalation/
+ class authorization.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Confbridge dialplan function permission escalation via AMI and inappropriate
+class authorization on the ConfbridgeStartRecord action. The CONFBRIDGE dialplan
+function when executed from an external protocol (for instance AMI), could
+result in a privilege escalation. Also, the AMI action “ConfbridgeStartRecord”
+could also be used to execute arbitrary system commands without first checking
+for system access.
+
+Asterisk now inhibits the CONFBRIDGE function from being executed from an
+external interface if the live_dangerously option is set to no.  Also, the
+“ConfbridgeStartRecord” AMI action is now only allowed to execute under a
+user with system level access.
+
+ASTERISK-24490
+Reported by: Gareth Palmer
+
+
+git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428332 f38db490-d61c-443f-a65b-d21fe96a405b
+---
+ apps/app_confbridge.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/apps/app_confbridge.c b/apps/app_confbridge.c
+index 70844d6..2fa7904 100644
+--- a/apps/app_confbridge.c
++++ b/apps/app_confbridge.c
+@@ -3189,7 +3189,7 @@ static int load_module(void)
+ 		ast_log(LOG_ERROR, "Unable to load config. Not loading module.\n");
+ 		return AST_MODULE_LOAD_DECLINE;
+ 	}
+-	if ((ast_custom_function_register(&confbridge_function))) {
++	if ((ast_custom_function_register_escalating(&confbridge_function, AST_CFE_WRITE))) {
+ 		return AST_MODULE_LOAD_FAILURE;
+ 	}
+ 	if ((ast_custom_function_register(&confbridge_info_function))) {
+@@ -3220,7 +3220,7 @@ static int load_module(void)
+ 	res |= ast_manager_register_xml("ConfbridgeKick", EVENT_FLAG_CALL, action_confbridgekick);
+ 	res |= ast_manager_register_xml("ConfbridgeUnlock", EVENT_FLAG_CALL, action_confbridgeunlock);
+ 	res |= ast_manager_register_xml("ConfbridgeLock", EVENT_FLAG_CALL, action_confbridgelock);
+-	res |= ast_manager_register_xml("ConfbridgeStartRecord", EVENT_FLAG_CALL, action_confbridgestartrecord);
++	res |= ast_manager_register_xml("ConfbridgeStartRecord", EVENT_FLAG_SYSTEM, action_confbridgestartrecord);
+ 	res |= ast_manager_register_xml("ConfbridgeStopRecord", EVENT_FLAG_CALL, action_confbridgestoprecord);
+ 	res |= ast_manager_register_xml("ConfbridgeSetSingleVideoSrc", EVENT_FLAG_CALL, action_confbridgesetsinglevideosrc);
+ 	if (res) {
+-- 
+2.1.3
+
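Review bot: Moving ConfbridgeStartRecord from EVENT_FLAG_CALL to EVENT_FLAG_SYSTEM in the second load_module hunk changes who may invoke the action, and nothing in this commit documents that for administrators. AMI accounts that hold only the call class will lose the action after the upgrade, so a NEWS or changelog entry should say so. In the first hunk, CONFBRIDGE is registered with AST_CFE_WRITE only and confbridge_info_function stays on plain ast_custom_function_register; a short comment on why reads and the info function can stay unrestricted would help the next reader.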
diff --git a/debian/patches/AST-2014-018.patch b/debian/patches/AST-2014-018.patch
new file mode 100644
index 0000000..d1af4b0
--- /dev/null
+++ b/debian/patches/AST-2014-018.patch
@@ -0,0 +1,41 @@
+From 97a7e59635cc71f82e932d9f142ac58ffbfee431 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell at digium.com>
+Date: Thu, 20 Nov 2014 16:22:50 +0000
+Subject: [PATCH 3/3] AST-2014-018 - func_db: DB Dialplan function permission
+ escalation via AMI.
+
+The DB dialplan function when executed from an external protocol (for instance
+AMI), could result in a privilege escalation.
+
+Asterisk now inhibits the DB function from being executed from an external
+interface if the live_dangerously option is set to no.
+
+ASTERISK-24534
+Reported by: Gareth Palmer
+patches: submitted by Gareth Palmer (license 5169)
+........
+
+Merged revisions 428331 from http://svn.asterisk.org/svn/asterisk/branches/1.8
+
+
+git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428363 f38db490-d61c-443f-a65b-d21fe96a405b
+---
+ funcs/func_db.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/funcs/func_db.c b/funcs/func_db.c
+index ebe58f0..b56fef9 100644
+--- a/funcs/func_db.c
++++ b/funcs/func_db.c
+@@ -351,7 +351,7 @@ static int load_module(void)
+ {
+ 	int res = 0;
+ 
+-	res |= ast_custom_function_register(&db_function);
++	res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH);
+ 	res |= ast_custom_function_register(&db_exists_function);
+ 	res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
+ 	res |= ast_custom_function_register(&db_keys_function);
+-- 
+2.1.3
+
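Review bot: db_exists_function and db_keys_function in the load_module context stay on plain ast_custom_function_register while db_function moves to AST_CFE_BOTH and db_delete_function already uses AST_CFE_READ, and the patch does not say why those two are safe to reach from an external interface. Either register them as escalating too or add a comment explaining why they are left out. The description also makes the restriction conditional on live_dangerously being set to no, so the package changelog should tell administrators to check that setting.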
diff --git a/debian/patches/series b/debian/patches/series
index 286b680..8d8475e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,7 @@ escape_manpage_hyphen.patch
 aelparse_enable.patch
 res_fax_bounds.patch
 neon_version_check.patch
+
+AST-2014-014.patch
+AST-2014-017.patch
+AST-2014-018.patch
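Review bot: The blank `+` line ahead of the three new series entries sets them apart from the existing list without saying why. Either drop it or replace it with a `#` comment that labels the group as security fixes, so the separation is self-explanatory to whoever edits the series next.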

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git


