[Pkg-voip-commits] [asterisk] 01/01: AST-2016-009: non-printable ASCII chars treated as whitespace (CVE-2016-9938)
Bernhard Schmidt
berni at moszumanska.debian.org
Sun Dec 18 22:02:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
berni pushed a commit to branch jessie
in repository asterisk.
commit c784dca12d977c1ba0b5e06cc106f29c877be77b
Author: Bernhard Schmidt <berni at debian.org>
Date: Sun Dec 18 22:57:18 2016 +0100
AST-2016-009: non-printable ASCII chars treated as whitespace (CVE-2016-9938)
Closes: #847668
---
debian/patches/AST-2016-009-11.diff | 27 +++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 28 insertions(+)
diff --git a/debian/patches/AST-2016-009-11.diff b/debian/patches/AST-2016-009-11.diff
new file mode 100644
index 0000000..421da37
--- /dev/null
+++ b/debian/patches/AST-2016-009-11.diff
@@ -0,0 +1,27 @@
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 556db57..9c74acb 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -8132,8 +8132,6 @@ static const char *__get_header(const struct sip_request *req, const char *name,
+ * one afterwards. If you shouldn't do it, what absolute idiot decided it was
+ * a good idea to say you can do it, and if you can do it, why in the hell would.
+ * you say you shouldn't.
+- * Anyways, pedanticsipchecking controls whether we allow spaces before ':',
+- * and we always allow spaces after that for compatibility.
+ */
+ const char *sname = find_alias(name, NULL);
+ int x, len = strlen(name), slen = (sname ? 1 : 0);
+@@ -8146,10 +8144,10 @@ static const char *__get_header(const struct sip_request *req, const char *name,
+ if (match || smatch) {
+ /* skip name */
+ const char *r = header + (match ? len : slen );
+- if (sip_cfg.pedanticsipchecking) {
+- r = ast_skip_blanks(r);
++ /* HCOLON has optional SP/HTAB; skip past those */
++ while (*r == ' ' || *r == '\t') {
++ ++r;
+ }
+-
+ if (*r == ':') {
+ *start = x+1;
+ return ast_skip_blanks(r+1);
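Review bot: In the second chan_sip.c hunk, the context line `return ast_skip_blanks(r+1);` still uses ast_skip_blanks() for the whitespace after ':', the same helper this change replaces for the whitespace before it. If the concern named in the commit title (non-printable ASCII characters treated as whitespace) also applies after the colon, the explicit SP/HTAB loop should be used there too; if the difference is intentional, the new comment should say so. The skip before ':' is also no longer conditional on sip_cfg.pedanticsipchecking, and the comment lines that described that option are removed without the replacement comment noting that SP/HTAB before the colon is now accepted in every mode. Separately, the new patch file starts directly at its `diff --git` line; a short header giving the description, origin and the AST-2016-009 / CVE-2016-9938 reference would make it easier to track against upstream later.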
diff --git a/debian/patches/series b/debian/patches/series
index ae39581..ffa18e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,3 +44,4 @@ AST-2016-001-11.diff
AST-2016-002-11.diff
AST-2016-003-11.diff
AST-2016-007.patch
+AST-2016-009-11.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git