Untitled

diff -u asterisk-1.4.17~dfsg/debian/patches/series asterisk-1.4.17~dfsg/debian/patches/series
--- asterisk-1.4.17~dfsg/debian/patches/series
+++ asterisk-1.4.17~dfsg/debian/patches/series
@@ -83,0 +84,5 @@
+
+# Ubuntu CVE fixes
+CVE-2008-1289
+CVE-2008-1332
+CVE-2008-1333
diff -u asterisk-1.4.17~dfsg/debian/control asterisk-1.4.17~dfsg/debian/control
--- asterisk-1.4.17~dfsg/debian/control
+++ asterisk-1.4.17~dfsg/debian/control
@@ -1,7 +1,8 @@
 Source: asterisk
 Priority: optional
 Section: comm
-Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
+Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
 Uploaders: Mark Purcell <msp@debian.org>, Kilian Krause <kilian@debian.org>, Tzafrir Cohen <tzafrir.cohen@xorcom.com>, Faidon Liambotis <paravoid@debian.org>
 Build-Depends: debhelper (>= 5), quilt, zlib1g-dev, libreadline5-dev, libgsm1-dev, libssl-dev, libtonezone-dev (>= 1:1.4.1~0), bison, libasound2-dev, libpq-dev, unixodbc-dev, libpri-dev (>= 1.4.1-1), libvpb-dev, zaptel-source (>= 1:1.4.1~0), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev, graphviz, libcurl4-openssl-dev | libcurl-dev, doxygen, gsfonts, libpopt-dev, libopenh323-dev (>= 1.17.4-1), libiksemel-dev, libradiusclient-ng-dev, freetds-dev, libvorbis-dev, libsnmp-dev, libc-client2007-dev | libc-client-dev, libcap-dev
 Standards-Version: 3.7.3
diff -u asterisk-1.4.17~dfsg/debian/changelog asterisk-1.4.17~dfsg/debian/changelog
--- asterisk-1.4.17~dfsg/debian/changelog
+++ asterisk-1.4.17~dfsg/debian/changelog
@@ -1,3 +1,25 @@
+asterisk (1:1.4.17~dfsg-2ubuntu1) hardy; urgency=low
+
+  * SECURITY UPDATE: arbitrary code execution and authentication bypass.
+    (LP: #210124)
+    - debian/patches/CVE-2008-1289: Check that incoming RTP payloads are
+      within buffer limits. Patch from Debian.
+    - debian/patches/CVE-2008-1332: Ensure that allowguest has been enabled
+      before deciding that authentication isn't required. Patch from Debian.
+    - debian/patches/CVE-2008-1333: Interpret logging output as a character
+      string, not a format string. Patch from Debian.
+    - References:
+      + CVE-2008-1289
+      + CVE-2008-1332
+      + CVE-2008-1333
+      + AST-2008-002
+      + AST-2008-003
+      + AST-2008-004
+  * Modify Maintainer value to match the DebianMaintainerField
+    specification.
+
+ -- William Grant <william@qeuni.net>  Sat, 05 Apr 2008 11:32:12 +1100
+
 asterisk (1:1.4.17~dfsg-2build1) hardy; urgency=low

   * Rebuild for libc-client2006j2 -> libc-client2007 transition (LP: #192415).
only in patch2:
unchanged:
--- asterisk-1.4.17~dfsg.orig/debian/patches/CVE-2008-1333
+++ asterisk-1.4.17~dfsg/debian/patches/CVE-2008-1333
@@ -0,0 +1,12 @@
+diff -urNad asterisk-1.4.17~dfsg~/include/asterisk/astobj.h asterisk-1.4.17~dfsg/include/asterisk/astobj.h
+--- asterisk-1.4.17~dfsg~/include/asterisk/astobj.h	2006-02-15 06:14:15.000000000 +1100
++++ asterisk-1.4.17~dfsg/include/asterisk/astobj.h	2008-04-05 11:12:28.000000000 +1100
+@@ -813,7 +813,7 @@
+  * descriptor.
+  */
+ #define ASTOBJ_CONTAINER_DUMP(fd,s,slen,container) \
+-	ASTOBJ_CONTAINER_TRAVERSE(container, 1, do { ASTOBJ_DUMP(s,slen,iterator); ast_cli(fd, s); } while(0))
++	ASTOBJ_CONTAINER_TRAVERSE(container, 1, do { ASTOBJ_DUMP(s,slen,iterator); ast_cli(fd, "%s", s); } while(0))
+
+ #if defined(__cplusplus) || defined(c_plusplus)
+ }
only in patch2:
unchanged:
--- asterisk-1.4.17~dfsg.orig/debian/patches/CVE-2008-1332
+++ asterisk-1.4.17~dfsg/debian/patches/CVE-2008-1332
@@ -0,0 +1,12 @@
+diff -urNad asterisk-1.4.17~dfsg~/channels/chan_sip.c asterisk-1.4.17~dfsg/channels/chan_sip.c
+--- asterisk-1.4.17~dfsg~/channels/chan_sip.c	2008-04-05 11:08:51.000000000 +1100
++++ asterisk-1.4.17~dfsg/channels/chan_sip.c	2008-04-05 11:11:37.000000000 +1100
+@@ -9305,8 +9305,6 @@
+ 			ast_shrink_phone_number(tmp);
+ 		ast_string_field_set(p, cid_num, tmp);
+ 	}
+-	if (ast_strlen_zero(of))
+-		return AUTH_SUCCESSFUL;
+
+ 	if (!authpeer)	/* If we are looking for a peer, don't check the user objects (or realtime) */
+ 		user = find_user(of, 1);
only in patch2:
unchanged:
--- asterisk-1.4.17~dfsg.orig/debian/patches/CVE-2008-1289
+++ asterisk-1.4.17~dfsg/debian/patches/CVE-2008-1289
@@ -0,0 +1,77 @@
+diff -urNad asterisk-1.4.17~dfsg~/channels/chan_sip.c asterisk-1.4.17~dfsg/channels/chan_sip.c
+--- asterisk-1.4.17~dfsg~/channels/chan_sip.c	2008-04-05 11:05:32.000000000 +1100
++++ asterisk-1.4.17~dfsg/channels/chan_sip.c	2008-04-05 11:05:37.000000000 +1100
+@@ -214,6 +214,8 @@
+ #define SIP_MAX_LINES                64               /*!< Max amount of lines in SIP attachment (like SDP) */
+ #define SIP_MAX_PACKET               4096             /*!< Also from RFC 3261 (2543), should sub headers tho */
+
++#define SDP_MAX_RTPMAP_CODECS        32               /*!< Maximum number of codecs allowed in received SDP */
++
+ #define INITIAL_CSEQ                 101              /*!< our initial sip sequence number */
+
+ /*! \brief Global jitterbuffer configuration - by default, jb is disabled */
+@@ -4975,7 +4977,7 @@
+ 	int numberofmediastreams = 0;
+ 	int debug = sip_debug_test_pvt(p);
+
+-	int found_rtpmap_codecs[32];
++	int found_rtpmap_codecs[SDP_MAX_RTPMAP_CODECS];
+ 	int last_rtpmap_codec=0;
+
+ 	if (!p->rtp) {
+@@ -5248,24 +5250,30 @@
+ 			/* We should propably check if this is an audio or video codec
+ 				so we know where to look */
+
+-			/* Note: should really look at the 'freq' and '#chans' params too */
+-			if(ast_rtp_set_rtpmap_type(newaudiortp, codec, "audio", mimeSubtype,
+-					ast_test_flag(&p->flags[0], SIP_G726_NONSTANDARD) ? AST_RTP_OPT_G726_NONSTANDARD : 0) != -1) {
+-				if (debug)
+-					ast_verbose("Found audio description format %s for ID %d\n", mimeSubtype, codec);
+-				found_rtpmap_codecs[last_rtpmap_codec] = codec;
+-				last_rtpmap_codec++;
+-				found = TRUE;
+-
+-			} else if (p->vrtp) {
+-				if(ast_rtp_set_rtpmap_type(newvideortp, codec, "video", mimeSubtype, 0) != -1) {
++			if (last_rtpmap_codec < SDP_MAX_RTPMAP_CODECS) {
++				/* Note: should really look at the 'freq' and '#chans' params too */
++				if(ast_rtp_set_rtpmap_type(newaudiortp, codec, "audio", mimeSubtype,
++							   ast_test_flag(&p->flags[0], SIP_G726_NONSTANDARD) ? AST_RTP_OPT_G726_NONSTANDARD : 0) != -1) {
+ 					if (debug)
+-						ast_verbose("Found video description format %s for ID %d\n", mimeSubtype, codec);
++						ast_verbose("Found audio description format %s for ID %d\n", mimeSubtype, codec);
+ 					found_rtpmap_codecs[last_rtpmap_codec] = codec;
+ 					last_rtpmap_codec++;
+ 					found = TRUE;
++
++				} else if (p->vrtp) {
++					if(ast_rtp_set_rtpmap_type(newvideortp, codec, "video", mimeSubtype, 0) != -1) {
++						if (debug)
++							ast_verbose("Found video description format %s for ID %d\n", mimeSubtype, codec);
++						found_rtpmap_codecs[last_rtpmap_codec] = codec;
++						last_rtpmap_codec++;
++						found = TRUE;
++					}
+ 				}
++			} else {
++				if (debug)
++					ast_verbose("Discarded description format %s for ID %d\n", mimeSubtype, codec);
+ 			}
++
+ 			if (!found) {
+ 				/* Remove this codec since it's an unknown media type for us */
+ 				/* XXX This is buggy since the media line for audio and video can have the
+diff -urNad asterisk-1.4.17~dfsg~/main/rtp.c asterisk-1.4.17~dfsg/main/rtp.c
+--- asterisk-1.4.17~dfsg~/main/rtp.c	2007-12-11 03:36:15.000000000 +1100
++++ asterisk-1.4.17~dfsg/main/rtp.c	2008-04-05 11:05:37.000000000 +1100
+@@ -1645,6 +1645,9 @@
+     an unknown media type */
+ void ast_rtp_unset_m_type(struct ast_rtp* rtp, int pt)
+ {
++	if (pt < 0 || pt > MAX_RTP_PT)
++		return; /* bogus payload type */
++
+ 	ast_mutex_lock(&rtp->bridge_lock);
+ 	rtp->current_RTP_PT[pt].isAstFormat = 0;
+ 	rtp->current_RTP_PT[pt].code = 0;