Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- diff -u asterisk-1.4.17~dfsg/debian/patches/series asterisk-1.4.17~dfsg/debian/patches/series
- --- asterisk-1.4.17~dfsg/debian/patches/series
- +++ asterisk-1.4.17~dfsg/debian/patches/series
- @@ -83,0 +84,5 @@
- +
- +# Ubuntu CVE fixes
- +CVE-2008-1289
- +CVE-2008-1332
- +CVE-2008-1333
- diff -u asterisk-1.4.17~dfsg/debian/control asterisk-1.4.17~dfsg/debian/control
- --- asterisk-1.4.17~dfsg/debian/control
- +++ asterisk-1.4.17~dfsg/debian/control
- @@ -1,7 +1,8 @@
- Source: asterisk
- Priority: optional
- Section: comm
- -Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
- +Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
- +XSBC-Original-Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
- Uploaders: Mark Purcell <msp@debian.org>, Kilian Krause <kilian@debian.org>, Tzafrir Cohen <tzafrir.cohen@xorcom.com>, Faidon Liambotis <paravoid@debian.org>
- Build-Depends: debhelper (>= 5), quilt, zlib1g-dev, libreadline5-dev, libgsm1-dev, libssl-dev, libtonezone-dev (>= 1:1.4.1~0), bison, libasound2-dev, libpq-dev, unixodbc-dev, libpri-dev (>= 1.4.1-1), libvpb-dev, zaptel-source (>= 1:1.4.1~0), autotools-dev, libnewt-dev, libsqlite-dev, libspeex-dev, graphviz, libcurl4-openssl-dev | libcurl-dev, doxygen, gsfonts, libpopt-dev, libopenh323-dev (>= 1.17.4-1), libiksemel-dev, libradiusclient-ng-dev, freetds-dev, libvorbis-dev, libsnmp-dev, libc-client2007-dev | libc-client-dev, libcap-dev
- Standards-Version: 3.7.3
- diff -u asterisk-1.4.17~dfsg/debian/changelog asterisk-1.4.17~dfsg/debian/changelog
- --- asterisk-1.4.17~dfsg/debian/changelog
- +++ asterisk-1.4.17~dfsg/debian/changelog
- @@ -1,3 +1,25 @@
- +asterisk (1:1.4.17~dfsg-2ubuntu1) hardy; urgency=low
- +
- + * SECURITY UPDATE: arbitrary code execution and authentication bypass.
- + (LP: #210124)
- + - debian/patches/CVE-2008-1289: Check that incoming RTP payloads are
- + within buffer limits. Patch from Debian.
- + - debian/patches/CVE-2008-1332: Ensure that allowguest has been enabled
- + before deciding that authentication isn't required. Patch from Debian.
- + - debian/patches/CVE-2008-1333: Interpret logging output as a character
- + string, not a format string. Patch from Debian.
- + - References:
- + + CVE-2008-1289
- + + CVE-2008-1332
- + + CVE-2008-1333
- + + AST-2008-002
- + + AST-2008-003
- + + AST-2008-004
- + * Modify Maintainer value to match the DebianMaintainerField
- + specification.
- +
- + -- William Grant <william@qeuni.net> Sat, 05 Apr 2008 11:32:12 +1100
- +
- asterisk (1:1.4.17~dfsg-2build1) hardy; urgency=low
- * Rebuild for libc-client2006j2 -> libc-client2007 transition (LP: #192415).
- only in patch2:
- unchanged:
- --- asterisk-1.4.17~dfsg.orig/debian/patches/CVE-2008-1333
- +++ asterisk-1.4.17~dfsg/debian/patches/CVE-2008-1333
- @@ -0,0 +1,12 @@
- +diff -urNad asterisk-1.4.17~dfsg~/include/asterisk/astobj.h asterisk-1.4.17~dfsg/include/asterisk/astobj.h
- +--- asterisk-1.4.17~dfsg~/include/asterisk/astobj.h 2006-02-15 06:14:15.000000000 +1100
- ++++ asterisk-1.4.17~dfsg/include/asterisk/astobj.h 2008-04-05 11:12:28.000000000 +1100
- +@@ -813,7 +813,7 @@
- + * descriptor.
- + */
- + #define ASTOBJ_CONTAINER_DUMP(fd,s,slen,container) \
- +- ASTOBJ_CONTAINER_TRAVERSE(container, 1, do { ASTOBJ_DUMP(s,slen,iterator); ast_cli(fd, s); } while(0))
- ++ ASTOBJ_CONTAINER_TRAVERSE(container, 1, do { ASTOBJ_DUMP(s,slen,iterator); ast_cli(fd, "%s", s); } while(0))
- +
- + #if defined(__cplusplus) || defined(c_plusplus)
- + }
- only in patch2:
- unchanged:
- --- asterisk-1.4.17~dfsg.orig/debian/patches/CVE-2008-1332
- +++ asterisk-1.4.17~dfsg/debian/patches/CVE-2008-1332
- @@ -0,0 +1,12 @@
- +diff -urNad asterisk-1.4.17~dfsg~/channels/chan_sip.c asterisk-1.4.17~dfsg/channels/chan_sip.c
- +--- asterisk-1.4.17~dfsg~/channels/chan_sip.c 2008-04-05 11:08:51.000000000 +1100
- ++++ asterisk-1.4.17~dfsg/channels/chan_sip.c 2008-04-05 11:11:37.000000000 +1100
- +@@ -9305,8 +9305,6 @@
- + ast_shrink_phone_number(tmp);
- + ast_string_field_set(p, cid_num, tmp);
- + }
- +- if (ast_strlen_zero(of))
- +- return AUTH_SUCCESSFUL;
- +
- + if (!authpeer) /* If we are looking for a peer, don't check the user objects (or realtime) */
- + user = find_user(of, 1);
- only in patch2:
- unchanged:
- --- asterisk-1.4.17~dfsg.orig/debian/patches/CVE-2008-1289
- +++ asterisk-1.4.17~dfsg/debian/patches/CVE-2008-1289
- @@ -0,0 +1,77 @@
- +diff -urNad asterisk-1.4.17~dfsg~/channels/chan_sip.c asterisk-1.4.17~dfsg/channels/chan_sip.c
- +--- asterisk-1.4.17~dfsg~/channels/chan_sip.c 2008-04-05 11:05:32.000000000 +1100
- ++++ asterisk-1.4.17~dfsg/channels/chan_sip.c 2008-04-05 11:05:37.000000000 +1100
- +@@ -214,6 +214,8 @@
- + #define SIP_MAX_LINES 64 /*!< Max amount of lines in SIP attachment (like SDP) */
- + #define SIP_MAX_PACKET 4096 /*!< Also from RFC 3261 (2543), should sub headers tho */
- +
- ++#define SDP_MAX_RTPMAP_CODECS 32 /*!< Maximum number of codecs allowed in received SDP */
- ++
- + #define INITIAL_CSEQ 101 /*!< our initial sip sequence number */
- +
- + /*! \brief Global jitterbuffer configuration - by default, jb is disabled */
- +@@ -4975,7 +4977,7 @@
- + int numberofmediastreams = 0;
- + int debug = sip_debug_test_pvt(p);
- +
- +- int found_rtpmap_codecs[32];
- ++ int found_rtpmap_codecs[SDP_MAX_RTPMAP_CODECS];
- + int last_rtpmap_codec=0;
- +
- + if (!p->rtp) {
- +@@ -5248,24 +5250,30 @@
- + /* We should propably check if this is an audio or video codec
- + so we know where to look */
- +
- +- /* Note: should really look at the 'freq' and '#chans' params too */
- +- if(ast_rtp_set_rtpmap_type(newaudiortp, codec, "audio", mimeSubtype,
- +- ast_test_flag(&p->flags[0], SIP_G726_NONSTANDARD) ? AST_RTP_OPT_G726_NONSTANDARD : 0) != -1) {
- +- if (debug)
- +- ast_verbose("Found audio description format %s for ID %d\n", mimeSubtype, codec);
- +- found_rtpmap_codecs[last_rtpmap_codec] = codec;
- +- last_rtpmap_codec++;
- +- found = TRUE;
- +-
- +- } else if (p->vrtp) {
- +- if(ast_rtp_set_rtpmap_type(newvideortp, codec, "video", mimeSubtype, 0) != -1) {
- ++ if (last_rtpmap_codec < SDP_MAX_RTPMAP_CODECS) {
- ++ /* Note: should really look at the 'freq' and '#chans' params too */
- ++ if(ast_rtp_set_rtpmap_type(newaudiortp, codec, "audio", mimeSubtype,
- ++ ast_test_flag(&p->flags[0], SIP_G726_NONSTANDARD) ? AST_RTP_OPT_G726_NONSTANDARD : 0) != -1) {
- + if (debug)
- +- ast_verbose("Found video description format %s for ID %d\n", mimeSubtype, codec);
- ++ ast_verbose("Found audio description format %s for ID %d\n", mimeSubtype, codec);
- + found_rtpmap_codecs[last_rtpmap_codec] = codec;
- + last_rtpmap_codec++;
- + found = TRUE;
- ++
- ++ } else if (p->vrtp) {
- ++ if(ast_rtp_set_rtpmap_type(newvideortp, codec, "video", mimeSubtype, 0) != -1) {
- ++ if (debug)
- ++ ast_verbose("Found video description format %s for ID %d\n", mimeSubtype, codec);
- ++ found_rtpmap_codecs[last_rtpmap_codec] = codec;
- ++ last_rtpmap_codec++;
- ++ found = TRUE;
- ++ }
- + }
- ++ } else {
- ++ if (debug)
- ++ ast_verbose("Discarded description format %s for ID %d\n", mimeSubtype, codec);
- + }
- ++
- + if (!found) {
- + /* Remove this codec since it's an unknown media type for us */
- + /* XXX This is buggy since the media line for audio and video can have the
- +diff -urNad asterisk-1.4.17~dfsg~/main/rtp.c asterisk-1.4.17~dfsg/main/rtp.c
- +--- asterisk-1.4.17~dfsg~/main/rtp.c 2007-12-11 03:36:15.000000000 +1100
- ++++ asterisk-1.4.17~dfsg/main/rtp.c 2008-04-05 11:05:37.000000000 +1100
- +@@ -1645,6 +1645,9 @@
- + an unknown media type */
- + void ast_rtp_unset_m_type(struct ast_rtp* rtp, int pt)
- + {
- ++ if (pt < 0 || pt > MAX_RTP_PT)
- ++ return; /* bogus payload type */
- ++
- + ast_mutex_lock(&rtp->bridge_lock);
- + rtp->current_RTP_PT[pt].isAstFormat = 0;
- + rtp->current_RTP_PT[pt].code = 0;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement