Bug#394025: CVE-2006-5444: Remote compromise in chan_skinny

Ben Hutchings ben at decadent.org.uk
Sat Nov 25 17:20:59 UTC 2006


Enough stalling.  Here's a debdiff for a sarge security update.  I have
tested that the warning message is certainly triggered by the bogus
length values Adam found.  I *think* the bug may only be exploitable on
64-bit systems, as read() calls seem to fail immediately where the
length would result in wrapping around the virtual address space.  I
don't have a 64-bit system to test on.

I removed the letohl() calls because the function doesn't exist in
Asterisk 1.0.7 and it wouldn't fix the whole problem (and I don't know
quite what would need to be changed to do so).  If any of the so-called
"maintainers" actually care about this package they could perhaps
arrange to disable chan_skinny on big-endian platforms in this security
update, since it can't work properly and the endian bugs might pose
other security problems.

Ben.

diff -u asterisk-1.0.7.dfsg.1/debian/patches/00list asterisk-1.0.7.dfsg.1/debian/patches/00list
--- asterisk-1.0.7.dfsg.1/debian/patches/00list
+++ asterisk-1.0.7.dfsg.1/debian/patches/00list
@@ -18,0 +19,1 @@
+99_CVE-2006-5444.dpatch
diff -u asterisk-1.0.7.dfsg.1/debian/changelog asterisk-1.0.7.dfsg.1/debian/changelog
--- asterisk-1.0.7.dfsg.1/debian/changelog
+++ asterisk-1.0.7.dfsg.1/debian/changelog
@@ -1,3 +1,12 @@
+asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high
+
+  * Non-maintainer upload
+  * Backported fix for buffer overflow in chan_skinny driver
+    induced by an undetected integer underflow
+    [debian/patches/99_CVE-2006-5444.dpatch] (Closes: #394025)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 25 Nov 2006 16:12:26 +0000
+
 asterisk (1:1.0.7.dfsg.1-2sarge3) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
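Review bot: the changelog entry records only the overflow fix, while the dpatch header in this same upload also claims `## DP: Remove bogus mutex unlock in case it can cause denial of service.`; the dropped `ast_mutex_unlock(&s->lock)` is a behaviour change in its own right and should get its own bullet here so that the security update's record matches what the patch actually does.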
only in patch2:
unchanged:
--- asterisk-1.0.7.dfsg.1.orig/debian/patches/99_CVE-2006-5444.dpatch
+++ asterisk-1.0.7.dfsg.1/debian/patches/99_CVE-2006-5444.dpatch
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2006-5444.dpatch by <ben at decadent.org.uk>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer overflow in chan_skinny driver induced by an undetected
+## DP: integer underflow (CVE-2006-5444).
+## DP: Remove bogus mutex unlock in case it can cause denial of service.
+
+ at DPATCH@
+--- asterisk-1.0.7.dfsg.1/channels/chan_skinny.c.orig	2006-10-20 00:10:49.000000000 +0000
++++ asterisk-1.0.7.dfsg.1/channels/chan_skinny.c	2006-10-20 00:16:37.000000000 +0000
+@@ -2305,10 +2305,14 @@
+ 			return -1;
+ 		}
+ 		dlen = *(int *)s->inbuf;
++		if (dlen < 0) {
++			ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
++			return -1;
++		}
+ 		if (dlen+8 > sizeof(s->inbuf))
+ 			dlen = sizeof(s->inbuf) - 8;
++		*(int *)s->inbuf = dlen;
+ 		res = read(s->fd, s->inbuf+4, dlen+4);
+-		ast_mutex_unlock(&s->lock);
+ 		if (res != (dlen+4)) {
+ 			ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n");
+ 			return -1;
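Review bot: the removal of `ast_mutex_unlock(&s->lock)` is not justified by anything visible in the hunk; no matching `ast_mutex_lock` appears in the context, so whether the unlock is really unbalanced, or whether dropping it leaves `s->lock` held on the `return -1` paths that follow, cannot be checked from here and should be confirmed against the rest of the function before this ships. Two smaller points on the length handling: the new `if (dlen < 0)` test closes the underflow, but the following `if (dlen+8 > sizeof(s->inbuf))` still computes `dlen+8` in `int`, which overflows for `dlen` within 8 of `INT_MAX`; writing it as `if ((size_t)dlen > sizeof(s->inbuf) - 8)` avoids that and keeps both sides of the comparison unsigned. And the added `*(int *)s->inbuf = dlen;` rewrites the client-supplied length in place after clamping with no comment saying why the clamped value has to be written back; a one-line comment there would save the next reader a trip through the call chain.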
-- END --

-- 
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.
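The length-check bypass described in the message above (a bogus, negative length slipping past the `dlen+8 > sizeof(s->inbuf)` clamp and reaching read() as a huge count), as an added example that is not part of the original message, the Debian patch, or Asterisk: it models the pre-fix arithmetic next to the post-fix check. `INBUF_SIZE`, the function names and the sample length fields are assumptions made here for illustration.

```c
/* Added example, not code from Asterisk or from the Debian patch: a model of
 * the length handling in chan_skinny's read path, showing how a negative
 * 32-bit length gets past the size clamp and turns into a read() count near
 * SIZE_MAX, next to a hardened version of the same check. INBUF_SIZE and the
 * function names are assumptions for illustration. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INBUF_SIZE 1024 /* assumed; the real size of s->inbuf is not on the page */

/* Decode the 4-byte little-endian length at the start of a Skinny message as
 * a signed int, which is how the original code interprets it (on a
 * little-endian host *(int *)s->inbuf yields the same value). */
static int skinny_decode_len(const unsigned char hdr[4])
{
    uint32_t u = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                 ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    return (int)(int32_t)u;
}

/* Pre-fix logic, mirroring
 *   if (dlen+8 > sizeof(s->inbuf)) dlen = sizeof(s->inbuf) - 8;
 *   read(s->fd, s->inbuf+4, dlen+4);
 * Returns the count that would be handed to read(). dlen+8 is an int compared
 * against a size_t, so it is converted to unsigned first: for dlen in -8..-5
 * dlen+8 is 0..3, the clamp does not fire, and the negative dlen+4 becomes a
 * value near SIZE_MAX once it is passed to read(). Do not call with dlen
 * within 8 of INT_MAX; dlen+8 overflows there, just as in the original. */
static size_t skinny_read_count_vuln(int dlen)
{
    if ((size_t)(dlen + 8) > INBUF_SIZE)
        dlen = INBUF_SIZE - 8;
    return (size_t)(dlen + 4);
}

/* Post-fix logic: a negative length is rejected before any arithmetic, and
 * the clamp compares in size_t so a dlen close to INT_MAX cannot overflow.
 * Returns 0 and sets *count on success, -1 if the length is invalid. */
static int skinny_read_count_fixed(int dlen, size_t *count)
{
    if (dlen < 0)
        return -1;                   /* "Skinny Client sent invalid data" */
    if ((size_t)dlen > INBUF_SIZE - 8)
        dlen = INBUF_SIZE - 8;
    *count = (size_t)dlen + 4;       /* always <= INBUF_SIZE - 4 */
    return 0;
}

int main(void)
{
    /* Constructed Skinny length fields (little-endian), not captured traffic. */
    const unsigned char hdrs[][4] = {
        {0x64, 0x00, 0x00, 0x00}, /* 100: a normal message */
        {0xfb, 0xff, 0xff, 0xff}, /* -5: the underflow case */
        {0xf7, 0xff, 0xff, 0xff}, /* -9: the clamp happens to catch this one */
        {0x88, 0x13, 0x00, 0x00}, /* 5000: oversized, clamped */
    };
    for (size_t i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++) {
        int dlen = skinny_decode_len(hdrs[i]);
        size_t fixed = 0;
        int ok = skinny_read_count_fixed(dlen, &fixed);
        printf("dlen=%6d  pre-fix read count=%zu  post-fix: ", dlen,
               skinny_read_count_vuln(dlen));
        if (ok == 0)
            printf("read count=%zu\n", fixed);
        else
            printf("rejected\n");
    }
    return 0;
}
```

The pre-fix function shows the window that matters: lengths from -8 to -5 pass the clamp unchanged and reach read() as counts of SIZE_MAX-3 to SIZE_MAX, while -9 and below happen to be caught because dlen+8 goes negative and converts to a huge unsigned value. The hardened version rejects every negative length up front and does the remaining comparison in size_t, so the clamp is correct for the whole int range.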
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20061125/98203d0e/attachment.pgp
