Bug#482997: asterisk: Remote Crash Vulnerability in SIP channel driver when run in pedantic mode (CVE-2008-2119)
Faidon Liambotis
paravoid at debian.org
Thu Jun 5 02:14:56 UTC 2008
Hi,
Yet another Asterisk security vulnerability, this time affecting only
1.2, i.e. the version in etch -- lenny and sid are unaffected.
I've attached the diff which has these changes:
* Fix a remote crash vulnerability in chan_sip when running in
pedantic mode (AST-2008-008/CVE-2008-2119).
* Fix chan_iax2 performance regression introduced by upstream in the
previous security update (Closes: #482997).
The diffstat is:
changelog | 9
patches/00list | 2
patches/AST-2008-008.dpatch | 45
patches/security-IAX2-performance.dpatch | 2010 +++++++++++++++++++++
4 files changed, 2066 insertions(+)
patches/security-IAX2-performance.dpatch is in turn
Makefile | 2
astobj2.c | 722 +++++++++++++++++++++++++++++++++++
channels/chan_iax2.c | 493 ++++++++++++++++-------
include/asterisk/astobj2.h | 541 ++++++++++++++++++++++++++
include/asterisk/lock.h | 27 +
utils.c | 11
6 files changed, 1645 insertions(+), 151 deletions(-)
These are changes fixing the IAX2 huge performance regression (as
discussed in #482997); it is unfortunately a very big patch but it is
what upstream recommends and they are as cautious as we are with their
extra-stable branch.
It is, therefore, my opinion that this regression fix should be included
in this security update.
If you, however, feel strongly about it I could split this to two
versions with the one targeted to s-p-u.
This version is /not/ uploaded to security-master yet, because I'm
waiting for your ACK regarding the regression fix.
Thanks,
Faidon
-------------- next part --------------
Name: asterisk-2etch5.diff
Url: http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20080605/2fd6fe9e/attachment-0001.txt