debdiff for asterisk in Jessie CVE-2015-3008

Thorsten Alteholz alteholz at debian.org
Sun Apr 24 20:23:37 UTC 2016


Hi everybody,

attached is the debdiff to fix CVE-2015-3008 in the Jessie version of
asterisk [1].
The packages for testing are available at [2].

   Thorsten

[1] https://security-tracker.debian.org/tracker/source-package/asterisk
[2] https://people.debian.org/~alteholz/packages/jessie-security/asterisk/
-------------- next part --------------
diff -Nru asterisk-11.13.1~dfsg/debian/changelog asterisk-11.13.1~dfsg/debian/changelog
--- asterisk-11.13.1~dfsg/debian/changelog	2015-01-01 00:25:18.000000000 +0100
+++ asterisk-11.13.1~dfsg/debian/changelog	2016-04-24 19:18:20.000000000 +0200
@@ -1,3 +1,18 @@
+asterisk (1:11.13.1~dfsg-2+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Wheezy LTS Team. 
+  * CVE-2015-3008 (in AST-2015-003-11.6.diff)
+    Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x 
+    before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 
+    before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 
+    13.1-cert2, when registering a SIP TLS device, does not properly 
+    handle a null byte in a domain name in the subject's Common Name (CN) 
+    field of an X.509 certificate, which allows man-in-the-middle 
+    attackers to spoof arbitrary SSL servers via a crafted certificate 
+    issued by a legitimate Certification Authority.
+ 
+ -- Thorsten Alteholz <debian at alteholz.de>  Sun, 24 Apr 2016 19:03:02 +0200
+
 asterisk (1:11.13.1~dfsg-2) testing-proposed-updates; urgency=high
 
   * New upstream release: fixes AST-2014-011 (CVE-2014-3566, POODLE).
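Review bot: The attribution line "* Non-maintainer upload by the Wheezy LTS Team." does not match the upload it describes, which targets jessie-security with a +deb8u1 version; this reads like a wheezy template and should name the team actually doing the Jessie security update. The CVE bullet reproduces the advisory description but never says what the change does; one line such as "Reject certificate Common Names whose C string length differs from the UTF-8 length returned by ASN1_STRING_to_UTF8 (embedded NUL bytes)" would tell a reader what AST-2015-003-11.6.diff checks. Several of the added lines, including the otherwise empty "+ " separator, also carry trailing whitespace that the existing entries do not.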
diff -Nru asterisk-11.13.1~dfsg/debian/patches/AST-2015-003-11.6.diff asterisk-11.13.1~dfsg/debian/patches/AST-2015-003-11.6.diff
--- asterisk-11.13.1~dfsg/debian/patches/AST-2015-003-11.6.diff	1970-01-01 01:00:00.000000000 +0100
+++ asterisk-11.13.1~dfsg/debian/patches/AST-2015-003-11.6.diff	2016-04-24 19:13:06.000000000 +0200
@@ -0,0 +1,22 @@
+Index: asterisk-11.13.1~dfsg/main/tcptls.c
+===================================================================
+--- asterisk-11.13.1~dfsg.orig/main/tcptls.c	2016-04-24 19:13:02.000000000 +0200
++++ asterisk-11.13.1~dfsg/main/tcptls.c	2016-04-24 19:13:02.000000000 +0200
+@@ -639,9 +639,15 @@
+ 							break;
+ 						}
+ 						str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
+-						ASN1_STRING_to_UTF8(&str2, str);
++						ret = ASN1_STRING_to_UTF8(&str2, str);
++						if (ret < 0) {
++							continue;
++						}
++
+ 						if (str2) {
+-							if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
++							if (strlen((char *) str2) != ret) {
++								ast_log(LOG_WARNING, "Invalid certificate common name length (contains NULL bytes?)\n");
++							} else if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
+ 								found = 1;
+ 							}
+ 							ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
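Review bot: The `ret` assigned at `ret = ASN1_STRING_to_UTF8(&str2, str);` is not declared anywhere in this hunk, and the hunk (9 lines becoming 15) is the whole change to tcptls.c, so the build depends on an integer `ret` already being in scope in this function; please confirm that, and that the upstream AST-2015-003 change did not carry a declaration this backport drops. The check `strlen((char *) str2) != ret` compares size_t with int; it is safe because the `ret < 0` test just above excludes negative values, but a cast to size_t would keep -Wsign-compare quiet. The patch file also has no DEP-3 header (Description, Origin, Bug) ahead of the `Index:` line, so nothing inside the file records that it is the upstream AST-2015-003 fix for CVE-2015-3008; the file name and the changelog are currently the only links.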
diff -Nru asterisk-11.13.1~dfsg/debian/patches/series asterisk-11.13.1~dfsg/debian/patches/series
--- asterisk-11.13.1~dfsg/debian/patches/series	2014-12-31 23:27:15.000000000 +0100
+++ asterisk-11.13.1~dfsg/debian/patches/series	2016-04-24 19:12:53.000000000 +0200
@@ -39,3 +39,5 @@
 AST-2014-017.patch
 AST-2014-018.patch
 AST-2014-019.patch
+
+AST-2015-003-11.6.diff
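Review bot: The empty line added ahead of `+AST-2015-003-11.6.diff` is unneeded in debian/patches/series; the existing entries follow one another directly, and this blank would be the only one in the file. Drop it and append the patch name immediately after AST-2014-019.patch.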


More information about the Pkg-voip-maintainers mailing list