[Git][pkg-voip-team/asterisk][stretch] 5 commits: ASTERISK-26606.patch: from branch 13 in git
Bernhard Schmidt
gitlab at salsa.debian.org
Tue Jan 2 19:35:58 UTC 2018
Bernhard Schmidt pushed to branch stretch at Debian VoIP Packaging Team / asterisk
Commits:
d3a0a3d4 by Tzafrir Cohen at 2017-12-16T07:39:10+02:00
ASTERISK-26606.patch: from branch 13 in git
- - - - -
e2c61b70 by Tzafrir Cohen at 2017-12-16T07:39:58+02:00
ASTERISK-26606.patch: adapt patch and add
Remove a white space hunk that was removed in a later commit.
- - - - -
bed9fb7f by Tzafrir Cohen at 2017-12-29T16:11:27+02:00
Closes #884345
- - - - -
82823d17 by Tzafrir Cohen at 2017-12-29T16:26:11+02:00
changelog: ASTERISK-26606.patch closes #883767
- - - - -
97214ab3 by Tzafrir Cohen at 2017-12-29T16:28:07+02:00
Release 1:13.14.1~dfsg-2+deb9u3
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/ASTERISK-26606.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-asterisk (1:13.14.1~dfsg-2+deb9u3) UNRELEASED; urgency=medium
+asterisk (1:13.14.1~dfsg-2+deb9u3) stretch-security; urgency=medium
[ Tzafrir Cohen ]
* AST-2017-009: ignored for the record.
@@ -6,17 +6,18 @@ asterisk (1:13.14.1~dfsg-2+deb9u3) UNRELEASED; urgency=medium
(Closes: #881257)
* AST-2017-011 / CVE-2017-16672: Memory/File Descriptor/RTP leak in
pjsip session resource (Closes: #881256)
- * AST-2017-012 / CVE-2017-???: Remote Crash Vulnerability in RTCP Stack
- (Closes: #???)
+ * AST-2017-012 / CVE-2017-17664: Remote Crash Vulnerability in RTCP Stack
+ (Closes: #884345)
* AST-2017-013 / CVE-2017-17090: DoS (memory leak) in chan_skinny
(Closes: #883342)
+ * ASTERISK-26606.patch: fix openssl error reporting (Closes: #883767)
* debian/.gitignore: typo
* gbp.conf: set branch name
[ Bernhard Schmidt ]
* Drop duplicate filter line from d/gbp.conf
- -- Tzafrir Cohen <tzafrir at debian.org> Wed, 13 Dec 2017 22:10:34 +0200
+ -- Tzafrir Cohen <tzafrir at debian.org> Fri, 29 Dec 2017 16:27:08 +0200
asterisk (1:13.14.1~dfsg-2+deb9u2) stretch-security; urgency=high
=====================================
debian/patches/ASTERISK-26606.patch
=====================================
--- /dev/null
+++ b/debian/patches/ASTERISK-26606.patch
@@ -0,0 +1,157 @@
+From 6fba0a41f06c257032e572f1876b51c19ef54b6a Mon Sep 17 00:00:00 2001
+From: Joshua Colp <jcolp at digium.com>
+Date: Tue, 9 May 2017 15:34:49 +0000
+Subject: [PATCH] tcptls: Improve error messages for TLS connections.
+
+This change uses the functions provided by OpenSSL to query
+and better construct error messages for situations where
+the connection encounters a problem.
+
+ASTERISK-26606
+
+Change-Id: I7ae40ce88c0dc4e185c4df1ceb3a6ccc198f075b
+---
+ main/tcptls.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 59 insertions(+), 8 deletions(-)
+
+diff --git a/main/tcptls.c b/main/tcptls.c
+index 3fd3c53122..7e09e66611 100644
+--- a/main/tcptls.c
++++ b/main/tcptls.c
+@@ -83,6 +83,39 @@ struct ast_tcptls_stream {
+ int exclusive_input;
+ };
+
++#if defined(DO_SSL)
++AST_THREADSTORAGE(err2str_threadbuf);
++#define ERR2STR_BUFSIZE 128
++
++static const char *ssl_error_to_string(int sslerr, int ret)
++{
++ switch (sslerr) {
++ case SSL_ERROR_SSL:
++ return "Internal SSL error";
++ case SSL_ERROR_SYSCALL:
++ if (!ret) {
++ return "System call EOF";
++ } else if (ret == -1) {
++ char *buf;
++
++ buf = ast_threadstorage_get(&err2str_threadbuf, ERR2STR_BUFSIZE);
++ if (!buf) {
++ return "Unknown";
++ }
++
++ snprintf(buf, ERR2STR_BUFSIZE, "Underlying BIO error: %s", strerror(errno));
++ return buf;
++ } else {
++ return "System call other";
++ }
++ default:
++ break;
++ }
++
++ return "Unknown";
++}
++#endif
++
+ void ast_tcptls_stream_set_timeout_disable(struct ast_tcptls_stream *stream)
+ {
+ ast_assert(stream != NULL);
+@@ -151,12 +184,17 @@ static HOOK_T tcptls_stream_read(void *cookie, char *buf, LEN_T size)
+ #if defined(DO_SSL)
+ if (stream->ssl) {
+ for (;;) {
++ int sslerr;
++ char err[256];
++
+ res = SSL_read(stream->ssl, buf, size);
+ if (0 < res) {
+ /* We read some payload data. */
+ return res;
+ }
+- switch (SSL_get_error(stream->ssl, res)) {
++
++ sslerr = SSL_get_error(stream->ssl, res);
++ switch (sslerr) {
+ case SSL_ERROR_ZERO_RETURN:
+ /* Report EOF for a shutdown */
+ ast_debug(1, "TLS clean shutdown alert reading data\n");
+@@ -204,7 +242,8 @@ static HOOK_T tcptls_stream_read(void *cookie, char *buf, LEN_T size)
+ break;
+ default:
+ /* Report EOF for an undecoded SSL or transport error. */
+- ast_debug(1, "TLS transport or SSL error reading data\n");
++ ast_debug(1, "TLS transport or SSL error reading data: %s, %s\n", ERR_error_string(sslerr, err),
++ ssl_error_to_string(sslerr, res));
+ return 0;
+ }
+ if (!ms) {
+@@ -279,6 +318,9 @@ static HOOK_T tcptls_stream_write(void *cookie, const char *buf, LEN_T size)
+ written = 0;
+ remaining = size;
+ for (;;) {
++ int sslerr;
++ char err[256];
++
+ res = SSL_write(stream->ssl, buf + written, remaining);
+ if (res == remaining) {
+ /* Everything was written. */
+@@ -290,7 +332,8 @@ static HOOK_T tcptls_stream_write(void *cookie, const char *buf, LEN_T size)
+ remaining -= res;
+ continue;
+ }
+- switch (SSL_get_error(stream->ssl, res)) {
++ sslerr = SSL_get_error(stream->ssl, res);
++ switch (sslerr) {
+ case SSL_ERROR_ZERO_RETURN:
+ ast_debug(1, "TLS clean shutdown alert writing data\n");
+ if (written) {
+@@ -319,7 +362,8 @@ static HOOK_T tcptls_stream_write(void *cookie, const char *buf, LEN_T size)
+ break;
+ default:
+ /* Undecoded SSL or transport error. */
+- ast_debug(1, "TLS transport or SSL error writing data\n");
++ ast_debug(1, "TLS transport or SSL error writing data: %s, %s\n", ERR_error_string(sslerr, err),
++ ssl_error_to_string(sslerr, res));
+ if (written) {
+ /* Report partial write. */
+ return written;
+@@ -396,8 +440,11 @@ static int tcptls_stream_close(void *cookie)
+ */
+ res = SSL_shutdown(stream->ssl);
+ if (res < 0) {
+- ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n",
+- SSL_get_error(stream->ssl, res));
++ int sslerr = SSL_get_error(stream->ssl, res);
++ char err[256];
++
++ ast_log(LOG_ERROR, "SSL_shutdown() failed: %s, %s\n",
++ ERR_error_string(sslerr, err), ssl_error_to_string(sslerr, res));
+ }
+
+ #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+@@ -604,7 +652,6 @@ static void *handle_tcptls_connection(void *data)
+ #ifdef DO_SSL
+ int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
+ int ret;
+- char err[256];
+ #endif
+
+ /* TCP/TLS connections are associated with external protocols, and
+@@ -642,7 +689,11 @@ static void *handle_tcptls_connection(void *data)
+ else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
+ SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
+ if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
+- ast_log(LOG_ERROR, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
++ char err[256];
++ int sslerr = SSL_get_error(tcptls_session->ssl, ret);
++
++ ast_log(LOG_ERROR, "Problem setting up ssl connection: %s, %s\n", ERR_error_string(sslerr, err),
++ ssl_error_to_string(sslerr, ret));
+ } else if ((tcptls_session->f = tcptls_stream_fopen(tcptls_session->stream_cookie,
+ tcptls_session->ssl, tcptls_session->fd, -1))) {
+ if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
+--
+2.11.0
+
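Review bot: `ERR_error_string(sslerr, err)` at the four new call sites (the ast_debug in tcptls_stream_read, the one in tcptls_stream_write, the SSL_shutdown() ast_log in tcptls_stream_close and the ssl_setup ast_log in handle_tcptls_connection) is handed the small SSL_ERROR_* value returned by SSL_get_error(), but ERR_error_string() expects a packed code from the OpenSSL error queue, so the text it produces will describe lib/func/reason 0 or 1 rather than the actual failure; the removed line in handle_tcptls_connection had it right with `ERR_error_string(ERR_get_error(), err)`, and all four sites should use that, preferably `ERR_error_string_n(ERR_get_error(), err, sizeof(err))` so the 256-byte bound on `err` is explicit. In ssl_error_to_string(), `strerror(errno)` is evaluated only after ast_threadstorage_get(), which may allocate the per-thread buffer on first use and so can overwrite errno; capture it on entry with `int saved_errno = errno;` and format `strerror(saved_errno)` instead. Every inner hunk cuts through its enclosing function (tcptls_stream_read, tcptls_stream_write, tcptls_stream_close and handle_tcptls_connection each start or end outside the hunk).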
=====================================
debian/patches/series
=====================================
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -46,6 +46,9 @@ pjsip_unresolved_symbol.patch
# Bug#875450 - chan_sip: One way audio when transcoding
875450-chan_sip-oneway-audio.patch
+# Bug#8837 - backport correct and improved notification of TLS connection error:
+ASTERISK-26606.patch
+
AST-2017-004.patch
AST-2017-005-13.13.diff
AST-2017-006-13.diff
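Review bot: The comment on the new series line reads `# Bug#8837 - …` while the changelog entry in this same push and the commit message record the bug as #883767, so the number here looks truncated; change it to `# Bug#883767 - backport correct and improved notification of TLS connection error`. The trailing colon is also unlike the neighbouring `# Bug#875450 - …` comment and introduces nothing, so it can be dropped.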