[Git][pkg-voip-team/asterisk][master] 2 commits: AST-2019-002 / AST-2019-003
Bernhard Schmidt
gitlab at salsa.debian.org
Sat Jul 13 22:56:30 BST 2019
Bernhard Schmidt pushed to branch master at Debian VoIP Packaging Team / asterisk
Commits:
4ddffa9d by Bernhard Schmidt at 2019-07-13T21:46:35Z
AST-2019-002 / AST-2019-003
- - - - -
6f330267 by Bernhard Schmidt at 2019-07-13T21:49:22Z
Changelog for 1:16.2.1~dfsg-2
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/AST-2019-002.patch
- + debian/patches/AST-2019-003.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+asterisk (1:16.2.1~dfsg-2) unstable; urgency=high
+
+ * AST-2019-002 / CVE-2019-12827
+ Buffer overflow in res_pjsip_messaging (Closes: #931980)
+ * AST-2019-003 / CVE-2019-13161
+ Remote Crash Vulnerability in chan_sip (Closes: #931981)
+
+ -- Bernhard Schmidt <berni at debian.org> Sat, 13 Jul 2019 23:47:36 +0200
+
asterisk (1:16.2.1~dfsg-1) unstable; urgency=medium
* New upstream version 16.2.1~dfsg
=====================================
debian/patches/AST-2019-002.patch
=====================================
@@ -0,0 +1,40 @@
+From 785bf3a755e47d92caef110e6040295764d08127 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph at digium.com>
+Date: Wed, 12 Jun 2019 12:03:04 -0600
+Subject: [PATCH] res_pjsip_messaging: Check for body in in-dialog message
+
+We now check that a body exists and it has a length > 0 before
+attempting to process it.
+
+ASTERISK-28447
+Reported-by: Gil Richard
+
+Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
+---
+ res/res_pjsip_messaging.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
+index 0e10a8f047..930cf84a53 100644
+--- a/res/res_pjsip_messaging.c
++++ b/res/res_pjsip_messaging.c
+@@ -90,10 +90,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data *
+ static const pj_str_t text = { "text", 4};
+ static const pj_str_t application = { "application", 11};
+
++ if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) {
++ return res;
++ }
++
+ /* We'll accept any text/ or application/ content type */
+- if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
+- && (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
+- || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) {
++ if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
++ || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) {
+ res = PJSIP_SC_OK;
+ } else if (rdata->msg_info.ctype
+ && (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0
+--
+2.21.0
+
=====================================
debian/patches/AST-2019-003.patch
=====================================
@@ -0,0 +1,39 @@
+From 1e4df0215af4f192ed06a7fc7589c799f1ec6091 Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano at messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 898b646..a609ff8 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -10965,7 +10965,13 @@
+ ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ }
+
+- if (portno != -1 || vportno != -1 || tportno != -1) {
++ /* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
++ * video is not being transported, thus we continue in this function further up if that is
++ * the case. If we receive an SDP answer containing both a UDPTL stream and another media
++ * stream however we need to check again to ensure that there is at least one joint codec
++ * instead of assuming there is one.
++ */
++ if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ /* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ they are acceptable */
+ unsigned int framing;
=====================================
debian/patches/series
=====================================
@@ -32,3 +32,8 @@ ffmpeg-includes.patch
build-reproducibly
autoreconf-pjproject
+
+# AST-2019-002 / CVE-2019-12827
+AST-2019-002.patch
+# AST-2019-003 / CVE-2019-13161
+AST-2019-003.patch
View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/compare/4de73fc4dc7e0afcde179b23d570a18552e85a67...6f330267e33c218bb2afa08d97a72de927918bec
--
View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/compare/4de73fc4dc7e0afcde179b23d570a18552e85a67...6f330267e33c218bb2afa08d97a72de927918bec
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/attachments/20190713/2b77a5dc/attachment-0001.html>
More information about the Pkg-voip-maintainers
mailing list