[Git][pkg-voip-team/asterisk][master] 2 commits: AST-2019-002 / AST-2019-003

Bernhard Schmidt gitlab at salsa.debian.org
Sat Jul 13 22:56:30 BST 2019 


Bernhard Schmidt pushed to branch master at Debian VoIP Packaging Team / asterisk


Commits:
4ddffa9d by Bernhard Schmidt at 2019-07-13T21:46:35Z
AST-2019-002 / AST-2019-003

- - - - -
6f330267 by Bernhard Schmidt at 2019-07-13T21:49:22Z
Changelog for 1:16.2.1~dfsg-2

- - - - -


4 changed files:

- debian/changelog
- + debian/patches/AST-2019-002.patch
- + debian/patches/AST-2019-003.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+asterisk (1:16.2.1~dfsg-2) unstable; urgency=high
+
+  * AST-2019-002 / CVE-2019-12827
+    Buffer overflow in res_pjsip_messaging (Closes: #931980)
+  * AST-2019-003 / CVE-2019-13161
+    Remote Crash Vulnerability in chan_sip (Closes: #931981)
+
+ -- Bernhard Schmidt <berni at debian.org>  Sat, 13 Jul 2019 23:47:36 +0200
+
 asterisk (1:16.2.1~dfsg-1) unstable; urgency=medium
 
   * New upstream version 16.2.1~dfsg


=====================================
debian/patches/AST-2019-002.patch
=====================================
@@ -0,0 +1,40 @@
+From 785bf3a755e47d92caef110e6040295764d08127 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph at digium.com>
+Date: Wed, 12 Jun 2019 12:03:04 -0600
+Subject: [PATCH] res_pjsip_messaging:  Check for body in in-dialog message
+
+We now check that a body exists and it has a length > 0 before
+attempting to process it.
+
+ASTERISK-28447
+Reported-by: Gil Richard
+
+Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
+---
+ res/res_pjsip_messaging.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
+index 0e10a8f047..930cf84a53 100644
+--- a/res/res_pjsip_messaging.c
++++ b/res/res_pjsip_messaging.c
+@@ -90,10 +90,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data *
+ 	static const pj_str_t text = { "text", 4};
+ 	static const pj_str_t application = { "application", 11};
+ 
++	if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) {
++		return res;
++	}
++
+ 	/* We'll accept any text/ or application/ content type */
+-	if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
+-		&& (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
+-			|| pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) {
++	if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
++			|| pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) {
+ 		res = PJSIP_SC_OK;
+ 	} else if (rdata->msg_info.ctype
+ 		&& (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0
+-- 
+2.21.0
+


=====================================
debian/patches/AST-2019-003.patch
=====================================
@@ -0,0 +1,39 @@
+From 1e4df0215af4f192ed06a7fc7589c799f1ec6091 Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano at messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 898b646..a609ff8 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -10965,7 +10965,13 @@
+ 			    ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ 	}
+ 
+-	if (portno != -1 || vportno != -1 || tportno != -1) {
++	/* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
++	 * video is not being transported, thus we continue in this function further up if that is
++	 * the case. If we receive an SDP answer containing both a UDPTL stream and another media
++	 * stream however we need to check again to ensure that there is at least one joint codec
++	 * instead of assuming there is one.
++	 */
++	if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ 		/* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ 		   they are acceptable */
+ 		unsigned int framing;


=====================================
debian/patches/series
=====================================
@@ -32,3 +32,8 @@ ffmpeg-includes.patch
 
 build-reproducibly
 autoreconf-pjproject
+
+# AST-2019-002 / CVE-2019-12827
+AST-2019-002.patch
+# AST-2019-003 / CVE-2019-13161
+AST-2019-003.patch



View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/compare/4de73fc4dc7e0afcde179b23d570a18552e85a67...6f330267e33c218bb2afa08d97a72de927918bec

-- 
View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/compare/4de73fc4dc7e0afcde179b23d570a18552e85a67...6f330267e33c218bb2afa08d97a72de927918bec
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/attachments/20190713/2b77a5dc/attachment-0001.html>

More information about the Pkg-voip-maintainers mailing list