[Git][pkg-voip-team/asterisk][upstream/latest] New upstream version 20.5.1~dfsg+~cs6.13.40431414
Jonas Smedegaard (@js)
gitlab at salsa.debian.org
Tue Dec 19 17:29:08 GMT 2023
Jonas Smedegaard pushed to branch upstream/latest at Debian VoIP Packaging Team / asterisk
Commits:
4852c72c by Jonas Smedegaard at 2023-12-19T16:47:26+01:00
New upstream version 20.5.1~dfsg+~cs6.13.40431414
- - - - -
9 changed files:
- .version
- CHANGES.md
- + ChangeLogs/ChangeLog-20.5.1.md
- configs/samples/pjproject.conf.sample
- main/manager.c
- res/res_pjproject.c
- res/res_pjsip_header_funcs.c
- res/res_rtp_asterisk.c
- + third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch
Changes:
=====================================
.version
=====================================
@@ -1 +1 @@
-20.5.0
+20.5.1
=====================================
CHANGES.md
=====================================
@@ -1 +1 @@
-ChangeLogs/ChangeLog-20.5.0.md
\ No newline at end of file
+ChangeLogs/ChangeLog-20.5.1.md
\ No newline at end of file
=====================================
ChangeLogs/ChangeLog-20.5.1.md
=====================================
@@ -0,0 +1,95 @@
+
+Change Log for Release asterisk-20.5.1
+========================================
+
+Links:
+----------------------------------------
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-20.5.1.md)
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/20.5.0...20.5.1)
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-20.5.1.tar.gz)
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)
+
+Summary:
+----------------------------------------
+
+- res_pjsip_header_funcs: Duplicate new header value, don't copy.
+- res_pjsip: disable raw bad packet logging
+- res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+- manager.c: Prevent path traversal with GetConfig.
+
+User Notes:
+----------------------------------------
+
+
+Upgrade Notes:
+----------------------------------------
+
+
+Closed Issues:
+----------------------------------------
+
+None
+
+Commits By Author:
+----------------------------------------
+
+- ### Ben Ford (1):
+ - manager.c: Prevent path traversal with GetConfig.
+
+- ### George Joseph (1):
+ - res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+
+- ### Gitea (1):
+ - res_pjsip_header_funcs: Duplicate new header value, don't copy.
+
+- ### Mike Bradeen (1):
+ - res_pjsip: disable raw bad packet logging
+
+
+Detail:
+----------------------------------------
+
+- ### res_pjsip_header_funcs: Duplicate new header value, don't copy.
+ Author: Gitea
+ Date: 2023-07-10
+
+ When updating an existing header the 'update' code incorrectly
+ just copied the new value into the existing buffer. If the
+ new value exceeded the available buffer size memory outside
+ of the buffer would be written into, potentially causing
+ a crash.
+
+ This change makes it so that the 'update' now duplicates
+ the new header value instead of copying it into the existing
+ buffer.
+
+- ### res_pjsip: disable raw bad packet logging
+ Author: Mike Bradeen
+ Date: 2023-07-25
+
+ Add patch to split the log level for invalid packets received on the
+ signaling port. The warning regarding the packet will move to level 2
+ so that it can still be displayed, while the raw packet will be at level
+ 4.
+
+- ### res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+ Author: George Joseph
+ Date: 2023-11-09
+
+ When ICE is in use, we can prevent a possible DOS attack by allowing
+ DTLS protocol messages (client hello, etc) only from sources that
+ are in the active remote candidates list.
+
+ Resolves: GHSA-hxj9-xwr8-w8pq
+
+- ### manager.c: Prevent path traversal with GetConfig.
+ Author: Ben Ford
+ Date: 2023-11-13
+
+ When using AMI GetConfig, it was possible to access files outside of the
+ Asterisk configuration directory by using filenames with ".." and "./"
+ even while live_dangerously was not enabled. This change resolves the
+ full path and ensures we are still in the configuration directory before
+ attempting to access the file.
+
=====================================
configs/samples/pjproject.conf.sample
=====================================
@@ -38,6 +38,10 @@
; - 5: trace
; - 6: more detailed trace
;
+; Note: setting the pjproject debug level to 4 (debug) or above may result in
+; raw packets being logged. This should only be enabled during active debugging
+; to avoid a potential security issue due to logging injection.
+;
;asterisk_error = ; A comma separated list of pjproject log levels to map to
; Asterisk errors.
; (default: "0,1")
=====================================
main/manager.c
=====================================
@@ -3752,12 +3752,43 @@ void astman_live_dangerously(int new_live_dangerously)
live_dangerously = new_live_dangerously;
}
+/**
+ * \brief Check if a file is restricted or not
+ *
+ * \return 0 on success
+ * \return 1 on restricted file
+ * \return -1 on failure
+ */
static int restrictedFile(const char *filename)
{
- if (!live_dangerously && !strncasecmp(filename, "/", 1) &&
- strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) {
+ char *stripped_filename;
+ RAII_VAR(char *, path, NULL, ast_free);
+ RAII_VAR(char *, real_path, NULL, ast_free);
+
+ if (live_dangerously) {
+ return 0;
+ }
+
+ stripped_filename = ast_strip(ast_strdupa(filename));
+
+ /* If the file path starts with '/', don't prepend ast_config_AST_CONFIG_DIR */
+ if (stripped_filename[0] == '/') {
+ real_path = realpath(stripped_filename, NULL);
+ } else {
+ if (ast_asprintf(&path, "%s/%s", ast_config_AST_CONFIG_DIR, stripped_filename) == -1) {
+ return -1;
+ }
+ real_path = realpath(path, NULL);
+ }
+
+ if (!real_path) {
+ return -1;
+ }
+
+ if (!ast_begins_with(real_path, ast_config_AST_CONFIG_DIR)) {
return 1;
}
+
return 0;
}
@@ -3770,6 +3801,7 @@ static int action_getconfig(struct mansession *s, const struct message *m)
const char *category_name;
int catcount = 0;
int lineno = 0;
+ int ret = 0;
struct ast_category *cur_category = NULL;
struct ast_variable *v;
struct ast_flags config_flags = { CONFIG_FLAG_WITHCOMMENTS | CONFIG_FLAG_NOCACHE };
@@ -3779,9 +3811,13 @@ static int action_getconfig(struct mansession *s, const struct message *m)
return 0;
}
- if (restrictedFile(fn)) {
+ ret = restrictedFile(fn);
+ if (ret == 1) {
astman_send_error(s, m, "File requires escalated priveledges");
return 0;
+ } else if (ret == -1) {
+ astman_send_error(s, m, "Config file not found");
+ return 0;
}
cfg = ast_config_load2(fn, "manager", config_flags);
=====================================
res/res_pjproject.c
=====================================
@@ -398,7 +398,9 @@ static char *handle_pjproject_set_log_level(struct ast_cli_entry *e, int cmd, st
"\n"
" Set the maximum active pjproject logging level.\n"
" See pjproject.conf.sample for additional information\n"
- " about the various levels pjproject uses.\n";
+ " about the various levels pjproject uses.\n"
+ " Note: setting this level at 4 or above may result in\n"
+ " raw packet logging.\n";
return NULL;
case CLI_GENERATE:
return NULL;
=====================================
res/res_pjsip_header_funcs.c
=====================================
@@ -676,6 +676,7 @@ static int add_header(void *obj)
static int update_header(void *obj)
{
struct header_data *data = obj;
+ pj_pool_t *pool = data->channel->session->inv_session->dlg->pool;
pjsip_hdr *hdr = NULL;
RAII_VAR(struct ast_datastore *, datastore,
ast_sip_session_get_datastore(data->channel->session, data->header_datastore->type),
@@ -694,7 +695,7 @@ static int update_header(void *obj)
return -1;
}
- pj_strcpy2(&((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value);
+ pj_strdup2(pool, &((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value);
return 0;
}
=====================================
res/res_rtp_asterisk.c
=====================================
@@ -3179,6 +3179,61 @@ static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t s
ast_debug_dtls(3, "(%p) DTLS - __rtp_recvfrom rtp=%p - Got SSL packet '%d'\n", instance, rtp, *in);
+ /*
+ * If ICE is in use, we can prevent a possible DOS attack
+ * by allowing DTLS protocol messages (client hello, etc)
+ * only from sources that are in the active remote
+ * candidates list.
+ */
+
+ if (rtp->ice) {
+ int pass_src_check = 0;
+ struct ao2_iterator i;
+ struct ast_rtp_engine_ice_candidate *candidate;
+ int cand_cnt = 0;
+
+ /*
+ * You'd think that this check would cause a "deadlock"
+ * because ast_rtp_ice_start_media calls dtls_perform_handshake
+ * before it sets ice_media_started = 1 so how can we do a
+ * handshake if we're dropping packets before we send them
+ * to openssl. Fortunately, dtls_perform_handshake just sets
+ * up openssl to do the handshake and doesn't actually perform it
+ * itself and the locking prevents __rtp_recvfrom from
+ * running before the ice_media_started flag is set. So only
+ * unexpected DTLS packets can get dropped here.
+ */
+ if (!rtp->ice_media_started) {
+ ast_log(LOG_WARNING, "%s: DTLS packet from %s dropped. ICE not completed yet.\n",
+ ast_rtp_instance_get_channel_id(instance),
+ ast_sockaddr_stringify(sa));
+ return 0;
+ }
+
+ /*
+ * If we got this far, then ice_active_remote_candidates
+ * can't be NULL.
+ */
+ i = ao2_iterator_init(rtp->ice_active_remote_candidates, 0);
+ while ((candidate = ao2_iterator_next(&i)) && (cand_cnt < PJ_ICE_MAX_CAND)) {
+ res = ast_sockaddr_cmp_addr(&candidate->address, sa);
+ ao2_ref(candidate, -1);
+ if (res == 0) {
+ pass_src_check = 1;
+ break;
+ }
+ cand_cnt++;
+ }
+ ao2_iterator_destroy(&i);
+
+ if (!pass_src_check) {
+ ast_log(LOG_WARNING, "%s: DTLS packet from %s dropped. Source not in ICE active candidate list.\n",
+ ast_rtp_instance_get_channel_id(instance),
+ ast_sockaddr_stringify(sa));
+ return 0;
+ }
+ }
+
/*
* A race condition is prevented between dtls_perform_handshake()
* and this function because both functions have to get the
=====================================
third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch
=====================================
@@ -0,0 +1,28 @@
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index 4f483faa1..12439e3ee 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -2088,15 +2088,17 @@ PJ_DEF(pj_ssize_t) pjsip_tpmgr_receive_packet( pjsip_tpmgr *mgr,
+ * which were sent to keep NAT bindings.
+ */
+ if (tmp.slen) {
+- PJ_LOG(1, (THIS_FILE,
+- "Error processing %d bytes packet from %s %s:%d %.*s:\n"
+- "%.*s\n"
+- "-- end of packet.",
++ PJ_LOG(2, (THIS_FILE,
++ "Dropping %d bytes packet from %s %s:%d %.*s\n",
+ msg_fragment_size,
+ rdata->tp_info.transport->type_name,
+- rdata->pkt_info.src_name,
++ rdata->pkt_info.src_name,
+ rdata->pkt_info.src_port,
+- (int)tmp.slen, tmp.ptr,
++ (int)tmp.slen, tmp.ptr));
++ PJ_LOG(4, (THIS_FILE,
++ "Dropped packet:"
++ "%.*s\n"
++ "-- end of packet.",
+ (int)msg_fragment_size,
+ rdata->msg_info.msg_buf));
+ }
View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/-/commit/4852c72c601234b0616c38e766ae482f19a1480b
--
View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/-/commit/4852c72c601234b0616c38e766ae482f19a1480b
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/attachments/20231219/bc3578d7/attachment-0001.htm>
More information about the Pkg-voip-maintainers
mailing list