[Git][pkg-voip-team/asterisk][upstream/latest] New upstream version 20.5.1~dfsg+~cs6.13.40431414

Jonas Smedegaard (@js) gitlab at salsa.debian.org
Tue Dec 19 17:29:08 GMT 2023



Jonas Smedegaard pushed to branch upstream/latest at Debian VoIP Packaging Team / asterisk


Commits:
4852c72c by Jonas Smedegaard at 2023-12-19T16:47:26+01:00
New upstream version 20.5.1~dfsg+~cs6.13.40431414
- - - - -


9 changed files:

- .version
- CHANGES.md
- + ChangeLogs/ChangeLog-20.5.1.md
- configs/samples/pjproject.conf.sample
- main/manager.c
- res/res_pjproject.c
- res/res_pjsip_header_funcs.c
- res/res_rtp_asterisk.c
- + third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch


Changes:

=====================================
.version
=====================================
@@ -1 +1 @@
-20.5.0
+20.5.1


=====================================
CHANGES.md
=====================================
@@ -1 +1 @@
-ChangeLogs/ChangeLog-20.5.0.md
\ No newline at end of file
+ChangeLogs/ChangeLog-20.5.1.md
\ No newline at end of file


=====================================
ChangeLogs/ChangeLog-20.5.1.md
=====================================
@@ -0,0 +1,95 @@
+
+Change Log for Release asterisk-20.5.1
+========================================
+
+Links:
+----------------------------------------
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-20.5.1.md)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/20.5.0...20.5.1)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-20.5.1.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+Summary:
+----------------------------------------
+
+- res_pjsip_header_funcs: Duplicate new header value, don't copy.
+- res_pjsip: disable raw bad packet logging
+- res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+- manager.c: Prevent path traversal with GetConfig.
+
+User Notes:
+----------------------------------------
+
+
+Upgrade Notes:
+----------------------------------------
+
+
+Closed Issues:
+----------------------------------------
+
+None
+
+Commits By Author:
+----------------------------------------
+
+- ### Ben Ford (1):
+  - manager.c: Prevent path traversal with GetConfig.
+
+- ### George Joseph (1):
+  - res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+
+- ### Gitea (1):
+  - res_pjsip_header_funcs: Duplicate new header value, don't copy.
+
+- ### Mike Bradeen (1):
+  - res_pjsip: disable raw bad packet logging
+
+
+Detail:
+----------------------------------------
+
+- ### res_pjsip_header_funcs: Duplicate new header value, don't copy.
+  Author: Gitea  
+  Date:   2023-07-10  
+
+  When updating an existing header the 'update' code incorrectly
+  just copied the new value into the existing buffer. If the
+  new value exceeded the available buffer size memory outside
+  of the buffer would be written into, potentially causing
+  a crash.
+
+  This change makes it so that the 'update' now duplicates
+  the new header value instead of copying it into the existing
+  buffer.
+
+- ### res_pjsip: disable raw bad packet logging
+  Author: Mike Bradeen  
+  Date:   2023-07-25  
+
+  Add patch to split the log level for invalid packets received on the
+  signaling port.  The warning regarding the packet will move to level 2
+  so that it can still be displayed, while the raw packet will be at level
+  4.
+
+- ### res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
+  Author: George Joseph  
+  Date:   2023-11-09  
+
+  When ICE is in use, we can prevent a possible DOS attack by allowing
+  DTLS protocol messages (client hello, etc) only from sources that
+  are in the active remote candidates list.
+
+  Resolves: GHSA-hxj9-xwr8-w8pq
+
+- ### manager.c: Prevent path traversal with GetConfig.
+  Author: Ben Ford  
+  Date:   2023-11-13  
+
+  When using AMI GetConfig, it was possible to access files outside of the
+  Asterisk configuration directory by using filenames with ".." and "./"
+  even while live_dangerously was not enabled. This change resolves the
+  full path and ensures we are still in the configuration directory before
+  attempting to access the file.
+


=====================================
configs/samples/pjproject.conf.sample
=====================================
@@ -38,6 +38,10 @@
 ;  - 5: trace
 ;  - 6: more detailed trace
 ;
+; Note:  setting the pjproject debug level to 4 (debug) or above may result in
+; raw packets being logged. This should only be enabled during active debugging
+; to avoid a potential security issue due to logging injection.
+;
 ;asterisk_error =    ; A comma separated list of pjproject log levels to map to
                      ; Asterisk errors.
                      ; (default: "0,1")


=====================================
main/manager.c
=====================================
@@ -3752,12 +3752,43 @@ void astman_live_dangerously(int new_live_dangerously)
 	live_dangerously = new_live_dangerously;
 }
 
+/**
+ * \brief Check if a file is restricted or not
+ *
+ * \return 0 on success
+ * \return 1 on restricted file
+ * \return -1 on failure
+ */
 static int restrictedFile(const char *filename)
 {
-	if (!live_dangerously && !strncasecmp(filename, "/", 1) &&
-		 strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) {
+	char *stripped_filename;
+	RAII_VAR(char *, path, NULL, ast_free);
+	RAII_VAR(char *, real_path, NULL, ast_free);
+
+	if (live_dangerously) {
+		return 0;
+	}
+
+	stripped_filename = ast_strip(ast_strdupa(filename));
+
+	/* If the file path starts with '/', don't prepend ast_config_AST_CONFIG_DIR */
+	if (stripped_filename[0] == '/') {
+		real_path = realpath(stripped_filename, NULL);
+	} else {
+		if (ast_asprintf(&path, "%s/%s", ast_config_AST_CONFIG_DIR, stripped_filename) == -1) {
+			return -1;
+		}
+		real_path = realpath(path, NULL);
+	}
+
+	if (!real_path) {
+		return -1;
+	}
+
+	if (!ast_begins_with(real_path, ast_config_AST_CONFIG_DIR)) {
 		return 1;
 	}
+
 	return 0;
 }
 
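Review bot: The final test in restrictedFile, `ast_begins_with(real_path, ast_config_AST_CONFIG_DIR)`, is a plain string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the configuration directory's name is accepted as being inside it. Compare up to a path separator instead, e.g. `size_t n = strlen(ast_config_AST_CONFIG_DIR);` followed by `if (strncmp(real_path, ast_config_AST_CONFIG_DIR, n) || (real_path[n] != '/' && real_path[n] != '\0')) return 1;`. The configured directory is compared unresolved, so if it is a symlink or carries a trailing slash the comparison will not line up with the realpath() output; resolving it with realpath() before the boundary check would cover both. `real_path` is allocated by libc realpath() but released through `ast_free`; confirm that is valid in allocator-debugging builds, where a libc-level free such as `ast_std_free` may be needed.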
@@ -3770,6 +3801,7 @@ static int action_getconfig(struct mansession *s, const struct message *m)
 	const char *category_name;
 	int catcount = 0;
 	int lineno = 0;
+	int ret = 0;
 	struct ast_category *cur_category = NULL;
 	struct ast_variable *v;
 	struct ast_flags config_flags = { CONFIG_FLAG_WITHCOMMENTS | CONFIG_FLAG_NOCACHE };
@@ -3779,9 +3811,13 @@ static int action_getconfig(struct mansession *s, const struct message *m)
 		return 0;
 	}
 
-	if (restrictedFile(fn)) {
+	ret = restrictedFile(fn);
+	if (ret == 1) {
 		astman_send_error(s, m, "File requires escalated priveledges");
 		return 0;
+	} else if (ret == -1) {
+		astman_send_error(s, m, "Config file not found");
+		return 0;
 	}
 
 	cfg = ast_config_load2(fn, "manager", config_flags);
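Review bot: The restriction check and the load work on different resolutions of the name: `restrictedFile(fn)` validates a realpath()-resolved copy, while `ast_config_load2(fn, "manager", config_flags)` is handed the original `fn` and resolves it again. Either return the resolved path from the check and load that, or record the gap at the call with a comment such as `/* restrictedFile() checked the resolved path; fn is resolved again by the loader */`. The `-1` branch also answers "Config file not found" when the failure inside restrictedFile was an allocation error. Any other caller outside this hunk that still tests `if (restrictedFile(fn))` would now treat -1 as "restricted", which is worth checking. action_getconfig starts and ends outside the hunk.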


=====================================
res/res_pjproject.c
=====================================
@@ -398,7 +398,9 @@ static char *handle_pjproject_set_log_level(struct ast_cli_entry *e, int cmd, st
 			"\n"
 			"       Set the maximum active pjproject logging level.\n"
 			"       See pjproject.conf.sample for additional information\n"
-			"       about the various levels pjproject uses.\n";
+			"       about the various levels pjproject uses.\n"
+			"       Note: setting this level at 4 or above may result in\n"
+			"       raw packet logging.\n";
 		return NULL;
 	case CLI_GENERATE:
 		return NULL;


=====================================
res/res_pjsip_header_funcs.c
=====================================
@@ -676,6 +676,7 @@ static int add_header(void *obj)
 static int update_header(void *obj)
 {
 	struct header_data *data = obj;
+	pj_pool_t *pool = data->channel->session->inv_session->dlg->pool;
 	pjsip_hdr *hdr = NULL;
 	RAII_VAR(struct ast_datastore *, datastore,
 			 ast_sip_session_get_datastore(data->channel->session, data->header_datastore->type),
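Review bot: The new initializer `pj_pool_t *pool = data->channel->session->inv_session->dlg->pool;` dereferences four pointers at declaration, before update_header has validated anything. Whether `inv_session` or `dlg` can be NULL when this runs is not visible here; if they can, this line crashes before the existing error returns are reached. Consider fetching the pool after those checks, or add a comment stating why the chain is always valid at this point. The function body continues outside the hunk.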
@@ -694,7 +695,7 @@ static int update_header(void *obj)
 		return -1;
 	}
 
-	pj_strcpy2(&((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value);
+	pj_strdup2(pool, &((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value);
 
 	return 0;
 }
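Review bot: `pj_strdup2(pool, ...)` removes the out-of-bounds write but takes each new value from the dialog pool, and pool memory is only returned when the pool itself is released, so the previous `hvalue` buffer stays allocated for the life of the dialog. That is harmless for occasional updates but grows with every update of the same header. A short comment would record the trade-off, e.g. `/* Duplicate into the dialog pool; the old value is reclaimed only when the pool is released. */`. The start of update_header is outside this hunk.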


=====================================
res/res_rtp_asterisk.c
=====================================
@@ -3179,6 +3179,61 @@ static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t s
 
 		ast_debug_dtls(3, "(%p) DTLS - __rtp_recvfrom rtp=%p - Got SSL packet '%d'\n", instance, rtp, *in);
 
+		/*
+		 * If ICE is in use, we can prevent a possible DOS attack
+		 * by allowing DTLS protocol messages (client hello, etc)
+		 * only from sources that are in the active remote
+		 * candidates list.
+		 */
+
+		if (rtp->ice) {
+			int pass_src_check = 0;
+			struct ao2_iterator i;
+			struct ast_rtp_engine_ice_candidate *candidate;
+			int cand_cnt = 0;
+
+			/*
+			 * You'd think that this check would cause a "deadlock"
+			 * because ast_rtp_ice_start_media calls dtls_perform_handshake
+			 * before it sets ice_media_started = 1 so how can we do a
+			 * handshake if we're dropping packets before we send them
+			 * to openssl.  Fortunately, dtls_perform_handshake just sets
+			 * up openssl to do the handshake and doesn't actually perform it
+			 * itself and the locking prevents __rtp_recvfrom from
+			 * running before the ice_media_started flag is set.  So only
+			 * unexpected DTLS packets can get dropped here.
+			 */
+			if (!rtp->ice_media_started) {
+				ast_log(LOG_WARNING, "%s: DTLS packet from %s dropped. ICE not completed yet.\n",
+					ast_rtp_instance_get_channel_id(instance),
+					ast_sockaddr_stringify(sa));
+				return 0;
+			}
+
+			/*
+			 * If we got this far, then ice_active_remote_candidates
+			 * can't be NULL.
+			 */
+			i = ao2_iterator_init(rtp->ice_active_remote_candidates, 0);
+			while ((candidate = ao2_iterator_next(&i)) && (cand_cnt < PJ_ICE_MAX_CAND)) {
+				res = ast_sockaddr_cmp_addr(&candidate->address, sa);
+				ao2_ref(candidate, -1);
+				if (res == 0) {
+					pass_src_check = 1;
+					break;
+				}
+				cand_cnt++;
+			}
+			ao2_iterator_destroy(&i);
+
+			if (!pass_src_check) {
+				ast_log(LOG_WARNING, "%s: DTLS packet from %s dropped. Source not in ICE active candidate list.\n",
+					ast_rtp_instance_get_channel_id(instance),
+					ast_sockaddr_stringify(sa));
+				return 0;
+			}
+		}
+
 		/*
 		 * A race condition is prevented between dtls_perform_handshake()
 		 * and this function because both functions have to get the
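Review bot: The candidate loop can leak a reference: in `while ((candidate = ao2_iterator_next(&i)) && (cand_cnt < PJ_ICE_MAX_CAND))` the iterator returns a referenced candidate before the count is tested, so when the limit ends the loop that candidate never reaches `ao2_ref(candidate, -1)`. Testing the bound first avoids it: `while ((cand_cnt < PJ_ICE_MAX_CAND) && (candidate = ao2_iterator_next(&i)))`. Separately, both drop paths call `ast_log(LOG_WARNING, ...)` once per packet for a sender-chosen source, so the traffic being filtered can itself fill the log; a debug-level or rate-limited message would keep the signal without that cost. `ast_sockaddr_cmp_addr` appears to compare the address without the port, and the "can't be NULL" comment on `ice_active_remote_candidates` is not backed by a check; both are worth confirming. __rtp_recvfrom starts and ends outside the hunk.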


=====================================
third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch
=====================================
@@ -0,0 +1,28 @@
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index 4f483faa1..12439e3ee 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -2088,15 +2088,17 @@ PJ_DEF(pj_ssize_t) pjsip_tpmgr_receive_packet( pjsip_tpmgr *mgr,
+              * which were sent to keep NAT bindings.
+              */
+             if (tmp.slen) {
+-                PJ_LOG(1, (THIS_FILE, 
+-                      "Error processing %d bytes packet from %s %s:%d %.*s:\n"
+-                      "%.*s\n"
+-                      "-- end of packet.",
++                PJ_LOG(2, (THIS_FILE,
++                      "Dropping %d bytes packet from %s %s:%d %.*s\n",
+                       msg_fragment_size,
+                       rdata->tp_info.transport->type_name,
+-                      rdata->pkt_info.src_name, 
++                      rdata->pkt_info.src_name,
+                       rdata->pkt_info.src_port,
+-                      (int)tmp.slen, tmp.ptr,
++                      (int)tmp.slen, tmp.ptr));
++                PJ_LOG(4, (THIS_FILE,
++                      "Dropped packet:"
++                      "%.*s\n"
++                      "-- end of packet.",
+                       (int)msg_fragment_size,
+                       rdata->msg_info.msg_buf));
+             }
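Review bot: The level-2 "Dropping" message still formats `tmp.ptr` through `%.*s`, and `tmp` is filled outside this hunk. If it holds text derived from the received packet (for example a parse-error description that quotes a header), peer-controlled bytes still reach the log below level 4. Confirm what `tmp` contains and, if needed, move that field into the level-4 message as well. In the level-4 message the literals `"Dropped packet:"` and `"%.*s\n"` concatenate with no separator, so the raw packet starts on the label's line; `"Dropped packet:\n"` would keep the original layout.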



View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/-/commit/4852c72c601234b0616c38e766ae482f19a1480b
