[Git][pkg-voip-team/asterisk][debian/latest] 4 commits: New upstream version 22.1.1~dfsg+~cs6.14.60671435
Jonas Smedegaard (@js)
gitlab at salsa.debian.org
Sun Jan 12 23:16:19 GMT 2025
Jonas Smedegaard pushed to branch debian/latest at Debian VoIP Packaging Team / asterisk
Commits:
eefd05bb by Jonas Smedegaard at 2025-01-12T20:14:15+01:00
New upstream version 22.1.1~dfsg+~cs6.14.60671435
- - - - -
b3d9f301 by Jonas Smedegaard at 2025-01-12T20:14:40+01:00
Update upstream source from tag 'upstream/22.1.1_dfsg+_cs6.14.60671435'
Update to upstream version '22.1.1~dfsg+~cs6.14.60671435'
with Debian dir 26eda23eadb283a70ae28c5e04cf71dd8718934b
- - - - -
eaf3b070 by Jonas Smedegaard at 2025-01-12T20:19:21+01:00
update git-buildpackage config: avoid variable abstraction in usage comment
- - - - -
f48ebe7f by Jonas Smedegaard at 2025-01-13T00:01:52+01:00
update changelog and copyright hints
- - - - -
7 changed files:
- .version
- CHANGES.md
- + ChangeLogs/ChangeLog-22.1.1.md
- debian/changelog
- debian/copyright_hints
- debian/gbp.conf
- main/manager.c
Changes:
=====================================
.version
=====================================
@@ -1 +1 @@
-22.1.0
+22.1.1
=====================================
CHANGES.md
=====================================
@@ -1 +1 @@
-ChangeLogs/ChangeLog-22.1.0.md
\ No newline at end of file
+ChangeLogs/ChangeLog-22.1.1.md
\ No newline at end of file
=====================================
ChangeLogs/ChangeLog-22.1.1.md
=====================================
@@ -0,0 +1,65 @@
+
+## Change Log for Release asterisk-22.1.1
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.1.1.md)
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/22.1.0...22.1.1)
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.1.1.tar.gz)
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)
+
+### Summary:
+
+- Commits: 1
+- Commit Authors: 1
+- Issues Resolved: 0
+- Security Advisories Resolved: 1
+ - [GHSA-33x6-fj46-6rfh](https://github.com/asterisk/asterisk/security/advisories/GHSA-33x6-fj46-6rfh): Path traversal via AMI ListCategories allows access to outside files
+
+### User Notes:
+
+- #### manager.c: Restrict ListCategories to the configuration directory.
+ The ListCategories AMI action now restricts files to the
+ configured configuration directory.
+
+
+### Upgrade Notes:
+
+
+### Commit Authors:
+
+- Ben Ford: (1)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+ - !GHSA-33x6-fj46-6rfh: Path traversal via AMI ListCategories allows access to outside files
+
+### Commits By Author:
+
+- #### Ben Ford (1):
+ - manager.c: Restrict ListCategories to the configuration directory.
+
+
+### Commit List:
+
+- manager.c: Restrict ListCategories to the configuration directory.
+
+### Commit Details:
+
+#### manager.c: Restrict ListCategories to the configuration directory.
+ Author: Ben Ford
+ Date: 2024-12-17
+
+ When using the ListCategories AMI action, it was possible to traverse
+ upwards through the directories to files outside of the configured
+ configuration directory. This action is now restricted to the configured
+ directory and an error will now be returned if the specified file is
+ outside of this limitation.
+
+ Resolves: #GHSA-33x6-fj46-6rfh
+
+ UserNote: The ListCategories AMI action now restricts files to the
+ configured configuration directory.
+
=====================================
debian/changelog
=====================================
@@ -1,3 +1,16 @@
+asterisk (1:22.1.1~dfsg+~cs6.14.60671435-1) unstable; urgency=medium
+
+ [ upstream ]
+ * new release
+ + Restrict ListCategories to the configuration directory;
+ CVE-2024-53566
+
+ [ Jonas Smedegaard ]
+ * update git-buildpackage config:
+ + avoid variable abstraction in usage comment
+
+ -- Jonas Smedegaard <dr at jones.dk> Mon, 13 Jan 2025 00:01:35 +0100
+
asterisk (1:22.1.0~dfsg+~cs6.14.60671435-1) unstable; urgency=medium
[ upstream ]
=====================================
debian/copyright_hints
=====================================
@@ -8,6 +8,7 @@ Files: BSDmakefile
BUGS
ChangeLogs/ChangeLog-22.0.0.md
ChangeLogs/ChangeLog-22.1.0.md
+ ChangeLogs/ChangeLog-22.1.1.md
README-SERIOUSLY.bestpractices.md
SECURITY.md
Xamr/README.md
=====================================
debian/gbp.conf
=====================================
@@ -1,4 +1,4 @@
-# clone this source: gbp clone $PKG_GIT_URL
+# clone this source: gbp clone vcsgit:asterisk
# update this source: gbp pull
# import upstream release: gbp import-orig --uscan
# build package: gbp buildpackage
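Review bot: the replacement usage line `gbp clone vcsgit:asterisk` swaps the `$PKG_GIT_URL` placeholder for a `vcsgit:` pseudo-scheme that git only resolves if the reader has a matching `url.<base>.insteadOf` rewrite in their git config, so for anyone without that alias the comment is no more copy-pasteable than before. Consider either spelling out the full salsa URL or adding a second comment line naming the `insteadOf` rewrite the alias depends on.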
=====================================
main/manager.c
=====================================
@@ -2561,12 +2561,22 @@ static int action_listcategories(struct mansession *s, const struct message *m)
struct ast_category *category = NULL;
struct ast_flags config_flags = { CONFIG_FLAG_WITHCOMMENTS | CONFIG_FLAG_NOCACHE };
int catcount = 0;
+ int ret = 0;
if (ast_strlen_zero(fn)) {
astman_send_error(s, m, "Filename not specified");
return 0;
}
+ ret = restrictedFile(fn);
+ if (ret == 1) {
+ astman_send_error(s, m, "File requires escalated priveledges");
+ return 0;
+ } else if (ret == -1) {
+ astman_send_error(s, m, "Config file not found");
+ return 0;
+ }
+
if (!(cfg = ast_config_load2(fn, "manager", config_flags))) {
astman_send_error(s, m, "Config file not found");
return 0;
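Review bot: the user-facing error string in the new `if (ret == 1)` branch misspells "privileges" ("File requires escalated priveledges"); fix the spelling before it ships, since AMI clients and log parsers may match on this text. On the logic, the guard only handles `ret == 1` and `ret == -1`, so if `restrictedFile()` can return any other non-zero value the request falls through to `ast_config_load2()` and the restriction is bypassed; a fail-closed shape such as `if (ret != 0)` with the two specific messages as sub-cases is safer. Also `restrictedFile` is camelCase where the surrounding code (`action_listcategories`, `ast_strlen_zero`, `astman_send_error`) is snake_case, and the meaning of its 1 and -1 return values is undocumented at the call site; a one-line comment there would help.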
View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/-/compare/a606e9475aaff90197fd6bc1fae3f03fa1231ac2...f48ebe7f0ccfe3468ff2dc3e995847e9797a41c3