[Git][pkg-voip-team/asterisk][upstream/latest] New upstream version 22.1.1~dfsg+~cs6.14.60671435

Jonas Smedegaard (@js) gitlab at salsa.debian.org
Sun Jan 12 23:16:21 GMT 2025



Jonas Smedegaard pushed to branch upstream/latest at Debian VoIP Packaging Team / asterisk


Commits:
eefd05bb by Jonas Smedegaard at 2025-01-12T20:14:15+01:00
New upstream version 22.1.1~dfsg+~cs6.14.60671435
- - - - -


4 changed files:

- .version
- CHANGES.md
- + ChangeLogs/ChangeLog-22.1.1.md
- main/manager.c


Changes:

=====================================
.version
=====================================
@@ -1 +1 @@
-22.1.0
+22.1.1


=====================================
CHANGES.md
=====================================
@@ -1 +1 @@
-ChangeLogs/ChangeLog-22.1.0.md
\ No newline at end of file
+ChangeLogs/ChangeLog-22.1.1.md
\ No newline at end of file


=====================================
ChangeLogs/ChangeLog-22.1.1.md
=====================================
@@ -0,0 +1,65 @@
+
+## Change Log for Release asterisk-22.1.1
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.1.1.md)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/22.1.0...22.1.1)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.1.1.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+### Summary:
+
+- Commits: 1
+- Commit Authors: 1
+- Issues Resolved: 0
+- Security Advisories Resolved: 1
+  - [GHSA-33x6-fj46-6rfh](https://github.com/asterisk/asterisk/security/advisories/GHSA-33x6-fj46-6rfh): Path traversal via AMI ListCategories allows access to outside files
+
+### User Notes:
+
+- #### manager.c: Restrict ListCategories to the configuration directory.              
+  The ListCategories AMI action now restricts files to the
+  configured configuration directory.
+
+
+### Upgrade Notes:
+
+
+### Commit Authors:
+
+- Ben Ford: (1)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+  - !GHSA-33x6-fj46-6rfh: Path traversal via AMI ListCategories allows access to outside files
+
+### Commits By Author:
+
+- #### Ben Ford (1):
+  - manager.c: Restrict ListCategories to the configuration directory.
+
+
+### Commit List:
+
+-  manager.c: Restrict ListCategories to the configuration directory.
+
+### Commit Details:
+
+#### manager.c: Restrict ListCategories to the configuration directory.
+  Author: Ben Ford
+  Date:   2024-12-17
+
+  When using the ListCategories AMI action, it was possible to traverse
+  upwards through the directories to files outside of the configured
+  configuration directory. This action is now restricted to the configured
+  directory and an error will now be returned if the specified file is
+  outside of this limitation.
+
+  Resolves: #GHSA-33x6-fj46-6rfh
+
+  UserNote: The ListCategories AMI action now restricts files to the
+  configured configuration directory.
+


=====================================
main/manager.c
=====================================
@@ -2561,12 +2561,22 @@ static int action_listcategories(struct mansession *s, const struct message *m)
 	struct ast_category *category = NULL;
 	struct ast_flags config_flags = { CONFIG_FLAG_WITHCOMMENTS | CONFIG_FLAG_NOCACHE };
 	int catcount = 0;
+	int ret = 0;
 
 	if (ast_strlen_zero(fn)) {
 		astman_send_error(s, m, "Filename not specified");
 		return 0;
 	}
 
+	ret = restrictedFile(fn);
+	if (ret == 1) {
+		astman_send_error(s, m, "File requires escalated priveledges");
+		return 0;
+	} else if (ret == -1) {
+		astman_send_error(s, m, "Config file not found");
+		return 0;
+	}
+
 	if (!(cfg = ast_config_load2(fn, "manager", config_flags))) {
 		astman_send_error(s, m, "Config file not found");
 		return 0;
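Review bot: The user-visible string `File requires escalated priveledges` in the `ret == 1` branch misspells "privileges" and, for a change whose stated purpose is rejecting files outside the configuration directory, does not tell the AMI client what was actually refused; something like `File is outside the configuration directory` would match the ChangeLog wording. The boundary check itself is delegated to `restrictedFile()`, which is not part of this hunk, so whether `..` segments, symlinks and absolute paths are canonicalised before the comparison against the configuration directory cannot be confirmed from this diff and should be verified at that function's definition. Note also that the `ret == -1` branch reuses the `Config file not found` message that `ast_config_load2()` failure emits a few lines below, so an unresolvable path and a genuinely missing file are indistinguishable to the caller; that is acceptable, but worth a comment if intentional.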



View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/-/commit/eefd05bbec9f64b57d46abfbf8028b5ccf1ab424
