ACL not respected on SIP INVITE

This is CVE-2009-3723

The attached debdiff resolves this bug and #491637 for Karmic. It's using patches derived from upstream, and builds cleanly. I have tested installation and basic functionality. I have not tried to reproduce the known exploit for one of the bugs.

There is also a minor string change in the ubuntu-banner patch to make the suggested reporting URL more correct.

If this debdiff is accepted into-security, i'll prepare other ones for targeted releases for #491637.

Thanks for the debdiff! It looks good, though I'd prefer:
1. it use http://dep.debian.net/deps/dep3/
2. you remove the unicode from the patch description
3. you not change the banner (edge does work after all)

I don't feel super strongly about fixing the banner, but it seems more like something to just leave alone. Other than these minor changes, it looks great. Thanks for you hard work on this!

Marking Triaged. Please set back to In Progress after resubmitting for Karmic.

Also includes resolution to #493555

Dave,

Thanks again for your patch. It looks great with one exception: the patch file names should be appended to debian/patches/series, not prepended. If you haven't already, I suggest becoming familiar with https://wiki.ubuntu.com/PackagingGuide/Complete which will help you use quilt to manage the series file for you.

I made this change and uploaded to the security PPA. I'll push it out when it is done building.

Thanks again!

Dave,

I forgot to mention, when you submit debdiffs for the other releases, please nominate for release and mark In Progress for each debdiff submitted. Thanks again!

This bug was fixed in the package asterisk - 1:1.6.2.0~rc2-0ubuntu1.1

---------------
asterisk (1:1.6.2.0~rc2-0ubuntu1.1) karmic-security; urgency=low

  * SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
    - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
      check ACL for handling SIP INVITEs. This blocks calls on networks
      intended to be prohibited, by configuration. Based on upstream patch.
    - AST-2009-007
    - CVE-2009-3723
  * SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
    - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
      to stop a specially crafted series of requests returning valid usernames.
      Based on upstream patch.
    - AST-2009-008
    - CVE-2009-3727
  * SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
    - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
      comfort noise payload containing 24 bytes or greater is recieved.
    - AST-2009-010
    - CVE-2009-4055
 -- Dave Walker (Daviey) <email address hidden> Mon, 07 Dec 2009 12:23:36 +0000

This bug was fixed in the package asterisk - 1:1.6.2.0~rc2-0ubuntu2

---------------
asterisk (1:1.6.2.0~rc2-0ubuntu2) lucid; urgency=low

  [ Dave Walker (Daviey) ]
  * SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
    - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
      check ACL for handling SIP INVITEs. This blocks calls on networks
      intended to be prohibited, by configuration. Based on upstream patch.
    - AST-2009-007
    - CVE-2009-3723
  * SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
    - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
      to stop a specially crafted series of requests returning valid usernames.
      Based on upstream patch.
    - AST-2009-008
    - CVE-2009-3727
  * SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
    - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
      comfort noise payload containing 24 bytes or greater is recieved.
    - AST-2009-010
    - CVE-2009-4055

  [ Roberto D'Auria ]
  * debian/patches/iax2-heavy-traffic-fix: Stops asterisk crashing on
    heavy traffic on iax2 channel, editing channels/chan_iax2.c.
    Based on upstream patch. (LP: #501116)
 -- Roberto D'Auria <email address hidden> Wed, 30 Dec 2009 14:49:24 +0100