Stack Buffer Overflow in HTTP Manager

Bug #956581 reported by Paul Belanger
Affects: asterisk (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Paul Belanger
Milestone:

Bug Description

An attacker attempting to connect to an HTTP session of the Asterisk Manager Interface can send an arbitrarily long string value for HTTP Digest Authentication. This causes a stack buffer overflow, with the possibility of remote code injection.

http://downloads.asterisk.org/pub/security/AST-2012-003.html
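The description above is the whole of what this report says about the flaw: a header value of attacker-chosen length is copied into a fixed-size buffer on the stack. The following C program is an added illustration of the defensive pattern, not Asterisk's code and not the AST-2012-003 patch. It parses a Digest-style parameter list (constructed sample input), copies the requested field into a fixed stack buffer only after checking that it fits, and rejects the request otherwise; the limit DIGEST_VALUE_MAX and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical upper bound for one Digest field value (not an Asterisk constant). */
#define DIGEST_VALUE_MAX 256

/* Scratch buffer used by the demonstration below. */
static char scratch[DIGEST_VALUE_MAX];

/* Extract the value of `key` from a Digest parameter list such as
 *   username="alice", realm="asterisk", nonce="abc123"
 * into out (capacity outlen), unquoted and NUL-terminated.
 * Returns the value length, -1 if the key is absent or malformed,
 * -2 if the value would not fit.  The unsafe pattern this replaces
 * is an unbounded strcpy()/sprintf() of the value into `out`. */
int digest_get_field(const char *hdr, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = hdr;

    while ((p = strstr(p, key)) != NULL) {
        /* Only match a key that starts a parameter and is followed by '='. */
        int at_start = (p == hdr) || p[-1] == ' ' || p[-1] == ',';
        if (at_start && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end;
            size_t vlen;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
                if (end == NULL)
                    return -1;          /* unterminated quoted-string */
            } else {
                end = v;
                while (*end && *end != ',')
                    end++;
            }
            vlen = (size_t)(end - v);
            if (vlen + 1 > outlen)
                return -2;              /* reject instead of overflowing */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p += klen;
    }
    return -1;
}

/* Server-side handler with a fixed-size stack buffer for the username.
 * Returns 0 when the field was accepted, -1 when missing, -2 when too long. */
int handle_digest_username(const char *hdr)
{
    char username[DIGEST_VALUE_MAX];    /* fixed-size stack buffer */
    int n = digest_get_field(hdr, "username", username, sizeof username);
    if (n < 0)
        return n;
    return 0;
}

/* Build a constructed header whose username value is n bytes of 'A'. */
static char g_hdr[DIGEST_VALUE_MAX * 20];
const char *make_oversized_header(size_t n)
{
    const char *prefix = "username=\"";
    const char *suffix = "\", realm=\"asterisk\"";
    size_t cap = sizeof g_hdr - strlen(prefix) - strlen(suffix) - 1;
    size_t off = strlen(prefix);
    if (n > cap)
        n = cap;
    memcpy(g_hdr, prefix, off);
    memset(g_hdr + off, 'A', n);
    off += n;
    memcpy(g_hdr + off, suffix, strlen(suffix) + 1);
    return g_hdr;
}

int main(void)
{
    printf("normal value: %d\n",
           handle_digest_username("username=\"alice\", realm=\"asterisk\""));
    printf("oversized value: %d\n",
           handle_digest_username(make_oversized_header(4000)));
    return 0;
}
```

The important property is that the length check happens before any byte reaches the stack buffer, so an oversized value is reported as a parse error rather than overwriting adjacent stack data.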


Changed in asterisk (Ubuntu):
status: New → Confirmed
assignee: nobody → Paul Belanger (pabelanger)
Paul Belanger (pabelanger) wrote :

This actually fixes 6 issues. I've uploaded the patch here, since a packaging branch does not exist.
---
 * debian/patches/AST-2011-012.diff:
   - Remote crash vulnerability in SIP channel driver (LP: #956578)
 * debian/patches/AST-2011-013.diff:
   - Possible remote enumeration of SIP endpoints with differing NAT
     settings (LP: #956576)
 * debian/patches/AST-2011-014.diff:
   - Remote crash possibility with SIP and the “automon” feature
     enabled (LP: #956574)
 * debian/patches/AST-2012-01.diff:
   - SRTP Video Remote Crash Vulnerability (LP: #956572)
 * debian/patches/AST-2012-002.diff:
   - Remote Crash Vulnerability in Milliwatt Application (LP: #956580)
 * debian/patches/AST-2012-003.diff:
   - Stack Buffer Overflow in HTTP Manager (LP: #956581)

Paul Belanger (pabelanger) wrote :
Steve Beattie (sbeattie)
visibility: private → public
Steve Beattie (sbeattie) wrote :

Hi Paul,

When compiling with your added patches, a new compiler warning pops up:

+chan_sip.c: In function 'parse_register_contact':
+chan_sip.c:13312:2: warning: implicit declaration of function 'parse_uri_legacy_check' [-Wimplicit-function-declaration]

grepping through the source, I don't see parse_uri_legacy_check() referenced anywhere except in debian/patches/AST-2011-012.diff; is this actually correct? Was this function added after 1.8.4.4?

I've updated your debdiff to include DEP-3 references and CVE references in the changelog, it's attached. If you end up re-submitting, can you please base off it?

Thanks.

Changed in asterisk (Ubuntu):
status: Confirmed → Incomplete
Paul Belanger (pabelanger) wrote :

Odd, I don't remember seeing that when I compiled. Let me try testing the patch and make any changes.

Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe once there is something to review. Thanks!

Jamie Strandboge (jdstrand) wrote :

(also unsubscribed ubuntu-sponsors; feel free to add it again too, when ready)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.8.10.1~dfsg-1ubuntu1

---------------
asterisk (1:1.8.10.1~dfsg-1ubuntu1) precise; urgency=low

  * Merge from Debian unstable. (LP: #987772, #956578, #956580, #956581)
  * Remaining changes:
    - debian/asterisk.init: chown /dev/dahdi
    - debian/backports/hardy: add file
    - debian/backports/asterisk.init.hardy: add file
    - Fix building on armhf with debian/patches/armhf-fixes:
      + Flatten linux-gnueabihf in configure to linux-gnu, in
        the same way that's already done for linux-gnueabi
  * Changes dropped from Ubuntu delta as no longer applicable:
    - debian/patches/backport-r312866.diff: Backported from upstream
    - debian/control: Build-depend on hardening-wrapper, now handled
      by dpkg-buildflags
    - debian/rules: Make use of hardening-wrapper

asterisk (1:1.8.10.1~dfsg-1) unstable; urgency=low

  [ Victor Seva ]
  * Update backports/squeeze script gmime2.6 -> gmime2.4

  [ Tzafrir Cohen ]
  * New upstream bug-fix release.
    - Fixes "[CVE-2012-1183 - CVE-2012-1184] Asterisk: AST-2012-002 and
      AST-2012-003 flaws" (Closes: #664411).
  * Patch gmime2.6 (Closes: #663998, #664004), also fixed Build-Depends.
  * Remove the text of RFC 3951 from the tarball. (Closes: #665937)

asterisk (1:1.8.10.0~dfsg-1) unstable; urgency=low

  [ Tzafrir Cohen ]
  * New upstream release.
  * Build-depend on sqlite3 as well (Closes: #531759).

  [ Paul Belanger ]
  * debian/patch/chan_iax2-detach-thread-on-non-stop-exit:
    - Dropped; merged upstream

  [ Mark Purcell ]
  * New Release:
    - Fixes "SHA-1 code is doesn't allow modification" (Closes: #643703)
    - Fixes "Placing calls on hold fails with some IP phones" (Closes: #632518)
    - Fixes "Pass the correct value to ast_timer_set_rate() for IAX2
      trunking." (Closes: #661974)
    - Fixes "Call quality on IAX significantly worse than SIP" (Closes: #481702)
    - Fixes "New upstream release: 1.8.2.2" (Closes: #610811)
    - Fixes "asterisk german number pronunciation" (Closes: #402991)
    - Fixes "Why using version 1.6.2.9 - it's not LTS" (Closes: #612147)
    - Fixes "SRTP/ZRTP support for Asterisk" (Closes: #577686)
    - Fixes "fails to register SIP channels on ARM" (Closes: #660240)
  * export CFLAGS LDFLAGS
    - Fixes "Hardening flags missing for menuselect" (Closes: #664086)
    - Fixes "enable hardening options" (Closes: #542741)

asterisk (1:1.8.8.2~dfsg-1) unstable; urgency=high

  * New upstream release, fixes AST-2012-001 (Closes: #656596).
  * Use CFLAGS and LDFLAGS from dpkg-buildflags (Closes: #653944).

asterisk (1:1.8.8.0~dfsg-1) unstable; urgency=high

  [ Faidon Liambotis ]
  * Fix Breaks/Conflicts to contain the epoch.
  * Urgency high since this resulted in file conflicts when upgrading from
    stable.
  * Patch reenable-pri-optional: Backport a patch from upstream to fix
    several PRI features being compiled-out and hence disabled.
  * Bump libpri-dev dependency to 1.4.12; it is not strictly needed but extra
    functionality is enabled at build-time.

  [ Tzafrir Cohen ]
  * New upstream release. Closes: #651552.
    - Patch reenable-pri-optional dropped: included upstream.
  * Officially r...


Changed in asterisk (Ubuntu):
status: Incomplete → Fix Released