aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAriadne Conill <ariadne@dereferenced.org>2021-08-10 11:56:47 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-08-10 12:00:09 -0600
commit32fbcd8e2524fa130908b8678d57e4f0fad62370 (patch)
treefa2dcb24d8aabcfd242006b94e3e590571f9ec74
parent4e7b71fcd7568742a834ef9da16d1a1be2dc0797 (diff)
downloadaports-32fbcd8e2524fa130908b8678d57e4f0fad62370.tar.gz
aports-32fbcd8e2524fa130908b8678d57e4f0fad62370.tar.bz2
aports-32fbcd8e2524fa130908b8678d57e4f0fad62370.tar.xz
main/asterisk: add mitigation for CVE-2021-32558
-rw-r--r--main/asterisk/APKBUILD12
-rw-r--r--main/asterisk/CVE-2021-32558.patch126
2 files changed, 135 insertions, 3 deletions
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD
index 6585907cba..f5f4d4dbb3 100644
--- a/main/asterisk/APKBUILD
+++ b/main/asterisk/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=asterisk
pkgver=18.2.1
-pkgrel=1
+pkgrel=2
pkgdesc="Modular Open Source PBX System"
pkgusers="asterisk"
pkggroups="asterisk"
@@ -33,11 +33,14 @@ source="$_download/asterisk-$pkgver.tar.gz
20-musl-astmm-fix.patch
30-asterisk-mariadb.patch
40-asterisk-cdefs.patch
+ CVE-2021-32558.patch
asterisk.initd
asterisk.confd
asterisk.logrotate"
# secfixes:
+# 18.2.1-r2:
+# - CVE-2021-32558
# 18.2.1-r0:
# - CVE-2021-26712
# - CVE-2021-26713
@@ -188,12 +191,15 @@ sound_en() {
chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
}
-sha512sums="9d7ab83059509dacfab85fdecbdecdb9a90d5da5e3e7f2dce3b49edbbcf5198e19afe8c23b6c4fa480285f00406e74e29bf16bb40cb90a96d03b3e6b315191f9 asterisk-18.2.1.tar.gz
+sha512sums="
+9d7ab83059509dacfab85fdecbdecdb9a90d5da5e3e7f2dce3b49edbbcf5198e19afe8c23b6c4fa480285f00406e74e29bf16bb40cb90a96d03b3e6b315191f9 asterisk-18.2.1.tar.gz
aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
771237ba6d42ab62d914f2702234b23fd0bc8c22f2aa33b0e745c9170163c8046f6d48ecb299faab3d6fb397f1aa046421083c3cc88510c9779861c522f357dd 10-musl-mutex-init.patch
0fae11b42894ab3d405bc50e9275b9084712b482fbf9b4259ea938667fc5cbe413655f3ff83da0f607151bb2b6e49c2f741b5ada6944dbb478f076ef8d86380a 20-musl-astmm-fix.patch
a43239189a1170d23d8f99d7658d8e064d4cc8149dd92d68e80d7af7a8fe181e0b111860ab13f12a91172c1e7f370c1a86679081b9ced98f4932fdfc64f04a49 30-asterisk-mariadb.patch
ba33f11169284f190b7dabab1da7d2751cb65d7976408db635a892fa17d7552e1660350017e7aada3464ecc7d9d6e99d6ad76d66c0036de062a386cffbc948e6 40-asterisk-cdefs.patch
+87df7c97c0963f41a6d61ed80c7b9996d7f38fa39bbca50c3157f4bb68146e1c977459dfdff734395aca4fd9d801c15d6c996bfabdd81be16b96f3bbe92ff480 CVE-2021-32558.patch
0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd
ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd
-7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate"
+7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate
+"
diff --git a/main/asterisk/CVE-2021-32558.patch b/main/asterisk/CVE-2021-32558.patch
new file mode 100644
index 0000000000..522d8d6f4f
--- /dev/null
+++ b/main/asterisk/CVE-2021-32558.patch
@@ -0,0 +1,126 @@
+From 852a8780cb45db0dca7c18b364cb0485a1e09840 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@sangoma.com>
+Date: Mon, 10 May 2021 17:59:00 -0500
+Subject: [PATCH] AST-2021-008 - chan_iax2: remote crash on unsupported media format
+
+If chan_iax2 received a packet with an unsupported media format, for
+example vp9, then it would set the frame's format to NULL. This could
+then result in a crash later when an attempt was made to access the
+format.
+
+This patch makes it so chan_iax2 now ignores/drops frames received
+with unsupported media format types.
+
+ASTERISK-29392 #close
+
+Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1
+---
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 4122c04..c57434b 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -4132,6 +4132,7 @@
+ long ms;
+ long next;
+ struct timeval now = ast_tvnow();
++ struct ast_format *voicefmt;
+
+ /* Make sure we have a valid private structure before going on */
+ ast_mutex_lock(&iaxsl[callno]);
+@@ -4151,10 +4152,9 @@
+
+ ms = ast_tvdiff_ms(now, pvt->rxcore);
+
+- if(ms >= (next = jb_next(pvt->jb))) {
+- struct ast_format *voicefmt;
+- voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
+- ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);
++ voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
++ if (voicefmt && ms >= (next = jb_next(pvt->jb))) {
++ ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));
+ switch(ret) {
+ case JB_OK:
+ fr = frame.data;
+@@ -4182,7 +4182,7 @@
+ pvt = iaxs[callno];
+ }
+ }
+- break;
++ break;
+ case JB_DROP:
+ iax2_frame_free(frame.data);
+ break;
+@@ -6451,8 +6451,14 @@
+ f->frametype = fh->type;
+ if (f->frametype == AST_FRAME_VIDEO) {
+ f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1));
++ if (!f->subclass.format) {
++ f->subclass.format = ast_format_none;
++ }
+ } else if (f->frametype == AST_FRAME_VOICE) {
+ f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++ if (!f->subclass.format) {
++ f->subclass.format = ast_format_none;
++ }
+ } else {
+ f->subclass.integer = uncompress_subclass(fh->csub);
+ }
+@@ -9929,8 +9935,8 @@
+ } else if (iaxs[fr->callno]->voiceformat == 0) {
+ ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n");
+ iax2_vnak(fr->callno);
+- } else {
+- f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
++ } else if ((f.subclass.format = ast_format_compatibility_bitfield2format(
++ iaxs[fr->callno]->voiceformat))) {
+ f.datalen = len;
+ if (f.datalen >= 0) {
+ if (f.datalen)
+@@ -10173,11 +10179,17 @@
+ f.frametype = fh->type;
+ if (f.frametype == AST_FRAME_VIDEO) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40));
++ if (!f.subclass.format) {
++ return 1;
++ }
+ if ((fh->csub >> 6) & 0x1) {
+ f.subclass.frame_ending = 1;
+ }
+ } else if (f.frametype == AST_FRAME_VOICE) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++ if (!f.subclass.format) {
++ return 1;
++ }
+ } else {
+ f.subclass.integer = uncompress_subclass(fh->csub);
+ }
+@@ -11795,6 +11807,11 @@
+ f.subclass.frame_ending = 1;
+ }
+ f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat);
++ if (!f.subclass.format) {
++ ast_variables_destroy(ies.vars);
++ ast_mutex_unlock(&iaxsl[fr->callno]);
++ return 1;
++ }
+ } else {
+ ast_log(LOG_WARNING, "Received mini frame before first full video frame\n");
+ iax2_vnak(fr->callno);
+@@ -11816,9 +11833,14 @@
+ } else {
+ /* A mini frame */
+ f.frametype = AST_FRAME_VOICE;
+- if (iaxs[fr->callno]->voiceformat > 0)
++ if (iaxs[fr->callno]->voiceformat > 0) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
+- else {
++ if (!f.subclass.format) {
++ ast_variables_destroy(ies.vars);
++ ast_mutex_unlock(&iaxsl[fr->callno]);
++ return 1;
++ }
++ } else {
+ ast_debug(1, "Received mini frame before first full voice frame\n");
+ iax2_vnak(fr->callno);
+ ast_variables_destroy(ies.vars);