main/asterisk: add mitigation for CVE-2021-32558

author: Ariadne Conill <ariadne@dereferenced.org> 2021-08-10 11:56:47 -0600
committer: Ariadne Conill <ariadne@dereferenced.org> 2021-08-10 12:00:09 -0600
commit: 32fbcd8e2524fa130908b8678d57e4f0fad62370 (patch)
tree: fa2dcb24d8aabcfd242006b94e3e590571f9ec74
parent: 4e7b71fcd7568742a834ef9da16d1a1be2dc0797 (diff)
2 files changed, 135 insertions, 3 deletions
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD
index 6585907cba5..f5f4d4dbb38 100644
--- a/main/asterisk/APKBUILD
+++ b/main/asterisk/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Timo Teras <timo.teras@iki.fi>
 pkgname=asterisk
 pkgver=18.2.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Modular Open Source PBX System"
 pkgusers="asterisk"
 pkggroups="asterisk"
@@ -33,11 +33,14 @@ source="$_download/asterisk-$pkgver.tar.gz
 	20-musl-astmm-fix.patch
 	30-asterisk-mariadb.patch
 	40-asterisk-cdefs.patch
+	CVE-2021-32558.patch
 	asterisk.initd
 	asterisk.confd
 	asterisk.logrotate"
 
 # secfixes:
+#   18.2.1-r2:
+#     - CVE-2021-32558
 #   18.2.1-r0:
 #     - CVE-2021-26712
 #     - CVE-2021-26713
@@ -188,12 +191,15 @@ sound_en() {
 	chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
 }
 
-sha512sums="9d7ab83059509dacfab85fdecbdecdb9a90d5da5e3e7f2dce3b49edbbcf5198e19afe8c23b6c4fa480285f00406e74e29bf16bb40cb90a96d03b3e6b315191f9  asterisk-18.2.1.tar.gz
+sha512sums="
+9d7ab83059509dacfab85fdecbdecdb9a90d5da5e3e7f2dce3b49edbbcf5198e19afe8c23b6c4fa480285f00406e74e29bf16bb40cb90a96d03b3e6b315191f9  asterisk-18.2.1.tar.gz
 aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b  asterisk-addon-mp3-r201.patch.gz
 771237ba6d42ab62d914f2702234b23fd0bc8c22f2aa33b0e745c9170163c8046f6d48ecb299faab3d6fb397f1aa046421083c3cc88510c9779861c522f357dd  10-musl-mutex-init.patch
 0fae11b42894ab3d405bc50e9275b9084712b482fbf9b4259ea938667fc5cbe413655f3ff83da0f607151bb2b6e49c2f741b5ada6944dbb478f076ef8d86380a  20-musl-astmm-fix.patch
 a43239189a1170d23d8f99d7658d8e064d4cc8149dd92d68e80d7af7a8fe181e0b111860ab13f12a91172c1e7f370c1a86679081b9ced98f4932fdfc64f04a49  30-asterisk-mariadb.patch
 ba33f11169284f190b7dabab1da7d2751cb65d7976408db635a892fa17d7552e1660350017e7aada3464ecc7d9d6e99d6ad76d66c0036de062a386cffbc948e6  40-asterisk-cdefs.patch
+87df7c97c0963f41a6d61ed80c7b9996d7f38fa39bbca50c3157f4bb68146e1c977459dfdff734395aca4fd9d801c15d6c996bfabdd81be16b96f3bbe92ff480  CVE-2021-32558.patch
 0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4  asterisk.initd
 ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed  asterisk.confd
-7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b  asterisk.logrotate"
+7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b  asterisk.logrotate
+"
diff --git a/main/asterisk/CVE-2021-32558.patch b/main/asterisk/CVE-2021-32558.patch
new file mode 100644
index 00000000000..522d8d6f4ff
--- /dev/null
+++ b/main/asterisk/CVE-2021-32558.patch
@@ -0,0 +1,126 @@
+From 852a8780cb45db0dca7c18b364cb0485a1e09840 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@sangoma.com>
+Date: Mon, 10 May 2021 17:59:00 -0500
+Subject: [PATCH] AST-2021-008 - chan_iax2: remote crash on unsupported media format
+
+If chan_iax2 received a packet with an unsupported media format, for
+example vp9, then it would set the frame's format to NULL. This could
+then result in a crash later when an attempt was made to access the
+format.
+
+This patch makes it so chan_iax2 now ignores/drops frames received
+with unsupported media format types.
+
+ASTERISK-29392 #close
+
+Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1
+---
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 4122c04..c57434b 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -4132,6 +4132,7 @@
+ 	long ms;
+ 	long next;
+ 	struct timeval now = ast_tvnow();
++	struct ast_format *voicefmt;
+ 
+ 	/* Make sure we have a valid private structure before going on */
+ 	ast_mutex_lock(&iaxsl[callno]);
+@@ -4151,10 +4152,9 @@
+ 
+ 	ms = ast_tvdiff_ms(now, pvt->rxcore);
+ 
+-	if(ms >= (next = jb_next(pvt->jb))) {
+-		struct ast_format *voicefmt;
+-		voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
+-		ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);
++	voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
++	if (voicefmt && ms >= (next = jb_next(pvt->jb))) {
++		ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));
+ 		switch(ret) {
+ 		case JB_OK:
+ 			fr = frame.data;
+@@ -4182,7 +4182,7 @@
+ 				pvt = iaxs[callno];
+ 			}
+ 		}
+-			break;
++		break;
+ 		case JB_DROP:
+ 			iax2_frame_free(frame.data);
+ 			break;
+@@ -6451,8 +6451,14 @@
+ 		f->frametype = fh->type;
+ 		if (f->frametype == AST_FRAME_VIDEO) {
+ 			f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1));
++			if (!f->subclass.format) {
++				f->subclass.format = ast_format_none;
++			}
+ 		} else if (f->frametype == AST_FRAME_VOICE) {
+ 			f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++			if (!f->subclass.format) {
++				f->subclass.format = ast_format_none;
++			}
+ 		} else {
+ 			f->subclass.integer = uncompress_subclass(fh->csub);
+ 		}
+@@ -9929,8 +9935,8 @@
+ 		} else if (iaxs[fr->callno]->voiceformat == 0) {
+ 			ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n");
+ 			iax2_vnak(fr->callno);
+-		} else {
+-			f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
++		} else if ((f.subclass.format = ast_format_compatibility_bitfield2format(
++						iaxs[fr->callno]->voiceformat))) {
+ 			f.datalen = len;
+ 			if (f.datalen >= 0) {
+ 				if (f.datalen)
+@@ -10173,11 +10179,17 @@
+ 		f.frametype = fh->type;
+ 		if (f.frametype == AST_FRAME_VIDEO) {
+ 			f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40));
++			if (!f.subclass.format) {
++				return 1;
++			}
+ 			if ((fh->csub >> 6) & 0x1) {
+ 				f.subclass.frame_ending = 1;
+ 			}
+ 		} else if (f.frametype == AST_FRAME_VOICE) {
+ 			f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++			if (!f.subclass.format) {
++				return 1;
++			}
+ 		} else {
+ 			f.subclass.integer = uncompress_subclass(fh->csub);
+ 		}
+@@ -11795,6 +11807,11 @@
+ 				f.subclass.frame_ending = 1;
+ 			}
+ 			f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat);
++			if (!f.subclass.format) {
++				ast_variables_destroy(ies.vars);
++				ast_mutex_unlock(&iaxsl[fr->callno]);
++				return 1;
++			}
+ 		} else {
+ 			ast_log(LOG_WARNING, "Received mini frame before first full video frame\n");
+ 			iax2_vnak(fr->callno);
+@@ -11816,9 +11833,14 @@
+ 	} else {
+ 		/* A mini frame */
+ 		f.frametype = AST_FRAME_VOICE;
+-		if (iaxs[fr->callno]->voiceformat > 0)
++		if (iaxs[fr->callno]->voiceformat > 0) {
+ 			f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
+-		else {
++			if (!f.subclass.format) {
++				ast_variables_destroy(ies.vars);
++				ast_mutex_unlock(&iaxsl[fr->callno]);
++				return 1;
++			}
++		} else {
+ 			ast_debug(1, "Received mini frame before first full voice frame\n");
+ 			iax2_vnak(fr->callno);
+ 			ast_variables_destroy(ies.vars);
author	Ariadne Conill <ariadne@dereferenced.org>	2021-08-10 11:56:47 -0600
committer	Ariadne Conill <ariadne@dereferenced.org>	2021-08-10 12:00:09 -0600
commit	32fbcd8e2524fa130908b8678d57e4f0fad62370 (patch)
tree	fa2dcb24d8aabcfd242006b94e3e590571f9ec74
parent	4e7b71fcd7568742a834ef9da16d1a1be2dc0797 (diff)