diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-12-02 10:37:56 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-12-02 10:38:06 +0000 |
| commit | 6a36d2a527e316e6506513ef5e5c60b2934f0962 (patch) | |
| tree | 7e469f53d5a550304c7522daab644d9c6df57afa | |
| parent | 27fa888bce981c1918d927cfccf3e39063dfa0ab (diff) | |
| download | aports-6a36d2a527e316e6506513ef5e5c60b2934f0962.tar.gz aports-6a36d2a527e316e6506513ef5e5c60b2934f0962.tar.bz2 aports-6a36d2a527e316e6506513ef5e5c60b2934f0962.tar.xz | |
main/asterisk: security fixes
| -rw-r--r-- | main/asterisk/APKBUILD | 9 | ||||
| -rw-r--r-- | main/asterisk/AST-2019-006-16.patch | 73 | ||||
| -rw-r--r-- | main/asterisk/AST-2019-007-16.patch | 46 |
3 files changed, 127 insertions, 1 deletions
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD index c0dcc888d44..fdc5a44031b 100644 --- a/main/asterisk/APKBUILD +++ b/main/asterisk/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Timo Teras <timo.teras@iki.fi> pkgname=asterisk pkgver=16.3.0 -pkgrel=2 +pkgrel=3 pkgdesc="Asterisk: A Module Open Source PBX System" pkgusers="asterisk" pkggroups="asterisk" @@ -36,6 +36,8 @@ source="$_download/asterisk-$pkgver.tar.gz AST-2019-002-16.patch AST-2019-003-16.patch AST-2019-004-16.patch + AST-2019-006-16.patch + AST-2019-007-16.patch asterisk.initd asterisk.confd @@ -44,6 +46,9 @@ source="$_download/asterisk-$pkgver.tar.gz builddir="$srcdir/$pkgname-${pkgver/_/-}" # secfixes: +# 16.3.0-r3: +# - CVE-2019-18610 +# - CVE-2019-18790 # 16.3.0-r2: # - CVE-2019-12827 # - CVE-2019-13161 @@ -247,6 +252,8 @@ c76a882588194372d0c45a2bd1a9a946543f2dc07fde9240b3e600682e9737337c7602da35bfaedd 385c9c3068af87451fc5205dbfd00100d2e95983f5358123e42437763dd5ec6d7144f9a42f63afa4b48c01d62b847284d0eae3df0d385019f27efdaa3a20fff6 AST-2019-002-16.patch 5968feeaac0b0eb68eeac6d7022f629518dafe09d00d93f82104d5cbaf58056dcf4d2ab11755f9a9d50847cec328f9d4792290b301bcd115fdaadf6b0a3fa187 AST-2019-003-16.patch 02d84f257b17f39ea80d8287993646a84f93c9760ff8405d334acf6710f86dabf03fc23d44f5f50cf96b32cd0740f3066d1b8328d7c88bb3851cefd19075fe16 AST-2019-004-16.patch +feccdc361943643bc3b88417a0ae020264a941113a8415419eabf2745abb19b5a267865c49b3bf454cb8bc8ee06dc9ed9e631fa79077b1a62a285ee0073e0549 AST-2019-006-16.patch +d53ebc6085474c41cc770fdfa7e259ad575325cc7de8533c18b7387c5b42b27d75037211f446fd2762a84c13676c79a4dccd612434e5b1ae59dd54dcd6e6e2d5 AST-2019-007-16.patch 0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd 7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate" diff --git a/main/asterisk/AST-2019-006-16.patch b/main/asterisk/AST-2019-006-16.patch new file mode 100644 index 00000000000..1f589b282f3 --- /dev/null +++ b/main/asterisk/AST-2019-006-16.patch @@ -0,0 +1,73 @@ +From 8cdaa93e658a46e7baf6b606468b5e2c88a0133b Mon Sep 17 00:00:00 2001 +From: Ben Ford <bford@digium.com> +Date: Mon, 21 Oct 2019 14:55:06 -0500 +Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request. + +If the name of a peer is known and a SIP request is sent using that +peer's name, the address of the peer will change even if the request +fails the authentication challenge. This means that an endpoint can +be altered and even rendered unusuable, even if it was in a working +state previously. This can only occur when the nat option is set to the +default, or auto_force_rport. + +This change checks the result of authentication first to ensure it is +successful before setting the address and the nat option. + +ASTERISK-28589 #close + +Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df +--- + +diff --git a/channels/chan_sip.c b/channels/chan_sip.c +index 6ac2e61..4d79a47 100644 +--- a/channels/chan_sip.c ++++ b/channels/chan_sip.c +@@ -19245,18 +19245,6 @@ + bogus_peer = NULL; + } + +- /* build_peer, called through sip_find_peer, is not able to check the +- * sip_pvt->natdetected flag in order to determine if the peer is behind +- * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA +- * are set on the peer. So we check for that here and set the peer's +- * address accordingly. +- */ +- set_peer_nat(p, peer); +- +- if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) { +- ast_sockaddr_copy(&peer->addr, &p->recv); +- } +- + if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) { + ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of); + sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED"); +@@ -19325,6 +19313,21 @@ + ast_string_field_set(p, peermd5secret, NULL); + } + if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) { ++ ++ /* build_peer, called through sip_find_peer, is not able to check the ++ * sip_pvt->natdetected flag in order to determine if the peer is behind ++ * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA ++ * are set on the peer. So we check for that here and set the peer's ++ * address accordingly. The address should ONLY be set once we are sure ++ * authentication was a success. If, for example, an INVITE was sent that ++ * matched the peer name but failed the authentication check, the address ++ * would be updated, which is bad. ++ */ ++ set_peer_nat(p, peer); ++ if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) { ++ ast_sockaddr_copy(&peer->addr, &p->recv); ++ } ++ + /* If we have a call limit, set flag */ + if (peer->call_limit) + ast_set_flag(&p->flags[0], SIP_CALL_LIMIT); +@@ -19424,6 +19427,7 @@ + } + } + sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer"); ++ + return res; + } + diff --git a/main/asterisk/AST-2019-007-16.patch b/main/asterisk/AST-2019-007-16.patch new file mode 100644 index 00000000000..0f187c11876 --- /dev/null +++ b/main/asterisk/AST-2019-007-16.patch @@ -0,0 +1,46 @@ +From 7574be5110e049a44b8c8ead52cd1c2a5d442afa Mon Sep 17 00:00:00 2001 +From: George Joseph <gjoseph@digium.com> +Date: Thu, 24 Oct 2019 11:41:23 -0600 +Subject: [PATCH] manager.c: Prevent the Originate action from running the Originate app + +If an AMI user without the "system" authorization calls the +Originate AMI command with the Originate application, +the second Originate could run the "System" command. + +Action: Originate +Channel: Local/1111 +Application: Originate +Data: Local/2222,app,System,touch /tmp/owned + +If the "system" authorization isn't set, we now block the +Originate app as well as the System, Exec, etc. apps. + +ASTERISK-28580 +Reported by: Eliel SardaƱons + +Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa +--- + +diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt +new file mode 100644 +index 0000000..f2d3133 +--- /dev/null ++++ b/doc/UPGRADE-staging/AMI-Originate.txt +@@ -0,0 +1,5 @@ ++Subject: AMI ++ ++The AMI Originate action, which optionally takes a dialplan application as ++an argument, no longer accepts "Originate" as the application due to ++security concerns. +diff --git a/main/manager.c b/main/manager.c +index f138801..1963151 100644 +--- a/main/manager.c ++++ b/main/manager.c +@@ -5744,6 +5744,7 @@ + EAGI(/bin/rm,-rf /) */ + strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */ + strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */ ++ strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */ + (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */ + (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */ + )) { |