authorAriadne Conill <ariadne@dereferenced.org>2021-08-10 12:03:16 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-08-10 12:03:16 -0600
commitb30af4dea59ea152688f542ab3461dbf645c3020 (patch)
tree24b7c4698e81a88cbe50ef64b38dcbdffedce44f
parent000352c2dcfeb6b2c0bdbc8c92d648df5f3fe796 (diff)
main/asterisk: add mitigation for CVE-2021-32558
-rw-r--r--main/asterisk/APKBUILD12
-rw-r--r--main/asterisk/CVE-2021-32558.patch126
2 files changed, 135 insertions, 3 deletions
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD
index 8d939b74dd..ccaddeeabc 100644
--- a/main/asterisk/APKBUILD
+++ b/main/asterisk/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=asterisk
pkgver=16.16.1
-pkgrel=0
+pkgrel=1
pkgdesc="Asterisk: A Module Open Source PBX System"
pkgusers="asterisk"
pkggroups="asterisk"
@@ -33,6 +33,7 @@ source="$_download/asterisk-$pkgver.tar.gz
musl-astmm-fix.patch
asterisk-mariadb.patch
asterisk-cdefs.patch
+ CVE-2021-32558.patch
asterisk.initd
asterisk.confd
@@ -41,6 +42,8 @@ source="$_download/asterisk-$pkgver.tar.gz
builddir="$srcdir/$pkgname-${pkgver/_/-}"
# secfixes:
+# 16.16.1-r1:
+# - CVE-2021-32558
# 16.16.1-r0:
# - CVE-2020-35776
# - CVE-2021-26712
@@ -249,12 +252,15 @@ sound_en() {
chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
}
-sha512sums="24e8e5e9d7abd415a46b3028528eca55f0c7db76424fd06087bad84c8df7dd1259ab2ea2d843985808d90d5dabf1b17abf5fa0b286c8e353e5088e3c23dea90f asterisk-16.16.1.tar.gz
+sha512sums="
+24e8e5e9d7abd415a46b3028528eca55f0c7db76424fd06087bad84c8df7dd1259ab2ea2d843985808d90d5dabf1b17abf5fa0b286c8e353e5088e3c23dea90f asterisk-16.16.1.tar.gz
aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
f72c2e04de80d3ed9ce841308101383a1655e6da7a3c888ad31fffe63d1280993e08aefcf8e638316d439c68b38ee05362c87503fca1f36343976a01af9d6eb1 musl-mutex-init.patch
fdac3868ed2ba566397e3a71314568787e4a84d37738f210a6e288c4285215879756c576e2fd064be9cf5169a7e08dbbfd341f50a87e4e6dbfae20e19bcc4d71 musl-astmm-fix.patch
c76a882588194372d0c45a2bd1a9a946543f2dc07fde9240b3e600682e9737337c7602da35bfaeddb4d9fe568daa668016237c6f7986e7c44cf5a8dbba291e1f asterisk-mariadb.patch
05b8fc2e585fbd00c18fa6f13f4ecb1a1226777d1f9d66abd9ffd496c14741fb19abaec5c2c83f50da04f41957392344454154315f5826d9eb469b66dac4b95b asterisk-cdefs.patch
+08e4f66ab6890c70b080240cf876c4b5f7d04d8224cb67bbe0c362eb1943f592591f0d28fdd58ea3395fe18dd7ec853d3e9f944f3e4bc76651751564ad8c3f73 CVE-2021-32558.patch
0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd
ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd
-7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate"
+7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate
+"
diff --git a/main/asterisk/CVE-2021-32558.patch b/main/asterisk/CVE-2021-32558.patch
new file mode 100644
index 0000000000..1d90d9a1f0
--- /dev/null
+++ b/main/asterisk/CVE-2021-32558.patch
@@ -0,0 +1,126 @@
+From 2db19e3f2a26b5d0b6e7201349bb17cdfbc8c01b Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@sangoma.com>
+Date: Mon, 10 May 2021 17:59:00 -0500
+Subject: [PATCH] AST-2021-008 - chan_iax2: remote crash on unsupported media format
+
+If chan_iax2 received a packet with an unsupported media format, for
+example vp9, then it would set the frame's format to NULL. This could
+then result in a crash later when an attempt was made to access the
+format.
+
+This patch makes it so chan_iax2 now ignores/drops frames received
+with unsupported media format types.
+
+ASTERISK-29392 #close
+
+Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1
+---
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 3d8cd72..b43cf14 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -4132,6 +4132,7 @@
+ long ms;
+ long next;
+ struct timeval now = ast_tvnow();
++ struct ast_format *voicefmt;
+
+ /* Make sure we have a valid private structure before going on */
+ ast_mutex_lock(&iaxsl[callno]);
+@@ -4151,10 +4152,9 @@
+
+ ms = ast_tvdiff_ms(now, pvt->rxcore);
+
+- if(ms >= (next = jb_next(pvt->jb))) {
+- struct ast_format *voicefmt;
+- voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
+- ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);
++ voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
++ if (voicefmt && ms >= (next = jb_next(pvt->jb))) {
++ ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));
+ switch(ret) {
+ case JB_OK:
+ fr = frame.data;
+@@ -4182,7 +4182,7 @@
+ pvt = iaxs[callno];
+ }
+ }
+- break;
++ break;
+ case JB_DROP:
+ iax2_frame_free(frame.data);
+ break;
+@@ -6451,8 +6451,14 @@
+ f->frametype = fh->type;
+ if (f->frametype == AST_FRAME_VIDEO) {
+ f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1));
++ if (!f->subclass.format) {
++ f->subclass.format = ast_format_none;
++ }
+ } else if (f->frametype == AST_FRAME_VOICE) {
+ f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++ if (!f->subclass.format) {
++ f->subclass.format = ast_format_none;
++ }
+ } else {
+ f->subclass.integer = uncompress_subclass(fh->csub);
+ }
+@@ -9929,8 +9935,8 @@
+ } else if (iaxs[fr->callno]->voiceformat == 0) {
+ ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n");
+ iax2_vnak(fr->callno);
+- } else {
+- f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
++ } else if ((f.subclass.format = ast_format_compatibility_bitfield2format(
++ iaxs[fr->callno]->voiceformat))) {
+ f.datalen = len;
+ if (f.datalen >= 0) {
+ if (f.datalen)
+@@ -10173,11 +10179,17 @@
+ f.frametype = fh->type;
+ if (f.frametype == AST_FRAME_VIDEO) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40));
++ if (!f.subclass.format) {
++ return 1;
++ }
+ if ((fh->csub >> 6) & 0x1) {
+ f.subclass.frame_ending = 1;
+ }
+ } else if (f.frametype == AST_FRAME_VOICE) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
++ if (!f.subclass.format) {
++ return 1;
++ }
+ } else {
+ f.subclass.integer = uncompress_subclass(fh->csub);
+ }
+@@ -11795,6 +11807,11 @@
+ f.subclass.frame_ending = 1;
+ }
+ f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat);
++ if (!f.subclass.format) {
++ ast_variables_destroy(ies.vars);
++ ast_mutex_unlock(&iaxsl[fr->callno]);
++ return 1;
++ }
+ } else {
+ ast_log(LOG_WARNING, "Received mini frame before first full video frame\n");
+ iax2_vnak(fr->callno);
+@@ -11816,9 +11833,14 @@
+ } else {
+ /* A mini frame */
+ f.frametype = AST_FRAME_VOICE;
+- if (iaxs[fr->callno]->voiceformat > 0)
++ if (iaxs[fr->callno]->voiceformat > 0) {
+ f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
+- else {
++ if (!f.subclass.format) {
++ ast_variables_destroy(ies.vars);
++ ast_mutex_unlock(&iaxsl[fr->callno]);
++ return 1;
++ }
++ } else {
+ ast_debug(1, "Received mini frame before first full voice frame\n");
+ iax2_vnak(fr->callno);
+ ast_variables_destroy(ies.vars);
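Review bot: None of the new drop paths in the embedded chan_iax2.c patch record that a frame was discarded: the two `return 1;` checks after the full-frame format lookup (`@@ -10173`), the mini-frame video and voice checks (`@@ -11795`, `@@ -11816`) and the trunk branch that is now skipped when the lookup returns NULL (`@@ -9929`) are all silent. Since the patch description says the flaw is a remotely triggerable crash, an operator would want a trace of peers that send unsupported formats; a line such as `ast_debug(1, "Dropping frame with unsupported media format\n");` before each return would give that at debug level, where a remote peer cannot flood the warning log. Separately, in the `@@ -4151` section `next` is now assigned only when `voicefmt` is non-NULL, because of the short-circuit in `if (voicefmt && ms >= (next = jb_next(pvt->jb)))`; the function body continues outside the quoted section, so it is worth confirming that `next` is never read after the `if`. All of the enclosing functions start and end outside the quoted sections.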