aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2019-09-17 07:14:38 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-09-17 07:20:30 +0000
commitfd0aefe7beb083e683ebb7f904469d01e2b71f16 (patch)
treee758ba60f350f2e59fd2e4b46789e34a52e1df48
parent190b36f9a208145ae20d54cea9575ebd14bbb213 (diff)
downloadaports-fd0aefe7beb083e683ebb7f904469d01e2b71f16.tar.gz
aports-fd0aefe7beb083e683ebb7f904469d01e2b71f16.tar.bz2
aports-fd0aefe7beb083e683ebb7f904469d01e2b71f16.tar.xz
main/asterisk: security upgrade to 15.6.2 and security fixes
-rw-r--r--main/asterisk/APKBUILD20
-rw-r--r--main/asterisk/AST-2019-001-15.patch34
-rw-r--r--main/asterisk/AST-2019-002-15.patch40
-rw-r--r--main/asterisk/AST-2019-003-15.patch39
-rw-r--r--main/asterisk/AST-2019-004-15.patch171
5 files changed, 302 insertions, 2 deletions
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD
index 809627e66d..e34f50cab0 100644
--- a/main/asterisk/APKBUILD
+++ b/main/asterisk/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Timo Teras <timo.teras@iki.fi>
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=asterisk
-pkgver=15.6.1
+pkgver=15.6.2
pkgrel=0
pkgdesc="Asterisk: A Module Open Source PBX System"
pkgusers="asterisk"
@@ -30,6 +30,10 @@ _download="http://downloads.asterisk.org/pub/telephony/asterisk/releases"
source="$_download/asterisk-$pkgver.tar.gz
http://dev.alpinelinux.org/~tteras/asterisk-addon-mp3-r201.patch.gz
musl-mutex-init.patch
+ AST-2019-001-15.patch
+ AST-2019-002-15.patch
+ AST-2019-003-15.patch
+ AST-2019-004-15.patch
asterisk.initd
asterisk.confd
@@ -37,6 +41,14 @@ source="$_download/asterisk-$pkgver.tar.gz
builddir="$srcdir/$pkgname-${pkgver/_/-}"
+# secfixes:
+# 15.6.2-r0:
+# - CVE-2018-19278
+# - CVE-2019-7251
+# - CVE-2019-12827
+# - CVE-2019-13161
+# - CVE-2019-15297
+
prepare() {
default_prepare
update_config_sub
@@ -222,9 +234,13 @@ sound_en() {
chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
}
-sha512sums="b46db036ea1d885a5cf7ddee5a56efc7c02299cf1b8ea87f50d8f84e8a93437ce39671ee33256b5f8d524b1b4cc44fde6eacb86f0cc481f7d74fdd901be40d42 asterisk-15.6.1.tar.gz
+sha512sums="7dac70149769a3be4c6ebe63b4ee0028161c2a96237a4aeb3adac82af81dcad8faf9490f82603bbe6b150eb5f45456dbb10c9877d8bde05896a32b1449e4aa42 asterisk-15.6.2.tar.gz
aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
f72c2e04de80d3ed9ce841308101383a1655e6da7a3c888ad31fffe63d1280993e08aefcf8e638316d439c68b38ee05362c87503fca1f36343976a01af9d6eb1 musl-mutex-init.patch
+3528d29a667f4e27996d87797962100be21743d302eb94cc8828fa8985cf22b961c10b1f4a4e333fee92514a6809c9cf43c3a9a53466b1b8e798ac85f9f193d9 AST-2019-001-15.patch
+94f81acebe10455a5e13df961a41d8c51ddc1399316c6758ff107771c6b785de7aa22aa73573718539fda546d351964714583140e6ef529d7de984cdd1affe18 AST-2019-002-15.patch
+19cbcaf8ef8e525193631e2b1f47f3cf2d4075ca134e96b28df7bcad68530d216a9d7dcbcec8a444590d87e6d1894f6e7cd6ad0e2cb5852656a840164b8e1dc3 AST-2019-003-15.patch
+4c2da08e53ba1ffff8df3152aab2751dcbc3d075cd4863a00a16899fe48caf50119ce335a5e9b923ab894c5f2ea9bfad48110a4e49d337e6457f845bba789d92 AST-2019-004-15.patch
0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd
ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd
7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate"
diff --git a/main/asterisk/AST-2019-001-15.patch b/main/asterisk/AST-2019-001-15.patch
new file mode 100644
index 0000000000..f7a68be4c0
--- /dev/null
+++ b/main/asterisk/AST-2019-001-15.patch
@@ -0,0 +1,34 @@
+From 476d60f850c75ca9142aaf783992db74efea6a49 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Wed, 30 Jan 2019 12:25:55 -0700
+Subject: [PATCH] res_pjsip_sdp_rtp: Fix return code from apply_negotiated_sdp_stream
+
+apply_negotiated_sdp_stream was returning a "1" when no joint
+capabilities were found on an outgoing call instead of a "-1".
+This indicated to res_pjsip_session that the handler DID handle
+the sdp when in fact it didn't. Without the appropriate setup,
+a subsequent media frame coming in would have an invalid stream_num
+and cause a seg fault when the stream was attempted to be retrieved.
+
+apply_negotiated_sdp_stream now returns the correct "-1" and any
+media is now discarded before it reaches the core stream processing.
+
+ASTERISK-28620
+Reported by: Sotiris Ganouris
+
+Change-Id: Ia095cb16b4862f2f6ad6d2d2a77453fa2542371f
+---
+
+diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
+index e2067cc..7f5a859 100644
+--- a/res/res_pjsip_sdp_rtp.c
++++ b/res/res_pjsip_sdp_rtp.c
+@@ -1941,7 +1941,7 @@
+ }
+
+ if (set_caps(session, session_media, session_media_transport, remote_stream, 0, asterisk_stream)) {
+- return 1;
++ return -1;
+ }
+
+ /* Set the channel uniqueid on the RTP instance now that it is becoming active */
diff --git a/main/asterisk/AST-2019-002-15.patch b/main/asterisk/AST-2019-002-15.patch
new file mode 100644
index 0000000000..29f4299e3d
--- /dev/null
+++ b/main/asterisk/AST-2019-002-15.patch
@@ -0,0 +1,40 @@
+From ed649e7f5ffcdc1a2dc4b6b2456311d5a1918e24 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Wed, 12 Jun 2019 12:03:04 -0600
+Subject: [PATCH] res_pjsip_messaging: Check for body in in-dialog message
+
+We now check that a body exists and it has a length > 0 before
+attempting to process it.
+
+ASTERISK-28447
+Reported-by: Gil Richard
+
+Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
+---
+ res/res_pjsip_messaging.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
+index 224721e7f1..cf9d484ab5 100644
+--- a/res/res_pjsip_messaging.c
++++ b/res/res_pjsip_messaging.c
+@@ -91,10 +91,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data *
+ static const pj_str_t text = { "text", 4};
+ static const pj_str_t application = { "application", 11};
+
++ if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) {
++ return res;
++ }
++
+ /* We'll accept any text/ or application/ content type */
+- if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
+- && (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
+- || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) {
++ if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
++ || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) {
+ res = PJSIP_SC_OK;
+ } else if (rdata->msg_info.ctype
+ && (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0
+--
+2.21.0
+
diff --git a/main/asterisk/AST-2019-003-15.patch b/main/asterisk/AST-2019-003-15.patch
new file mode 100644
index 0000000000..0c8f89a7a1
--- /dev/null
+++ b/main/asterisk/AST-2019-003-15.patch
@@ -0,0 +1,39 @@
+From a8cc63a8b2b973d6d34251d74b8d4576d6796dce Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano@messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index fe2ae1e..6251878 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -10921,7 +10921,13 @@
+ ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ }
+
+- if (portno != -1 || vportno != -1 || tportno != -1) {
++ /* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
++ * video is not being transported, thus we continue in this function further up if that is
++ * the case. If we receive an SDP answer containing both a UDPTL stream and another media
++ * stream however we need to check again to ensure that there is at least one joint codec
++ * instead of assuming there is one.
++ */
++ if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ /* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ they are acceptable */
+ unsigned int framing;
diff --git a/main/asterisk/AST-2019-004-15.patch b/main/asterisk/AST-2019-004-15.patch
new file mode 100644
index 0000000000..561e3d4ed3
--- /dev/null
+++ b/main/asterisk/AST-2019-004-15.patch
@@ -0,0 +1,171 @@
+From f361e65dc2c90aaee9472f97b54083e0a2d49303 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@digium.com>
+Date: Tue, 20 Aug 2019 15:05:45 -0500
+Subject: [PATCH] AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media
+
+After receiving a 200 OK with a declined stream in response to a T.38
+initiated re-invite Asterisk would crash when attempting to dereference
+a NULL session media object.
+
+This patch checks to make sure the session media object is not NULL before
+attempting to use it.
+
+ASTERISK-28495
+patches:
+ ast-2019-004.patch submitted by Alexei Gradinari (license 5691)
+
+Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572
+---
+
+diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
+index fae6fbb..624139f 100644
+--- a/res/res_pjsip_t38.c
++++ b/res/res_pjsip_t38.c
+@@ -203,7 +203,6 @@
+ {
+ RAII_VAR(struct ast_sip_session *, session, obj, ao2_cleanup);
+ RAII_VAR(struct ast_datastore *, datastore, ast_sip_session_get_datastore(session, "t38"), ao2_cleanup);
+- struct ast_sip_session_media *session_media;
+
+ if (!datastore) {
+ return 0;
+@@ -212,8 +211,7 @@
+ ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n",
+ session->channel ? ast_channel_name(session->channel) : "<gone>");
+
+- session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(session, session_media, datastore->data, T38_REJECTED);
++ t38_change_state(session, NULL, datastore->data, T38_REJECTED);
+ ast_sip_session_resume_reinvite(session);
+
+ return 0;
+@@ -322,28 +320,37 @@
+ int index;
+
+ session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(session, session_media, state, T38_ENABLED);
++ if (!session_media) {
++ ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n",
++ status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");
++ } else {
++ t38_change_state(session, session_media, state, T38_ENABLED);
+
+- /* Stop all the streams in the stored away active state, they'll go back to being active once
+- * we reinvite back.
+- */
+- for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
+- struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
++ /* Stop all the streams in the stored away active state, they'll go back to being active once
++ * we reinvite back.
++ */
++ for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
++ struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
+
+- if (session_media && session_media->handler && session_media->handler->stream_stop) {
+- session_media->handler->stream_stop(session_media);
++ if (session_media && session_media->handler && session_media->handler->stream_stop) {
++ session_media->handler->stream_stop(session_media);
++ }
+ }
++
++ return 0;
+ }
+ } else {
+ session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(session, session_media, state, T38_REJECTED);
+-
+- /* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
+- ast_sip_session_media_state_free(state->media_state);
+- state->media_state = NULL;
+- ast_sip_session_media_state_reset(session->pending_media_state);
+ }
+
++ /* If no session_media then response contained a declined stream, so disable */
++ t38_change_state(session, NULL, state, session_media ? T38_REJECTED : T38_DISABLED);
++
++ /* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
++ ast_sip_session_media_state_free(state->media_state);
++ state->media_state = NULL;
++ ast_sip_session_media_state_reset(session->pending_media_state);
++
+ return 0;
+ }
+
+@@ -426,12 +433,10 @@
+ /* Negotiation can not take place without a valid max_ifp value. */
+ if (!parameters->max_ifp) {
+ if (data->session->t38state == T38_PEER_REINVITE) {
+- session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(data->session, session_media, state, T38_REJECTED);
++ t38_change_state(data->session, NULL, state, T38_REJECTED);
+ ast_sip_session_resume_reinvite(data->session);
+ } else if (data->session->t38state == T38_ENABLED) {
+- session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(data->session, session_media, state, T38_DISABLED);
++ t38_change_state(data->session, NULL, state, T38_DISABLED);
+ ast_sip_session_refresh(data->session, NULL, NULL, NULL,
+ AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
+ state->media_state = NULL;
+@@ -454,6 +459,11 @@
+ state->our_parms.version = MIN(state->our_parms.version, state->their_parms.version);
+ state->our_parms.rate_management = state->their_parms.rate_management;
+ session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++ if (!session_media) {
++ ast_log(LOG_ERROR, "Failed to negotiate parameters for reinvite on channel '%s' (No pending session media).\n",
++ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++ break;
++ }
+ ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
+ t38_change_state(data->session, session_media, state, T38_ENABLED);
+ ast_sip_session_resume_reinvite(data->session);
+@@ -468,8 +478,13 @@
+ }
+ state->our_parms = *parameters;
+ session_media = media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++ if (!session_media) {
++ ast_log(LOG_ERROR, "Failed to negotiate parameters on channel '%s' (No default session media).\n",
++ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++ break;
++ }
+ ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
+- t38_change_state(data->session, session_media, state, T38_LOCAL_REINVITE);
++ t38_change_state(data->session, NULL, state, T38_LOCAL_REINVITE);
+ ast_sip_session_refresh(data->session, NULL, t38_reinvite_sdp_cb, t38_reinvite_response_cb,
+ AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, media_state);
+ }
+@@ -478,12 +493,10 @@
+ case AST_T38_REFUSED:
+ case AST_T38_REQUEST_TERMINATE: /* Shutdown T38 */
+ if (data->session->t38state == T38_PEER_REINVITE) {
+- session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(data->session, session_media, state, T38_REJECTED);
++ t38_change_state(data->session, NULL, state, T38_REJECTED);
+ ast_sip_session_resume_reinvite(data->session);
+ } else if (data->session->t38state == T38_ENABLED) {
+- session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(data->session, session_media, state, T38_DISABLED);
++ t38_change_state(data->session, NULL, state, T38_DISABLED);
+ ast_sip_session_refresh(data->session, NULL, NULL, NULL, AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
+ state->media_state = NULL;
+ }
+@@ -493,6 +506,11 @@
+
+ if (data->session->t38state == T38_PEER_REINVITE) {
+ session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++ if (!session_media) {
++ ast_log(LOG_ERROR, "Failed to request parameters for reinvite on channel '%s' (No pending session media).\n",
++ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++ break;
++ }
+ parameters.max_ifp = ast_udptl_get_far_max_ifp(session_media->udptl);
+ parameters.request_response = AST_T38_REQUEST_NEGOTIATE;
+ ast_queue_control_data(data->session->channel, AST_CONTROL_T38_PARAMETERS, &parameters, sizeof(parameters));
+@@ -788,7 +806,7 @@
+
+ if ((session->t38state == T38_REJECTED) || (session->t38state == T38_DISABLED)) {
+ ast_debug(3, "Declining; T.38 state is rejected or declined\n");
+- t38_change_state(session, session_media, state, T38_DISABLED);
++ t38_change_state(session, NULL, state, T38_DISABLED);
+ return 0;
+ }
+