Commit fd0aefe7 authored by Leonardo Arena's avatar Leonardo Arena

main/asterisk: security upgrade to 15.6.2 and security fixes

- CVE-2018-19278 (included in 15.6.2)
- CVE-2019-7251
- CVE-2019-12827
- CVE-2019-13161
- CVE-2019-15297

Closes #10790
parent 190b36f9
......@@ -2,7 +2,7 @@
# Contributor: Timo Teras <timo.teras@iki.fi>
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=asterisk
pkgver=15.6.1
pkgver=15.6.2
pkgrel=0
pkgdesc="Asterisk: A Module Open Source PBX System"
pkgusers="asterisk"
......@@ -30,6 +30,10 @@ _download="http://downloads.asterisk.org/pub/telephony/asterisk/releases"
source="$_download/asterisk-$pkgver.tar.gz
http://dev.alpinelinux.org/~tteras/asterisk-addon-mp3-r201.patch.gz
musl-mutex-init.patch
AST-2019-001-15.patch
AST-2019-002-15.patch
AST-2019-003-15.patch
AST-2019-004-15.patch
asterisk.initd
asterisk.confd
......@@ -37,6 +41,14 @@ source="$_download/asterisk-$pkgver.tar.gz
builddir="$srcdir/$pkgname-${pkgver/_/-}"
# secfixes:
# 15.6.2-r0:
# - CVE-2018-19278
# - CVE-2019-7251
# - CVE-2019-12827
# - CVE-2019-13161
# - CVE-2019-15297
prepare() {
default_prepare
update_config_sub
......@@ -222,9 +234,13 @@ sound_en() {
chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
}
sha512sums="b46db036ea1d885a5cf7ddee5a56efc7c02299cf1b8ea87f50d8f84e8a93437ce39671ee33256b5f8d524b1b4cc44fde6eacb86f0cc481f7d74fdd901be40d42 asterisk-15.6.1.tar.gz
sha512sums="7dac70149769a3be4c6ebe63b4ee0028161c2a96237a4aeb3adac82af81dcad8faf9490f82603bbe6b150eb5f45456dbb10c9877d8bde05896a32b1449e4aa42 asterisk-15.6.2.tar.gz
aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
f72c2e04de80d3ed9ce841308101383a1655e6da7a3c888ad31fffe63d1280993e08aefcf8e638316d439c68b38ee05362c87503fca1f36343976a01af9d6eb1 musl-mutex-init.patch
3528d29a667f4e27996d87797962100be21743d302eb94cc8828fa8985cf22b961c10b1f4a4e333fee92514a6809c9cf43c3a9a53466b1b8e798ac85f9f193d9 AST-2019-001-15.patch
94f81acebe10455a5e13df961a41d8c51ddc1399316c6758ff107771c6b785de7aa22aa73573718539fda546d351964714583140e6ef529d7de984cdd1affe18 AST-2019-002-15.patch
19cbcaf8ef8e525193631e2b1f47f3cf2d4075ca134e96b28df7bcad68530d216a9d7dcbcec8a444590d87e6d1894f6e7cd6ad0e2cb5852656a840164b8e1dc3 AST-2019-003-15.patch
4c2da08e53ba1ffff8df3152aab2751dcbc3d075cd4863a00a16899fe48caf50119ce335a5e9b923ab894c5f2ea9bfad48110a4e49d337e6457f845bba789d92 AST-2019-004-15.patch
0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd
ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd
7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate"
From 476d60f850c75ca9142aaf783992db74efea6a49 Mon Sep 17 00:00:00 2001
From: George Joseph <gjoseph@digium.com>
Date: Wed, 30 Jan 2019 12:25:55 -0700
Subject: [PATCH] res_pjsip_sdp_rtp: Fix return code from apply_negotiated_sdp_stream
apply_negotiated_sdp_stream was returning a "1" when no joint
capabilities were found on an outgoing call instead of a "-1".
This indicated to res_pjsip_session that the handler DID handle
the sdp when in fact it didn't. Without the appropriate setup,
a subsequent media frame coming in would have an invalid stream_num
and cause a seg fault when the stream was attempted to be retrieved.
apply_negotiated_sdp_stream now returns the correct "-1" and any
media is now discarded before it reaches the core stream processing.
ASTERISK-28620
Reported by: Sotiris Ganouris
Change-Id: Ia095cb16b4862f2f6ad6d2d2a77453fa2542371f
---
diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
index e2067cc..7f5a859 100644
--- a/res/res_pjsip_sdp_rtp.c
+++ b/res/res_pjsip_sdp_rtp.c
@@ -1941,7 +1941,7 @@
}
if (set_caps(session, session_media, session_media_transport, remote_stream, 0, asterisk_stream)) {
- return 1;
+ return -1;
}
/* Set the channel uniqueid on the RTP instance now that it is becoming active */
From ed649e7f5ffcdc1a2dc4b6b2456311d5a1918e24 Mon Sep 17 00:00:00 2001
From: George Joseph <gjoseph@digium.com>
Date: Wed, 12 Jun 2019 12:03:04 -0600
Subject: [PATCH] res_pjsip_messaging: Check for body in in-dialog message
We now check that a body exists and it has a length > 0 before
attempting to process it.
ASTERISK-28447
Reported-by: Gil Richard
Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
---
res/res_pjsip_messaging.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
index 224721e7f1..cf9d484ab5 100644
--- a/res/res_pjsip_messaging.c
+++ b/res/res_pjsip_messaging.c
@@ -91,10 +91,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data *
static const pj_str_t text = { "text", 4};
static const pj_str_t application = { "application", 11};
+ if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) {
+ return res;
+ }
+
/* We'll accept any text/ or application/ content type */
- if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
- && (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
- || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) {
+ if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
+ || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) {
res = PJSIP_SC_OK;
} else if (rdata->msg_info.ctype
&& (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0
--
2.21.0
From a8cc63a8b2b973d6d34251d74b8d4576d6796dce Mon Sep 17 00:00:00 2001
From: Francesco Castellano <francesco.castellano@messagenet.it>
Date: Fri, 28 Jun 2019 18:15:31 +0200
Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
The chan_sip module performs a T.38 re-invite using a single media
stream of udptl, and expects the SDP answer to be the same.
If an SDP answer is received instead that contains an additional
media stream with no joint codec a crash will occur as the code
assumes that at least one joint codec will exist in this
scenario.
This change removes this assumption.
ASTERISK-28465
Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
---
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index fe2ae1e..6251878 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -10921,7 +10921,13 @@
ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
}
- if (portno != -1 || vportno != -1 || tportno != -1) {
+ /* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
+ * video is not being transported, thus we continue in this function further up if that is
+ * the case. If we receive an SDP answer containing both a UDPTL stream and another media
+ * stream however we need to check again to ensure that there is at least one joint codec
+ * instead of assuming there is one.
+ */
+ if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
/* We are now ready to change the sip session and RTP structures with the offered codecs, since
they are acceptable */
unsigned int framing;
From f361e65dc2c90aaee9472f97b54083e0a2d49303 Mon Sep 17 00:00:00 2001
From: Kevin Harwell <kharwell@digium.com>
Date: Tue, 20 Aug 2019 15:05:45 -0500
Subject: [PATCH] AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media
After receiving a 200 OK with a declined stream in response to a T.38
initiated re-invite Asterisk would crash when attempting to dereference
a NULL session media object.
This patch checks to make sure the session media object is not NULL before
attempting to use it.
ASTERISK-28495
patches:
ast-2019-004.patch submitted by Alexei Gradinari (license 5691)
Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572
---
diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
index fae6fbb..624139f 100644
--- a/res/res_pjsip_t38.c
+++ b/res/res_pjsip_t38.c
@@ -203,7 +203,6 @@
{
RAII_VAR(struct ast_sip_session *, session, obj, ao2_cleanup);
RAII_VAR(struct ast_datastore *, datastore, ast_sip_session_get_datastore(session, "t38"), ao2_cleanup);
- struct ast_sip_session_media *session_media;
if (!datastore) {
return 0;
@@ -212,8 +211,7 @@
ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n",
session->channel ? ast_channel_name(session->channel) : "<gone>");
- session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
- t38_change_state(session, session_media, datastore->data, T38_REJECTED);
+ t38_change_state(session, NULL, datastore->data, T38_REJECTED);
ast_sip_session_resume_reinvite(session);
return 0;
@@ -322,28 +320,37 @@
int index;
session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
- t38_change_state(session, session_media, state, T38_ENABLED);
+ if (!session_media) {
+ ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n",
+ status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");
+ } else {
+ t38_change_state(session, session_media, state, T38_ENABLED);
- /* Stop all the streams in the stored away active state, they'll go back to being active once
- * we reinvite back.
- */
- for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
- struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
+ /* Stop all the streams in the stored away active state, they'll go back to being active once
+ * we reinvite back.
+ */
+ for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
+ struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
- if (session_media && session_media->handler && session_media->handler->stream_stop) {
- session_media->handler->stream_stop(session_media);
+ if (session_media && session_media->handler && session_media->handler->stream_stop) {
+ session_media->handler->stream_stop(session_media);
+ }
}
+
+ return 0;
}
} else {
session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
- t38_change_state(session, session_media, state, T38_REJECTED);
-
- /* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
- ast_sip_session_media_state_free(state->media_state);
- state->media_state = NULL;
- ast_sip_session_media_state_reset(session->pending_media_state);
}
+ /* If no session_media then response contained a declined stream, so disable */
+ t38_change_state(session, NULL, state, session_media ? T38_REJECTED : T38_DISABLED);
+
+ /* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
+ ast_sip_session_media_state_free(state->media_state);
+ state->media_state = NULL;
+ ast_sip_session_media_state_reset(session->pending_media_state);
+
return 0;
}
@@ -426,12 +433,10 @@
/* Negotiation can not take place without a valid max_ifp value. */
if (!parameters->max_ifp) {
if (data->session->t38state == T38_PEER_REINVITE) {
- session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
- t38_change_state(data->session, session_media, state, T38_REJECTED);
+ t38_change_state(data->session, NULL, state, T38_REJECTED);
ast_sip_session_resume_reinvite(data->session);
} else if (data->session->t38state == T38_ENABLED) {
- session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
- t38_change_state(data->session, session_media, state, T38_DISABLED);
+ t38_change_state(data->session, NULL, state, T38_DISABLED);
ast_sip_session_refresh(data->session, NULL, NULL, NULL,
AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
state->media_state = NULL;
@@ -454,6 +459,11 @@
state->our_parms.version = MIN(state->our_parms.version, state->their_parms.version);
state->our_parms.rate_management = state->their_parms.rate_management;
session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+ if (!session_media) {
+ ast_log(LOG_ERROR, "Failed to negotiate parameters for reinvite on channel '%s' (No pending session media).\n",
+ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+ break;
+ }
ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
t38_change_state(data->session, session_media, state, T38_ENABLED);
ast_sip_session_resume_reinvite(data->session);
@@ -468,8 +478,13 @@
}
state->our_parms = *parameters;
session_media = media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+ if (!session_media) {
+ ast_log(LOG_ERROR, "Failed to negotiate parameters on channel '%s' (No default session media).\n",
+ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+ break;
+ }
ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
- t38_change_state(data->session, session_media, state, T38_LOCAL_REINVITE);
+ t38_change_state(data->session, NULL, state, T38_LOCAL_REINVITE);
ast_sip_session_refresh(data->session, NULL, t38_reinvite_sdp_cb, t38_reinvite_response_cb,
AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, media_state);
}
@@ -478,12 +493,10 @@
case AST_T38_REFUSED:
case AST_T38_REQUEST_TERMINATE: /* Shutdown T38 */
if (data->session->t38state == T38_PEER_REINVITE) {
- session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
- t38_change_state(data->session, session_media, state, T38_REJECTED);
+ t38_change_state(data->session, NULL, state, T38_REJECTED);
ast_sip_session_resume_reinvite(data->session);
} else if (data->session->t38state == T38_ENABLED) {
- session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
- t38_change_state(data->session, session_media, state, T38_DISABLED);
+ t38_change_state(data->session, NULL, state, T38_DISABLED);
ast_sip_session_refresh(data->session, NULL, NULL, NULL, AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
state->media_state = NULL;
}
@@ -493,6 +506,11 @@
if (data->session->t38state == T38_PEER_REINVITE) {
session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+ if (!session_media) {
+ ast_log(LOG_ERROR, "Failed to request parameters for reinvite on channel '%s' (No pending session media).\n",
+ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
+ break;
+ }
parameters.max_ifp = ast_udptl_get_far_max_ifp(session_media->udptl);
parameters.request_response = AST_T38_REQUEST_NEGOTIATE;
ast_queue_control_data(data->session->channel, AST_CONTROL_T38_PARAMETERS, &parameters, sizeof(parameters));
@@ -788,7 +806,7 @@
if ((session->t38state == T38_REJECTED) || (session->t38state == T38_DISABLED)) {
ast_debug(3, "Declining; T.38 state is rejected or declined\n");
- t38_change_state(session, session_media, state, T38_DISABLED);
+ t38_change_state(session, NULL, state, T38_DISABLED);
return 0;
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment