ports/114817: [update] asterisk 1.4.8 fixes serious remote buffer overflows
Peter Beckman
beckman at angryox.com
Sun Jul 22 21:20:09 UTC 2007
>Number: 114817
>Category: ports
>Synopsis: [update] asterisk 1.4.8 fixes serious remote buffer overflows
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 22 21:20:08 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Peter Beckman <beckman at angryox.com>
>Release: FreeBSD 6.2-RELEASE i386
>Organization:
Telusion Inc
>Environment:
System: FreeBSD fbsd.angryox.com 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root at dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Digium has released Asterisk 1.4.8 as an emergency security release; per the synopsis it fixes serious remotely triggerable buffer overflows, so the port should be updated promptly.
>How-To-Repeat:
>Fix:
This is a diff against the port's own files (Makefile, distinfo and the files/patch-* patches), i.e. a patch of patches regenerated against the 1.4.8 sources.
Deleted files/patch-include::asterisk::utils.h
Deleted files/patch-main::utils.c
Both deleted patches are no longer needed: the issues they worked around are fixed upstream in 1.4.8.
This patch does NOT update pkg-plist -- that was beyond my comprehension.
pkg-plist still needs to be updated for 1.4.8 before this can be committed.
diff -ruN asterisk/Makefile asterisk-1.4.8_2/Makefile
--- asterisk/Makefile Tue May 29 21:52:15 2007
+++ asterisk-1.4.8_2/Makefile Wed Jul 18 13:43:31 2007
@@ -6,8 +6,7 @@
#
PORTNAME= asterisk
-PORTVERSION= 1.4.4
-PORTREVISION= 2
+PORTVERSION= 1.4.8
CATEGORIES= net
MASTER_SITES= http://ftp.digium.com/pub/asterisk/ \
http://ftp.digium.com/pub/asterisk/old-releases/
diff -ruN asterisk/distinfo asterisk-1.4.8_2/distinfo
--- asterisk/distinfo Mon May 28 19:16:35 2007
+++ asterisk-1.4.8_2/distinfo Wed Jul 18 13:45:46 2007
@@ -1,3 +1,3 @@
-MD5 (asterisk-1.4.4.tar.gz) = 90f6a2ea5113ad26de393517576a1ede
-SHA256 (asterisk-1.4.4.tar.gz) = 82a28d8f511703de5fc6231123f15a7c2fbda54ff9c0a686e405f74d1c03aca7
-SIZE (asterisk-1.4.4.tar.gz) = 17081631
+MD5 (asterisk-1.4.8.tar.gz) = 7263ff56ad93cbb5efb971a536ee6a51
+SHA256 (asterisk-1.4.8.tar.gz) = 3eabdf2c52d366abe7dd1e303b982fa7aad12945b1ac32ee97dc4b652041a43f
+SIZE (asterisk-1.4.8.tar.gz) = 11171190
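Review bot: The MD5, SHA256 and SIZE values on the three new lines should not be taken from the PR as-is: the committer should fetch asterisk-1.4.8.tar.gz from ftp.digium.com and regenerate them with `make makesum`, because distinfo is the only integrity check the port has over the plain-http MASTER_SITES and a submitted hash is indistinguishable from one computed over a tampered archive. The SIZE line drops from 17081631 to 11171190 bytes between 1.4.4 and 1.4.8, a large change that is worth confirming against the published file rather than assumed. Of the two digests, the SHA256 line is the one to rely on; MD5 is kept only for compatibility.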
diff -ruN asterisk/files/patch-Makefile asterisk-1.4.8_2/files/patch-Makefile
--- asterisk/files/patch-Makefile Mon Apr 16 09:40:15 2007
+++ asterisk-1.4.8_2/files/patch-Makefile Wed Jul 18 16:00:28 2007
@@ -1,9 +1,6 @@
-
-$FreeBSD: ports/net/asterisk/files/patch-Makefile,v 1.19 2007/04/16 08:40:15 sobomax Exp $
-
---- Makefile.orig
-+++ Makefile
-@@ -207,7 +207,7 @@
+--- Makefile.orig Wed Jul 18 16:00:03 2007
++++ Makefile Wed Jul 18 15:59:42 2007
+@@ -210,7 +210,7 @@
ifeq ($(OSARCH),FreeBSD)
# -V is understood by BSD Make, not by GNU make.
@@ -12,7 +9,7 @@
ASTCFLAGS+=$(shell if test $(BSDVERSION) -lt 500016 ; then echo "-D_THREAD_SAFE"; fi)
AST_LIBS+=$(shell if test $(BSDVERSION) -lt 502102 ; then echo "-lc_r"; else echo "-pthread"; fi)
endif
-@@ -371,15 +371,15 @@
+@@ -375,15 +375,15 @@
# Should static HTTP be installed during make samples or even with its own target ala
# webvoicemail? There are portions here that *could* be customized but might also be
# improved a lot. I'll put it here for now.
@@ -33,7 +30,7 @@
$(MAKE) -C sounds install
update:
-@@ -400,45 +400,45 @@
+@@ -404,45 +404,45 @@
OLDHEADERS=$(filter-out $(NEWHEADERS),$(notdir $(wildcard $(DESTDIR)$(ASTHEADERDIR)/*.h)))
bininstall: _all
@@ -67,7 +64,7 @@
+ $(BSD_INSTALL_SCRIPT) contrib/scripts/astgenkey $(DESTDIR)$(ASTSBINDIR)/
+ $(BSD_INSTALL_SCRIPT) contrib/scripts/autosupport $(DESTDIR)$(ASTSBINDIR)/
if [ ! -f $(DESTDIR)$(ASTSBINDIR)/safe_asterisk ]; then \
- cat contrib/scripts/safe_asterisk | sed 's|__ASTERISK_SBIN_DIR__|$(ASTSBINDIR)|;' > $(DESTDIR)$(ASTSBINDIR)/safe_asterisk ;\
+ cat contrib/scripts/safe_asterisk | sed 's|__ASTERISK_SBIN_DIR__|$(ASTSBINDIR)|;s|__ASTERISK_VARRUN_DIR__|$(ASTVARRUNDIR)|;' > $(DESTDIR)$(ASTSBINDIR)/safe_asterisk ;\
chmod 755 $(DESTDIR)$(ASTSBINDIR)/safe_asterisk;\
fi
- $(INSTALL) -d $(DESTDIR)$(ASTHEADERDIR)
@@ -109,7 +106,7 @@
fi
$(SUBDIRS_INSTALL):
-@@ -465,7 +465,7 @@
+@@ -469,7 +469,7 @@
echo " WARNING WARNING WARNING" ;\
fi
@@ -118,7 +115,7 @@
@if [ -x /usr/sbin/asterisk-post-install ]; then \
/usr/sbin/asterisk-post-install $(DESTDIR) . ; \
fi
-@@ -495,31 +495,23 @@
+@@ -499,31 +499,22 @@
upgrade: bininstall
adsi:
@@ -129,7 +126,6 @@
- $(INSTALL) -m 644 $$x $(DESTDIR)$(ASTETCDIR)/`$(BASENAME) $$x` ; \
+ $(BSD_INSTALL_DATA) $$x $(DESTDIR)$(ASTETCDIR)/`$(BASENAME) $$x` ; \
fi ; \
-+ $(BSD_INSTALL_DATA) $$x $(DESTDIR)$(ASTETCDIR)/`$(BASENAME) $$x`-dist ; \
done
samples: adsi
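Review bot: The inner line removed at L118 (the `$(BSD_INSTALL_DATA) $$x ... -dist` install in the `adsi` target) means the port stops installing the `-dist` copies of the adsi files, yet the PR states pkg-plist has not been updated; if pkg-plist still lists those `-dist` entries, `make package` and deinstall will fail on missing files. Either keep that line or drop the matching pkg-plist entries in the same commit. The inner hunk for the `adsi` target continues outside this outer hunk, so whether 1.4.8's own Makefile now installs those copies is not visible here.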
@@ -158,11 +154,10 @@
( \
echo "[directories]" ; \
echo "astetcdir => $(ASTETCDIR)" ; \
-@@ -540,20 +532,23 @@
- echo ";astctlowner = root" ; \
+@@ -545,19 +536,23 @@
echo ";astctlgroup = apache" ; \
echo ";astctl = asterisk.ctl" ; \
-- ) > $(DESTDIR)$(ASTCONFPATH) ; \
+ ) > $(DESTDIR)$(ASTCONFPATH) ; \
+ ) > $(DESTDIR)$(ASTCONFPATH)-dist ; \
+ if [ ! -f $(DESTDIR)$(ASTCONFPATH) ]; then \
+ cp $(DESTDIR)$(ASTCONFPATH)-dist $(DESTDIR)$(ASTCONFPATH); \
@@ -186,7 +181,7 @@
done
@echo " +--------- Asterisk Web Voicemail ----------+"
@echo " + +"
-@@ -580,10 +575,10 @@
+@@ -584,10 +579,10 @@
__rpm: include/asterisk/version.h include/asterisk/buildopts.h spec
rm -rf /tmp/asterisk ; \
@@ -199,7 +194,7 @@
cp -f contrib/init.d/rc.redhat.asterisk /tmp/asterisk/etc/rc.d/init.d/asterisk ; \
rpmbuild --rcfile /usr/lib/rpm/rpmrc:redhat/rpmrc -bb asterisk.spec
-@@ -594,19 +589,19 @@
+@@ -598,19 +593,19 @@
config:
@if [ "${OSARCH}" = "linux-gnu" ]; then \
if [ -f /etc/redhat-release -o -f /etc/fedora-release ]; then \
diff -ruN asterisk/files/patch-agi::Makefile asterisk-1.4.8_2/files/patch-agi::Makefile
--- asterisk/files/patch-agi::Makefile Fri Apr 13 09:06:05 2007
+++ asterisk-1.4.8_2/files/patch-agi::Makefile Wed Jul 18 15:02:10 2007
@@ -1,5 +1,5 @@
---- agi/Makefile.orig Sat Dec 16 23:14:34 2006
-+++ agi/Makefile Wed Mar 28 11:13:21 2007
+--- agi/Makefile.orig Wed Jul 18 14:27:12 2007
++++ agi/Makefile Wed Jul 18 14:28:42 2007
@@ -13,7 +13,9 @@
.PHONY: clean all uninstall
@@ -11,13 +11,13 @@
ifeq ($(OSARCH),SunOS)
LIBS+=-lsocket -lnsl
-@@ -31,8 +33,9 @@ eagi-test: eagi-test.o strcompat.o
+@@ -31,8 +33,9 @@
eagi-sphinx-test: eagi-sphinx-test.o
install: all
- mkdir -p $(DESTDIR)$(AGI_DIR)
- for x in $(AGIS); do $(INSTALL) -m 755 $$x $(DESTDIR)$(AGI_DIR) ; done
-+ $(MKDIR) -p $(DESTDIR)$(AGI_DIR)
++ $(MKDIR) $(DESTDIR)$(AGI_DIR)
+ for x in $(AGIS_BIN); do $(BSD_INSTALL_PROGRAM) $$x $(DESTDIR)$(AGI_DIR) ; done
+ for x in $(AGIS_SCR); do $(BSD_INSTALL_SCRIPT) $$x $(DESTDIR)$(AGI_DIR) ; done
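Review bot: Dropping `-p` on the new `$(MKDIR) $(DESTDIR)$(AGI_DIR)` line is only safe if `MKDIR` expands to `mkdir -p` inside this sub-make; the ports framework defines it that way, but whether that value reaches agi/Makefile rather than a plain `mkdir` from Asterisk's own build is not visible in this diff. If the parent directory is absent at install time the recipe fails. Keeping `$(MKDIR) -p $(DESTDIR)$(AGI_DIR)` is harmless under either expansion.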
diff -ruN asterisk/files/patch-channels::chan_sip.c asterisk-1.4.8_2/files/patch-channels::chan_sip.c
--- asterisk/files/patch-channels::chan_sip.c Fri Apr 13 09:06:05 2007
+++ asterisk-1.4.8_2/files/patch-channels::chan_sip.c Wed Jul 18 15:02:30 2007
@@ -1,6 +1,6 @@
---- channels/chan_sip.c.orig Wed Mar 28 11:23:42 2007
-+++ channels/chan_sip.c Wed Mar 28 11:36:27 2007
-@@ -484,7 +484,7 @@ static const struct cfsip_options {
+--- channels/chan_sip.c.orig Wed Jul 18 14:16:19 2007
++++ channels/chan_sip.c Wed Jul 18 14:19:23 2007
+@@ -488,7 +488,7 @@
#define DEFAULT_MOHINTERPRET "default"
#define DEFAULT_MOHSUGGEST ""
#define DEFAULT_VMEXTEN "asterisk"
@@ -9,16 +9,16 @@
#define DEFAULT_NOTIFYMIME "application/simple-message-summary"
#define DEFAULT_MWITIME 10
#define DEFAULT_ALLOWGUEST TRUE
-@@ -3822,6 +3823,8 @@ static struct ast_channel *sip_new(struc
- ast_codec_pref_remove2(&tmp->nativeformats, ~i->usercapability);
- fmt = ast_codec_pref_index_audio(&tmp->nativeformats, 0);
+@@ -3874,6 +3874,8 @@
+ /* XXX Why are we choosing a codec from the native formats?? */
+ fmt = ast_best_codec(tmp->nativeformats);
+ pbx_builtin_setvar_helper(tmp, "SIP_CODEC_USED", ast_getformatname(fmt));
+
/* If we have a prefcodec setting, we have an inbound channel that set a
preferred format for this call. Otherwise, we check the jointcapability
We also check for vrtp. If it's not there, we are not allowed do any video anyway.
-@@ -11203,6 +11215,13 @@ static int build_reply_digest(struct sip
+@@ -11270,6 +11272,13 @@
secret = p->peersecret;
md5secret = p->peermd5secret;
}
@@ -32,4 +32,3 @@
if (ast_strlen_zero(username)) /* We have no authentication */
return -1;
-
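Review bot: The port-local insertion into build_reply_digest (the inner `-11270,6 +11272,13` hunk, seven added lines this diff does not show) modifies the SIP digest-authentication path and has been rebased here by adjusting offsets only. Since 1.4.8 is a security release for this code base, that hunk should be re-read against the 1.4.8 chan_sip.c rather than assumed to still apply correctly, in particular that the added code still sits before the `if (ast_strlen_zero(username))` check at L208-209 and still refers to the `p->peersecret` / `p->peermd5secret` it is placed next to. The body of build_reply_digest and the rest of the inner hunk begin and end outside this outer hunk.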
diff -ruN asterisk/files/patch-channels::chan_skinny.c asterisk-1.4.8_2/files/patch-channels::chan_skinny.c
--- asterisk/files/patch-channels::chan_skinny.c Tue May 23 03:47:04 2006
+++ asterisk-1.4.8_2/files/patch-channels::chan_skinny.c Wed Jul 18 15:02:35 2007
@@ -1,14 +1,11 @@
-
-$FreeBSD: ports/net/asterisk/files/patch-channels::chan_skinny.c,v 1.1 2006/05/23 02:47:04 sobomax Exp $
-
---- channels/chan_skinny.c.orig
-+++ channels/chan_skinny.c
-@@ -99,7 +99,7 @@
+--- channels/chan_skinny.c.orig Wed Jul 18 14:20:47 2007
++++ channels/chan_skinny.c Wed Jul 18 14:21:33 2007
+@@ -107,7 +107,7 @@
#define htolel(x) (x)
#define htoles(x) (x)
#else
-#if defined(SOLARIS) || defined(__Darwin__) || defined(__NetBSD__)
+#if defined(SOLARIS) || defined(__Darwin__) || defined(__NetBSD__) || defined(__FreeBSD__)
#define __bswap_16(x) \
- ((((x) & 0xff00) >> 8) | \
- (((x) & 0x00ff) << 8))
+ ((((x) & 0xff00) >> 8) | \
+ (((x) & 0x00ff) << 8))
diff -ruN asterisk/files/patch-channels::chan_zap.c asterisk-1.4.8_2/files/patch-channels::chan_zap.c
--- asterisk/files/patch-channels::chan_zap.c Tue Jan 17 22:27:45 2006
+++ asterisk-1.4.8_2/files/patch-channels::chan_zap.c Wed Jul 18 15:02:41 2007
@@ -1,20 +1,18 @@
-
-$FreeBSD: ports/net/asterisk/files/patch-channels::chan_zap.c,v 1.4 2006/01/17 22:27:45 sobomax Exp $
-
---- channels/chan_zap.c.orig Tue Nov 29 20:24:39 2005
-+++ channels/chan_zap.c Fri Jan 13 13:28:33 2006
-@@ -638,6 +638,7 @@ static struct zt_pvt {
+--- channels/chan_zap.c.orig Wed Jul 18 14:22:06 2007
++++ channels/chan_zap.c Wed Jul 18 14:25:51 2007
+@@ -531,6 +531,7 @@
int cidlen;
int ringt;
int ringt_base;
-+ int waitnorings;
++ int waitnorings;
int stripmsd;
int callwaitcas;
int callwaitrings;
-@@ -2308,6 +2309,19 @@ static int zt_hangup(struct ast_channel
+@@ -2425,7 +2426,19 @@
}
ast_mutex_lock(&p->lock);
+-
+ switch (p->sig) {
+ case SIG_FXSGS:
+ case SIG_FXSKS:
@@ -28,14 +26,14 @@
+ break;
+ };
+
-
index = zt_get_index(ast, p, 1);
-@@ -6129,7 +6143,37 @@ static void *ss_thread(void *data)
+ if (p->sig == SIG_PRI) {
+@@ -6523,7 +6536,37 @@
ast_setstate(chan, AST_STATE_RING);
chan->rings = 1;
p->ringt = p->ringt_base;
-+ p->waitnorings = 0;
++ p->waitnorings = 0;
res = ast_pbx_run(chan);
+
+ if(p->waitnorings)
@@ -69,9 +67,9 @@
if (res) {
ast_hangup(chan);
ast_log(LOG_WARNING, "PBX exited non-zero\n");
-@@ -6431,7 +6475,7 @@ static void *do_monitor(void *data)
+@@ -6801,7 +6844,7 @@
i = iflist;
- while(i) {
+ while (i) {
if ((i->subs[SUB_REAL].zfd > -1) && i->sig && (!i->radio)) {
- if (!i->owner && !i->subs[SUB_REAL].owner) {
+ if (!i->owner && !i->subs[SUB_REAL].owner && !i->waitnorings) {
diff -ruN asterisk/files/patch-configure asterisk-1.4.8_2/files/patch-configure
--- asterisk/files/patch-configure Fri Apr 13 09:06:05 2007
+++ asterisk-1.4.8_2/files/patch-configure Wed Jul 18 14:36:10 2007
@@ -1,27 +1,6 @@
-
-$FreeBSD: ports/net/asterisk/files/patch-configure,v 1.1 2007/04/13 08:06:05 sobomax Exp $
-
---- configure.orig
-+++ configure
-@@ -23776,7 +23776,7 @@
- echo $ECHO_N "(cached) $ECHO_C" >&6
- else
- ac_check_lib_save_LIBS=$LIBS
--LIBS="-lodbc ${pbxlibdir} -lltdl $LIBS"
-+LIBS="-lodbc ${pbxlibdir} $LIBS"
- cat >conftest.$ac_ext <<_ACEOF
- /* confdefs.h. */
- _ACEOF
-@@ -23855,7 +23855,7 @@
-
-
- if test "${AST_UNIXODBC_FOUND}" = "yes"; then
-- UNIXODBC_LIB="-lodbc -lltdl"
-+ UNIXODBC_LIB="-lodbc"
- UNIXODBC_HEADER_FOUND="1"
- if test "x${UNIXODBC_DIR}" != "x"; then
- UNIXODBC_LIB="${pbxlibdir} ${UNIXODBC_LIB}"
-@@ -28065,7 +28065,7 @@
+--- configure.orig Wed Jul 18 14:33:44 2007
++++ configure Wed Jul 18 14:35:42 2007
+@@ -26700,7 +26700,7 @@
fi
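Review bot: The two inner hunks dropped here stripped `-lltdl` from the unixodbc link test (`LIBS="-lodbc ${pbxlibdir} $LIBS"`) and from `UNIXODBC_LIB="-lodbc"`, and nothing in the PR says 1.4.8's configure no longer hardcodes `-lltdl`; if it still does, a build with the ODBC option enabled will fail to link, or silently disable ODBC, on a FreeBSD host without libltdl. Please confirm against 1.4.8's configure before committing, or keep the two hunks rebased to their new offsets. The one remaining inner hunk (now at 26700) is shown only as a renumbered header; its body continues outside this diff.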
diff -ruN asterisk/files/patch-include::asterisk::utils.h asterisk-1.4.8_2/files/patch-include::asterisk::utils.h
--- asterisk/files/patch-include::asterisk::utils.h Sun Oct 17 19:00:02 2004
+++ asterisk-1.4.8_2/files/patch-include::asterisk::utils.h Thu Jan 1 01:00:00 1970
@@ -1,13 +0,0 @@
-
-$FreeBSD: ports/net/asterisk/files/patch-include::asterisk::utils.h,v 1.1 2004/10/17 18:00:02 sobomax Exp $
-
---- include/asterisk/utils.h 2004/10/10 12:55:50 1.1
-+++ include/asterisk/utils.h 2004/10/10 12:56:43
-@@ -37,7 +37,6 @@
- #ifdef inet_ntoa
- #undef inet_ntoa
- #endif
--#define inet_ntoa __dont__use__inet_ntoa__use__ast_inet_ntoa__instead__
-
- #ifdef LINUX
- #define ast_pthread_create pthread_create
diff -ruN asterisk/files/patch-main::db.c asterisk-1.4.8_2/files/patch-main::db.c
--- asterisk/files/patch-main::db.c Fri Apr 13 09:06:05 2007
+++ asterisk-1.4.8_2/files/patch-main::db.c Wed Jul 18 15:02:54 2007
@@ -1,17 +1,14 @@
-
-$FreeBSD: ports/net/asterisk/files/patch-main::db.c,v 1.1 2007/04/13 08:06:05 sobomax Exp $
-
---- main/db.c.orig Fri Jan 13 11:05:32 2006
-+++ main/db.c Fri Jan 13 11:06:55 2006
-@@ -35,6 +35,7 @@
+--- main/db.c.orig Wed Jul 18 14:41:15 2007
++++ main/db.c Wed Jul 18 14:41:47 2007
+@@ -39,6 +39,7 @@
#include <errno.h>
#include <unistd.h>
#include <dirent.h>
+#include <db.h>
- #include "asterisk.h"
-
-@@ -51,7 +52,6 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
+ #include "asterisk/channel.h"
+ #include "asterisk/file.h"
+@@ -51,7 +52,6 @@
#include "asterisk/utils.h"
#include "asterisk/lock.h"
#include "asterisk/manager.h"
diff -ruN asterisk/files/patch-main::utils.c asterisk-1.4.8_2/files/patch-main::utils.c
--- asterisk/files/patch-main::utils.c Fri Apr 13 09:06:05 2007
+++ asterisk-1.4.8_2/files/patch-main::utils.c Thu Jan 1 01:00:00 1970
@@ -1,14 +0,0 @@
-
-$FreeBSD: ports/net/asterisk/files/patch-main::utils.c,v 1.1 2007/04/13 08:06:05 sobomax Exp $
-
---- main/utils.c
-+++ main/utils.c
-@@ -58,7 +58,7 @@
- static char base64[64];
- static char b2a[256];
-
--#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined( __NetBSD__ ) || defined(__APPLE__) || defined(__CYGWIN__)
-+#if (defined(__FreeBSD__) && __FreeBSD_version < 601103) || defined(__OpenBSD__) || defined( __NetBSD__ ) || defined(__APPLE__) || defined(__CYGWIN__)
-
- /* duh? ERANGE value copied from web... */
- #define ERANGE 34
>Release-Note:
>Audit-Trail:
>Unformatted: