--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package asterisk/1:16.2.1~dfsg-1+deb10u1
- From: Bernhard Schmidt <berni@debian.org>
- Date: Tue, 20 Aug 2019 22:37:58 +0200
- Message-id: <156633347867.1699.4526191100078417914.reportbug@BOTOX.krs8.birkenwald.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I'd like to update asterisk with a fix for two minor CVEs that have been deemed
no-dsa. Exactly the same change (apart from the d/gbp.conf update for the
Buster branch) has been uploaded to sid as -2 and migrated to testing a month
ago.
Debdiff attached.
Bernhard
diff -Nru asterisk-16.2.1~dfsg/debian/changelog asterisk-16.2.1~dfsg/debian/changelog
--- asterisk-16.2.1~dfsg/debian/changelog 2019-03-07 23:13:24.000000000 +0100
+++ asterisk-16.2.1~dfsg/debian/changelog 2019-08-20 22:31:33.000000000 +0200
@@ -1,3 +1,13 @@
+asterisk (1:16.2.1~dfsg-1+deb10u1) buster; urgency=medium
+
+ * AST-2019-002 / CVE-2019-12827
+ Buffer overflow in res_pjsip_messaging (Closes: #931980)
+ * AST-2019-003 / CVE-2019-13161
+ Remote Crash Vulnerability in chan_sip (Closes: #931981)
+ * d/gbp.conf: Update for Buster branch
+
+ -- Bernhard Schmidt <berni@debian.org> Tue, 20 Aug 2019 22:31:36 +0200
+
asterisk (1:16.2.1~dfsg-1) unstable; urgency=medium
* New upstream version 16.2.1~dfsg
diff -Nru asterisk-16.2.1~dfsg/debian/gbp.conf asterisk-16.2.1~dfsg/debian/gbp.conf
--- asterisk-16.2.1~dfsg/debian/gbp.conf 2019-03-07 23:13:24.000000000 +0100
+++ asterisk-16.2.1~dfsg/debian/gbp.conf 2019-08-20 22:31:33.000000000 +0200
@@ -4,3 +4,4 @@
pristine-tar = True
sign-tags = True
filter = .gitignore
+debian-branch = buster
diff -Nru asterisk-16.2.1~dfsg/debian/patches/AST-2019-002.patch asterisk-16.2.1~dfsg/debian/patches/AST-2019-002.patch
--- asterisk-16.2.1~dfsg/debian/patches/AST-2019-002.patch 1970-01-01 01:00:00.000000000 +0100
+++ asterisk-16.2.1~dfsg/debian/patches/AST-2019-002.patch 2019-08-20 22:31:33.000000000 +0200
@@ -0,0 +1,40 @@
+From 785bf3a755e47d92caef110e6040295764d08127 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Wed, 12 Jun 2019 12:03:04 -0600
+Subject: [PATCH] res_pjsip_messaging: Check for body in in-dialog message
+
+We now check that a body exists and it has a length > 0 before
+attempting to process it.
+
+ASTERISK-28447
+Reported-by: Gil Richard
+
+Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
+---
+ res/res_pjsip_messaging.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
+index 0e10a8f047..930cf84a53 100644
+--- a/res/res_pjsip_messaging.c
++++ b/res/res_pjsip_messaging.c
+@@ -90,10 +90,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data *
+ static const pj_str_t text = { "text", 4};
+ static const pj_str_t application = { "application", 11};
+
++ if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) {
++ return res;
++ }
++
+ /* We'll accept any text/ or application/ content type */
+- if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
+- && (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
+- || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) {
++ if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
++ || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) {
+ res = PJSIP_SC_OK;
+ } else if (rdata->msg_info.ctype
+ && (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0
+--
+2.21.0
+
diff -Nru asterisk-16.2.1~dfsg/debian/patches/AST-2019-003.patch asterisk-16.2.1~dfsg/debian/patches/AST-2019-003.patch
--- asterisk-16.2.1~dfsg/debian/patches/AST-2019-003.patch 1970-01-01 01:00:00.000000000 +0100
+++ asterisk-16.2.1~dfsg/debian/patches/AST-2019-003.patch 2019-08-20 22:31:33.000000000 +0200
@@ -0,0 +1,39 @@
+From 1e4df0215af4f192ed06a7fc7589c799f1ec6091 Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano@messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 898b646..a609ff8 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -10965,7 +10965,13 @@
+ ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ }
+
+- if (portno != -1 || vportno != -1 || tportno != -1) {
++ /* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
++ * video is not being transported, thus we continue in this function further up if that is
++ * the case. If we receive an SDP answer containing both a UDPTL stream and another media
++ * stream however we need to check again to ensure that there is at least one joint codec
++ * instead of assuming there is one.
++ */
++ if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ /* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ they are acceptable */
+ unsigned int framing;
diff -Nru asterisk-16.2.1~dfsg/debian/patches/series asterisk-16.2.1~dfsg/debian/patches/series
--- asterisk-16.2.1~dfsg/debian/patches/series 2019-03-07 23:13:24.000000000 +0100
+++ asterisk-16.2.1~dfsg/debian/patches/series 2019-08-20 22:31:33.000000000 +0200
@@ -32,3 +32,8 @@
build-reproducibly
autoreconf-pjproject
+
+# AST-2019-002 / CVE-2019-12827
+AST-2019-002.patch
+# AST-2019-003 / CVE-2019-13161
+AST-2019-003.patch
--- End Message ---