Commits on Source (2)
asterisk (1:16.2.1~dfsg-2) unstable; urgency=high
* AST-2019-002 / CVE-2019-12827
Buffer overflow in res_pjsip_messaging (Closes: #931980)
* AST-2019-003 / CVE-2019-13161
Remote Crash Vulnerability in chan_sip (Closes: #931981)
-- Bernhard Schmidt <berni@debian.org> Sat, 13 Jul 2019 23:47:36 +0200
asterisk (1:16.2.1~dfsg-1) unstable; urgency=medium
* New upstream version 16.2.1~dfsg
......
From 785bf3a755e47d92caef110e6040295764d08127 Mon Sep 17 00:00:00 2001
From: George Joseph <gjoseph@digium.com>
Date: Wed, 12 Jun 2019 12:03:04 -0600
Subject: [PATCH] res_pjsip_messaging: Check for body in in-dialog message
We now check that a body exists and it has a length > 0 before
attempting to process it.
ASTERISK-28447
Reported-by: Gil Richard
Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
---
res/res_pjsip_messaging.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
index 0e10a8f047..930cf84a53 100644
--- a/res/res_pjsip_messaging.c
+++ b/res/res_pjsip_messaging.c
@@ -90,10 +90,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data *
static const pj_str_t text = { "text", 4};
static const pj_str_t application = { "application", 11};
+ if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) {
+ return res;
+ }
+
/* We'll accept any text/ or application/ content type */
- if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
- && (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
- || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) {
+ if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
+ || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) {
res = PJSIP_SC_OK;
} else if (rdata->msg_info.ctype
&& (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0
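Review bot: the new guard at the top of check_content_type_in_dialog() returns `res` before the `else if (rdata->msg_info.ctype ...)` branch is reached, so a request with no body (or a zero-length one) can no longer be accepted on the strength of its Content-Type header, which the old condition allowed by falling through. If that is intended, state it in the commit message and in a comment above the guard, and return the status code by name instead of `res`, whose initial value is not visible at this point. A local pointer to `rdata->msg_info.msg->body` would also shorten the repeated dereferences in the guard and in the condition that follows it.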
--
2.21.0
From 1e4df0215af4f192ed06a7fc7589c799f1ec6091 Mon Sep 17 00:00:00 2001
From: Francesco Castellano <francesco.castellano@messagenet.it>
Date: Fri, 28 Jun 2019 18:15:31 +0200
Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
The chan_sip module performs a T.38 re-invite using a single media
stream of udptl, and expects the SDP answer to be the same.
If an SDP answer is received instead that contains an additional
media stream with no joint codec a crash will occur as the code
assumes that at least one joint codec will exist in this
scenario.
This change removes this assumption.
ASTERISK-28465
Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
---
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 898b646..a609ff8 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -10965,7 +10965,13 @@
ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
}
- if (portno != -1 || vportno != -1 || tportno != -1) {
+ /* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
+ * video is not being transported, thus we continue in this function further up if that is
+ * the case. If we receive an SDP answer containing both a UDPTL stream and another media
+ * stream however we need to check again to ensure that there is at least one joint codec
+ * instead of assuming there is one.
+ */
+ if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
/* We are now ready to change the sip session and RTP structures with the offered codecs, since
they are acceptable */
unsigned int framing;
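Review bot: the added `&& ast_format_cap_count(newjointcapability)` makes this block skip silently when the answer carries a media port but no joint codec, and nothing in the hunk logs or rejects that case; add a debug or warning message (or an explicit else) so an operator can tell that a malformed T.38 answer was ignored and not applied. Writing the test as `ast_format_cap_count(newjointcapability) > 0` would state the intent more clearly than relying on the count's truthiness, and the comment's "we continue in this function further up" would be easier to follow if it named the check it refers to.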
......@@ -32,3 +32,8 @@ ffmpeg-includes.patch
build-reproducibly
autoreconf-pjproject
# AST-2019-002 / CVE-2019-12827
AST-2019-002.patch
# AST-2019-003 / CVE-2019-13161
AST-2019-003.patch