SECURITY update for 1.4 versions (doesn't affect OpenBSD before 4.2);

fixes an overflow in IMAP voicemail storage reachable by anyone who can send email to a VM box accessed from the phone. AST-2007-022, found by sprintf audit. ok ian@
2007-10-11 08:05:18 +00:00 · 2007-10-11 08:05:18 +00:00 · b22c11a7a4
commit b22c11a7a4
parent 260d23a739
3 changed files with 12 additions and 23 deletions
--- a/telephony/asterisk/Makefile
+++ b/telephony/asterisk/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.24 2007/10/04 11:25:44 sthen Exp $
+# $OpenBSD: Makefile,v 1.25 2007/10/11 08:05:18 sthen Exp $

 SHARED_ONLY=		Yes
 COMMENT-main=		open source multi-protocol PBX and telephony toolkit

-V=			1.4.12
-DISTNAME=		asterisk-${V}
+V=			1.4.13
+DISTNAME=		asterisk-$V
 FULLPKGNAME-main=	${DISTNAME}

 CATEGORIES=		telephony
@ -25,7 +25,8 @@ WANTLIB-main=		c crypto m pthread ssl stdc++ termcap z

 LIB_DEPENDS-main=	popt::devel/popt

-MASTER_SITES=		http://downloads.digium.com/pub/telephony/asterisk/
+MASTER_SITES=		http://downloads.digium.com/pub/telephony/asterisk/ \
+			http://downloads.digium.com/pub/telephony/asterisk/old-releases/

 USE_GMAKE=		Yes
 USE_LIBTOOL=		Yes
@ -165,8 +166,8 @@ CONFIGURE_ARGS+=        --with-gnutls=${LOCALBASE} \
 .endif

 .for i in ${MULTI_PACKAGES:S/-main//}
-FULLPKGNAME${i}=	asterisk${i}-${V}
-RUN_DEPENDS${i}=	:asterisk-${V}:telephony/asterisk
+FULLPKGNAME$i=		asterisk$i-$V
+RUN_DEPENDS$i=		:asterisk-$V:telephony/asterisk
 .endfor

 MAKE_ENV=		ASTCFLAGS="${CFLAGS}" \
--- a/telephony/asterisk/distinfo
+++ b/telephony/asterisk/distinfo
@ -1,5 +1,5 @@
-MD5 (asterisk-1.4.12.tar.gz) = 8qyYuTILl6dAmoBTFeffGQ==
-RMD160 (asterisk-1.4.12.tar.gz) = 6XWkdRodgSuVN/5o5CrBUFlyilE=
-SHA1 (asterisk-1.4.12.tar.gz) = vOZNgFfnUBxtNbSGnvdivYvDBtM=
-SHA256 (asterisk-1.4.12.tar.gz) = ge8nGAMWAQIc5rqzwf5pj7AH5jjOe1oY5RBxJFFnEY8=
-SIZE (asterisk-1.4.12.tar.gz) = 11255703
+MD5 (asterisk-1.4.13.tar.gz) = SbcxFIMcIcyXhNOz9Ptb7A==
+RMD160 (asterisk-1.4.13.tar.gz) = bgImiL18CnrthNbOffaiaS6PFDg=
+SHA1 (asterisk-1.4.13.tar.gz) = dsB9y8Ob937z3m66XTRaHyLR3BY=
+SHA256 (asterisk-1.4.13.tar.gz) = C+ovYSx7brz7l8d9RzpFAYo+ES5WEP9/q4NWG+exlEk=
+SIZE (asterisk-1.4.13.tar.gz) = 11257579
--- a/telephony/asterisk/patches/patch-main_db_c
+++ b/telephony/asterisk/patches/patch-main_db_c
@ -1,12 +0,0 @@
-$OpenBSD: patch-main_db_c,v 1.1 2007/09/05 22:42:52 sthen Exp $
--- main/db.c.orig	Wed Jun 13 13:17:50 2007
-+++ main/db.c	Wed Jun 13 13:17:51 2007
-@@ -63,7 +63,7 @@ AST_MUTEX_DEFINE_STATIC(dblock);
- static int dbinit(void) 
- {
- 	if (!astdb && !(astdb = dbopen((char *)ast_config_AST_DB, O_CREAT | O_RDWR, 0664, DB_BTREE, NULL))) {
-		ast_log(LOG_WARNING, "Unable to open Asterisk database\n");
-+		ast_log(LOG_WARNING, "Unable to open Asterisk database %s\n", ast_config_AST_DB);
- 		return -1;
- 	}
- 	return 0;