AST-2012-014: crashes due to large stack allocations in TCP;
affects remote unauthenticated SIP *over TCP* and remote authenticated
XMPP/HTTP connections.
AST-2012-015: DoS through resource consumption by exploiting device
state caching; exploitable if anonymous calls are permitted.
- while there, revise pbx_spool.c kevent timeout fix; rather than
clamping the timestamp, in the particular problem situation we hit
the loop (where dirlist is empty), pass in NULL rather than
INT_MAX-timenow similar to what's done in the inotify case.
- Fix channel reference leak in ChanSpy.
- dsp.c: Fix multiple issues when no-interdigit delay is present,
and fast DTMF 50ms/50ms.
- Fix bug where final queue member would not be removed from memory.
- Fix memory leak when CEL is successfully written to PostgreSQL database.
- Fix DUNDi message routing bug when neighboring peer is unreachable.
- If using ConfBridge, note that the dialplan arguments have changed.
- If using the built-in HTTP server, note that a bindaddr must now be given,
previously the default was 0.0.0.0 but this must now be given explicitly.
- Internal database now uses SQLite3 not BDB, conversion tools are provided.
See share/doc/asterisk/UPGRADE.txt for more.
- RTP port exhaustion (DoS) if an endpoint responds to SIP INVITEs with
provisional responses but never sends a final response.
- double free with simultaneous access to a single voicemail account.
AST-2012-007, AST-2012-008 fixed in the short-lived 1.8.12.1 release:
* A remotely exploitable crash vulnerability exists in the IAX2 channel
driver if an established call is placed on hold without a suggested music
class. Asterisk will attempt to use an invalid pointer to the music
on hold class name, potentially causing a crash.
* A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
Channel driver. When an SCCP client closes its connection to the server,
a pointer in a structure is set to NULL. If the client was not in the
on-hook state at the time the connection was closed, this pointer is later
dereferenced. This allows remote authenticated connections the ability to
cause a crash in the server, denying services to legitimate users.
Also from 1.8.12.2
* Resolve crash in subscribing for MWI notifications.
ASTOBJ_UNREF sets the variable to NULL after unreffing it, so the
variable should definitely not be used after that. To solve this in
the two cases that affect subscribing for MWI notifications, we
instead save the ref locally, and unref them in the error
conditions.
use and possible uninitialized var use, some memory leaks, a couple of
possible deadlocks and other issues.
While there, enable the http post module (done as a subpackage to
avoid pulling gmime/glib2 into the main package) and WANTLIB cleanup.
AEL dialplan users should see UPGRADE.txt for information about
changes to inheritance of the 'h' extension.
* A permission escalation vulnerability in Asterisk Manager Interface. This
would potentially allow remote authenticated users the ability to execute
commands on the system shell with the privileges of the user running the
Asterisk application.
* A heap overflow vulnerability in the Skinny Channel driver. The keypad
button message event failed to check the length of a fixed length buffer
before appending a received digit to the end of that buffer. A remote
authenticated user could send sufficient keypad button message events that
the buffer would be overrun.
* A remote crash vulnerability in the SIP channel driver when processing UPDATE
requests. If a SIP UPDATE request was received indicating a connected line
update after a channel was terminated but before the final destruction of the
associated SIP dialog, Asterisk would attempt a connected line update on a
non-existing channel, causing a crash.
- crash in app_voicemail
- resource leak in SIP TCP/TLS
- ACK routing for non-2xx responses
- buffer overrun/memory leak in 'sip show peers' (race when adding peers whilst displaying)
- various locking problems
AST-2012-002: stack buffer overflow (remote unauthenticated sessions).
requires a dialplan using the Milliwatt application with the 'o' option,
and internal_timing off. Affects all 1.4+ Asterisk versions.
AST-2012-003: stack buffer overflow (remote unauth'd sessions) in HTTP
manager interface; triggered by long digest authentication strings.
Code injection possibility. Affects 1.8+.
- includes the iLBC codec which now has a free copyright license; patent
licensing has a "no litigation" clause (see codecs/ilbc/LICENSE_ADDENDUM)
so mark as not permitted for CDs
configurations with video disabled and the sRTP module loaded.
Funnily enough this didn't affect the port until about an hour
ago when sRTP was enabled.
AST-2011-008: If a remote user sends a SIP packet containing a null,
Asterisk assumes available data extends past the null to the
end of the packet when the buffer is actually truncated when
copied. This causes SIP header parsing to modify data past
the end of the buffer altering unrelated memory structures.
This vulnerability does not affect TCP/TLS connections.
-- Resolved in 1.6.2.18.1 and 1.8.4.3
AST-2011-009: A remote user sending a SIP packet containing a Contact header
with a missing left angle bracket (<) causes Asterisk to
access a null pointer.
-- Resolved in 1.8.4.3
AST-2011-010: A memory address was inadvertently transmitted over the
network via IAX2 via an option control frame and the remote party would try
to access it.
-- Resolved in 1.4.41.1, 1.6.2.18.1, and 1.8.4.3
- Fix compliance with RFC 3261 section 18.2.2. (aka Cisco phone fix)
- Resolve a change in IPv6 header parsing due to the Cisco phone fix issue.
- Resolve potential crash when using SIP TLS support.
- Improve reliability when using SIP TLS.
- AST-2011-006, shell access via remote authenticated manager
sessions (logged-in manager users can execute shell commands via
the manager interface without having the "system" privilege that
should be required)
- AST-2011-005, DoS with remote unauthenticated sessions (add limits
to prevent unauthenticated users from tying up all available FDs for
the manager interface, SIP-over-TCP, Skinny and the built in HTTP
server).
(updating by way of upstream patch file, the full tar.gz isn't
available yet).
"Due to a failed merge, Asterisk 1.8.2.1 which should have included
the security fix did not. Asterisk 1.8.2.2 contains the the changes
which should have been included in Asterisk 1.8.2.1." ok ajacoutot@
when forming an outgoing SIP request while in pedantic mode, which
can cause a stack buffer to be made to overflow if supplied with
carefully crafted caller ID information"
http://downloads.asterisk.org/pub/security/AST-2011-001.html
This is also a major version update to the long-term support
1.8 branch, previous versions of this diff have been tested by
various ports@ readers, thanks for testing.
Please review /usr/local/share/doc/asterisk/UPGRADE.txt
(also note that memory use has increased).
ok ajacoutot@ jasper@
