14.7.7 13 Jun 2018 09:45
Update for 14.7.7
AST-2018-008: enumeration of endpoints from ACL rejected addresses.
When endpoint specific ACL rules block a SIP request they respond with a
403 Forbidden. However, if an endpoint is not identified then a 401
Unauthorized response is sent. This vulnerability just discloses which
requests hit a defined endpoint. The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.
Made endpoint specific ACL rules now respond with a 401 Unauthorized
which is the same as if an endpoint were not identified. The is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.
14.7.6 23 Feb 2018 06:25
AST-2018-003: Crash with an invalid SDP fmtp attribute
Pjproject's fmtp retrieval function failed to catch invalid fmtp attributes.
Because of this Asterisk would crash if given an SDP with an invalid fmtp.
When retrieving the format this patch now makes sure the fmtp attribute is
available. If not available it now returns an error status.
AST-2018-002: Crash with an invalid SDP media format description
Pjproject's media format parsing algorithm failed to catch invalid values.
Because of this Asterisk would crash if given an SDP with an invalid media.
When parsing the media format description this patch now properly parses the
value and returns an error status if it can't successfully parse/convert the
value.
AST-2018-005: res_pjsip_transport_management: Move to core
Since res_pjsip_transport_management provides several attack
mitigation features, its functionality moved to res_pjsip and
this module has been removed. This way the features will always
be available if res_pjsip is loaded.
AST-2018-005: tdata leaks when calling pjsip_endpt_send_response(2).
authenticate() creates a tdata and uses it to send a challenge or
failure response. When pjsip_endpt_send_response2() succeeds, it
automatically decrements the tdata ref count but when it fails, it
doesn't. Since we weren't checking for a return status, we weren't
decrementing the count ourselves on error and were therefore leaking
session_reinvite_on_rx_request wasn't decrementing the ref count
if an error happened while sending a 491 response.
pre_session_setup wasn't decrementing the ref count if
while sending an error after a pjsip_inv_verify_request failure.
ast_sip_send_response wasn't decrementing the ref count on error.
AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request
It was discovered that there are some corner cases where a pjsip tsx
might have no last_tx so calling ast_sip_failover_request with
14.7.5 24 Dec 2017 06:45
AST-2017-014: res_pjsip - Missing contact header can cause crash
Those SIP messages that create dialogs require a contact header to be present.
If the contact header was missing from the message it could cause Asterisk to
This patch checks to make sure SIP messages that create a dialog contain the
contact header. If the message does not and it is required Asterisk now returns
a "400 Missing Contact header" response. Also added NULL checks when retrieving
the contact header that were missing as a "just in case".
14.7.4 15 Dec 2017 06:05
AST-2017-012: Place single RTCP report block at beginning of report.
When the RTCP code was transitioned over to Stasis a code change
was made to keep track of how many reports are present. This count
controlled where report blocks were placed in the RTCP report.
If a compound RTCP packet was received this logic would incorrectly
place a report block in the wrong location resulting in a write
to an invalid location.
This change removes this counting logic and always places the report
block at the first position. If in the future multiple reports are
supported the logic can be extended but for now keeping a count
serves no purpose.
14.7.3 03 Dec 2017 12:25
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end
chan_skinny creates a new thread for each new session. In trying
to be a good cleanup citizen, the threads are joinable and the
unload_module function does a pthread_cancel() and a pthread_join()
on any sessions that are active at that time. This has an
unintended side effect though. Since you can call pthread_join on a
thread that's already terminated, pthreads keeps the thread's
storage around until you explicitly call pthread_join (or
pthread_detach()). Since only the module_unload function was
calling pthread_join, and even then only on the ones active at the
time, the storage for every thread/session ever created sticks
around until asterisk exits.
A thread can detach itself so the session_destroy() function
now calls pthread_detach() just before it frees the session
memory allocation. The module_unload function still takes care
of the ones that are still active should the module be unloaded.
14.7.2 18 Nov 2017 00:05
res_pjsip: Add to list of valid characters for from_user.
a regression where some characters were unable to be used in
the from_user field of an endpoint. Additionally, the backtick was
removed from the list of valid characters, since it is not valid,
and it was replaced with a single quote, which is a valid character.
res_pjsip_registrar.c: AOR and pjproject group deadlock.
One of the patches for ASTERISK_27147 introduced a deadlock regression.
When the connection oriented transport shut down, the code attempted to
remove the associated contact. However, that same transport had just
requested a registration that we hadn't responded to yet. Depending
upon timing we could deadlock.
Made send the REGISTER response after we completed processing the
request contacts and released the AOR lock to avoid the deadlock.
14.7.1 09 Nov 2017 14:25
AST-2017-009: pjproject: Add validation of numeric header values
Parsing the numeric header fields like cseq, ttl, port, etc. all
had the potential to overflow, either causing unintended values to
be captured or, if the values were subsequently converted back to
strings, a buffer overrun. To address this, new "strto" functions
have been created that do range checking and those functions are
used wherever possible in the parser.
Created pjlib/include/limits.h and pjlib/include/compat/limits.h
to either include the system limits.h or define common numeric
limits if there is no system limits.h.
Created strto*_validate functions in sip_parser that take bounds
and on failure call the on_str_parse_error function which prints
an error message and calls PJ_THROW.
Updated sip_parser to validate the numeric fields.
an in sip_transport that prevented error messages
from being properly displayed.
Added "volatile" to some variables referenced in PJ_CATCH blocks
as the optimizer was sometimes optimizing them away.
Length calculation in sip_transaction/create_tsx_key_2543
to account for signed ints being 11 characters, not 9.
AST-2017-011 - res_pjsip_session: session leak when a call is rejected.
A previous commit made it so when an invite session transitioned into a
disconnected state destruction of the Asterisk pjsip session object was
postponed until either a transport error occurred or the event timer
expired. However, if a call was rejected (for instance a 488) before the
session was fully established the event timer may not have been initiated,
or it was canceled without triggering either of the session finalizing states.
Really the only time destruction of the session should be delayed is when a
BYE is being transacted. This is because it's possible in some cases for the
session to be disconnected, but the BYE is still transacting.
This patch makes it so the session object always gets released (no more
memory leak) when the pjsip session is in a dis
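The range-checked numeric parsing described in the AST-2017-009 entry above, as an added example that is not pjproject's code. The names `parse_uint_bounded` and `decimal_width` are hypothetical, the input is length-delimited rather than NUL-terminated, and a 32-bit `int` is assumed for the 11-character width.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Parse len bytes of decimal digits (length-delimited, not NUL-terminated)
 * into *out, accepting only values in min..max.
 * Returns 0 on success, -1 on a bad character or out-of-range value. */
int parse_uint_bounded(const char *s, size_t len, unsigned long min,
                       unsigned long max, unsigned long *out)
{
    unsigned long v = 0;
    size_t i;

    if (s == NULL || out == NULL || len == 0)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned long digit;

        if (s[i] < '0' || s[i] > '9')
            return -1;
        digit = (unsigned long)(s[i] - '0');
        /* Reject before v * 10 + digit can exceed max or wrap. */
        if (digit > max || v > (max - digit) / 10)
            return -1;
        v = v * 10 + digit;
    }
    if (v < min)
        return -1;
    *out = v;
    return 0;
}

/* Characters needed to print v in decimal, sign included, no NUL. */
int decimal_width(int v)
{
    return snprintf(NULL, 0, "%d", v);
}

int main(void)
{
    unsigned long port = 0;

    /* Constructed inputs: a valid port and one just past the 16-bit range. */
    printf("5060 -> %d\n", parse_uint_bounded("5060", 4, 0, 65535, &port));
    printf("65536 -> %d\n", parse_uint_bounded("65536", 5, 0, 65535, &port));
    printf("width of INT_MIN = %d\n", decimal_width(INT_MIN));
    return 0;
}
```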
14.6.2 20 Sep 2017 18:05
AST-2017-008: Improve RTP and RTCP packet processing.
Validate RTCP packets before processing them.
Validate that the received packet is of a minimum length and apply the
RFC3550 RTCP packet validation checks.
Potentially reading garbage beyond the received RTCP record data.
rtp->themssrc only being set once when the remote could change
the SSRC. We would effectively stop handling the RTCP statistic records.
rtp->themssrc to not treat a zero value as special by adding
rtp->themssrc_valid to indicate if rtp->themssrc is available.
strict RTP learning from always accepting the first new address
packet as the new stream.
Strict RTP to initialize the expected sequence number with the
last received sequence number instead of the last transmitted sequence
The predicted next sequence number calculation in
rtp_learning_rtp_seq_update() to handle overflow.
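The minimum-length and RFC 3550 (Appendix A.2) header checks named in the AST-2017-008 entry above, as an added example that is not Asterisk's code. The function name, the 8-byte minimum and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTCP_PT_SR   200
#define RTCP_PT_RR   201
#define RTCP_HDR_LEN 4   /* V/P/count, packet type, 16-bit length */
#define RTCP_MIN_LEN 8   /* assumed minimum: header plus sender SSRC */

/* Constructed samples: RR+BYE compound, RR claiming 32 bytes, leading BYE. */
static const uint8_t ok_compound[] = {0x80, 201, 0, 1, 0, 0, 0, 1,
                                      0x81, 203, 0, 1, 0, 0, 0, 1};
static const uint8_t overlong_rr[] = {0x80, 201, 0, 7, 0, 0, 0, 1};
static const uint8_t bye_first[]   = {0x81, 203, 0, 1, 0, 0, 0, 1};

/* Returns 0 if buf passes the RFC 3550 A.2 header checks, -1 otherwise. */
int rtcp_compound_is_valid(const uint8_t *buf, size_t len)
{
    size_t pos = 0;

    if (buf == NULL || len < RTCP_MIN_LEN)
        return -1;
    /* First packet: version 2, padding bit clear, type SR or RR. */
    if ((buf[0] >> 6) != 2 || (buf[0] & 0x20) != 0)
        return -1;
    if (buf[1] != RTCP_PT_SR && buf[1] != RTCP_PT_RR)
        return -1;
    /* Walk each packet; the length fields must add up to exactly len. */
    while (pos < len) {
        size_t pkt_len;

        if (len - pos < RTCP_HDR_LEN || (buf[pos] >> 6) != 2)
            return -1;
        /* The length field counts 32-bit words minus one. */
        pkt_len = ((((size_t)buf[pos + 2] << 8) | buf[pos + 3]) + 1) * 4;
        if (pkt_len > len - pos)
            return -1;   /* header claims more data than was received */
        pos += pkt_len;
    }
    return 0;
}

int main(void)
{
    printf("compound=%d overlong=%d bye_first=%d\n",
           rtcp_compound_is_valid(ok_compound, sizeof(ok_compound)),
           rtcp_compound_is_valid(overlong_rr, sizeof(overlong_rr)),
           rtcp_compound_is_valid(bye_first, sizeof(bye_first)));
    return 0;
}
```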
14.6.1 02 Sep 2017 06:45
pjsip_message_ip_updater: handling "tel" URIs
sanitize_tdata was assuming all URIs were SIP URIs so when a non
SIP uri was in the From, To or Contact headers, the unconditional
cast of a non-pjsip_sip_uri structure to pjsip_sip_uri caused
a segfault when trying to access uri->other_param.
Added PJSIP_URI_SCHEME_IS_SIP(uri) PJSIP_URI_SCHEME_IS_SIPS(uri)
checks before attempting to cast or use the returned uri.
AST-2017-006: app_minivm application MinivmNotify command injection
An admin can configure app_minivm with an externnotify program to be run
when a voicemail is received. The app_minivm application MinivmNotify
uses ast_safe_system() for this purpose which is vulnerable to command
injection since the Caller-ID name and number values given to externnotify
can come from an external untrusted source.
Add ast_safe_execvp() function. This gives modules the ability to run
external commands with greater safety compared to ast_safe_system().
Specifically when some parameters are filled by untrusted sources the new
function does not allow malicious input to break argument encoding. This
may be of particular concern where CALLERID(name) or CALLERID(num) may be
used as a parameter to a script run by ast_safe_system() which could
potentially allow arbitrary command execution.
Changed app_minivm.c:run_externnotify() to use the new ast_safe_execvp()
instead of ast_safe_system() to avoid command injection.
Document code injection potential from untrusted data sources for other
shell commands that are under user control.
res_rtp_asterisk: Only learn a new source in learn state.
This change moves the logic which learns a new source address
for RTP so it only occurs in the learning state. The learning
state is entered on initial allocation of RTP or if we are
told that the remote address for the media has changed. While
in the learning state if we continue to receive media from
the original source we restart the learning process. It is
only once we receive a sufficien
14.4.1 21 May 2017 12:25
AST-2017-003: Handle zero-length body parts correctly.
AST-2017-004: chan_skinny: Add EOF check in skinny_session
The while(1) loop in skinny_session wasn't checking for EOF so
a packet that was longer than a header but still truncated
would spin the while loop infinitely. Not only does this
permanently tie up a thread and drive a core to 100% utilization,
the call of ast_log() in such a tight loop eats all available
Added poll with timeout to top of read loop.
AST-2017-002: Ensure transaction key buffer is large enough.
14.3.1 06 Apr 2017 06:45
CDR: Protect from data overflow in ast_cdr_setuserfield.
ast_cdr_setuserfield wrote to a length field using strcpy. This could
result in a buffer overrun when called from chan_sip or func_cdr. This patch
adds a maximum bytes written to the field by using ast_copy_string instead.
14.2.1 09 Dec 2016 23:45
Update for 14.2.1
chan_sip: Do not allow non-SP/HTAB between header key and colon.
RFC says SIP headers look like:
HCOLON = *( SP / HTAB ) ":" SWS
SWS = [LWS] ; sep whitespace
LWS = [*WSP CRLF] 1*WSP ; linear whitespace
WSP = SP / HTAB ; from rfc2234
chan_sip implemented this:
HCOLON = *( LOWCTL / SP ) ":" SWS
LOWCTL = %x00-1F ; CTL without DEL
This discrepancy meant that SIP proxies in front of Asterisk with
chan_sip could pass on unknown headers with \x00-\x1F in them, which
would be treated by Asterisk as a different (known) header. For
example, the "To\x01:" header would gladly be forwarded by some proxies
as irrelevant, but chan_sip would treat it as the relevant "To:" header.
Those relying on a SIP proxy to scrub certain headers could mistakenly
get unexpected and unvalidated data fed to Asterisk.
This change so chan_sip only considers SP/HTAB as valid tokens
before the colon, making it agree on the headers with other speakers of
SIP.
res_format_attr_opus: crash when fmtp contains spaces.
When an opus offer or answer was received that contained an
fmtp line with spaces between the attributes the module would
fail to properly parse it and crash due to recursion.
This change makes the module handle the space properly and
also removes the recursion requirement.
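The chan_sip header-name discrepancy described in the 14.2.1 entry above, shown as an added example that is not chan_sip's code: one matcher with a lenient mode (control bytes tolerated before the colon) and a strict mode (SP/HTAB only). The function names and the sample header line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Length of the header name at the start of line, or -1 if the line does
 * not begin with "name HCOLON".
 * strict=1: RFC 3261 grammar, only SP/HTAB may sit between name and ':'.
 * strict=0: the old chan_sip behaviour described above, where control
 *           bytes are skipped as well (NUL cannot appear in a C string). */
static int header_name_len(const char *line, int strict)
{
    size_t n = 0, i;

    while ((unsigned char)line[n] > 0x20 && line[n] != ':')
        n++;
    if (n == 0)
        return -1;
    for (i = n; line[i] != '\0' && line[i] != ':'; i++) {
        unsigned char c = (unsigned char)line[i];

        if (strict ? (c != ' ' && c != '\t') : (c > 0x20))
            return -1;
    }
    return line[i] == ':' ? (int)n : -1;
}

/* 1 if line carries the header called name under the chosen grammar. */
int header_is(const char *line, const char *name, int strict)
{
    int n = header_name_len(line, strict);

    return n >= 0 && (size_t)n == strlen(name) &&
           strncasecmp(line, name, (size_t)n) == 0;
}

int main(void)
{
    /* Constructed sample: a header name followed by a 0x01 byte. */
    const char *odd = "To\x01: <sip:alice@example.invalid>";

    printf("lenient=%d strict=%d\n",
           header_is(odd, "To", 0), header_is(odd, "To", 1));
    return 0;
}
```

A proxy and the server behind it agree on which headers a message carries only when both use the strict grammar.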
14.1.2 12 Nov 2016 10:05
Revert "chan_sip: lastrtprx always updated"
This reverts commit 93332cb1d0eea18021ea6538237297e627d6e2fc.
Unfortunately, the aforementioned commit caused a regression (incoming calls
would eventually disconnect). Thus it is being removed.
14.1.1 03 Nov 2016 19:25
app_voicemail: Clear voice mailbox in MailboxExists and MAILBOX_EXISTS.
When executing the MailboxExists dialplan application and
MAILBOX_EXISTS dialplan function the passed in temporary voice
mailbox was not cleared, causing it to try to free garbage.
14.0.2 04 Oct 2016 03:15
Release summaries: Remove previous versions
version: Update for 14.0.2.
lastclean: Update for 14.0.2.
realtime: Add database scripts for 14.0.2.
logger: Output early verbose messages to console.
Verbose messages should be printed to the console if the sublevel is
less than option_verbose. This ensures the welcome message with
copyright and license are printed at daemon and interactive rasterisk
startup.
Remove "format_ogg_opus: New format".
This reverts commit 40aa28131bc30b4516da2b20eb1a1e043920169c.
download_externals: with re-install.
Needed to ignore an xmlstarlet return code for optional element.
14.0.0 26 Sep 2016 20:45
asterisk 14.0.0 Released.