Your message dated Mon, 07 May 2007 16:36:40 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#421994: fixed in yate 1.2.0-1.dfsg-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: yate
Version: 1.0.0-1.dfsg-2
Tags: security patch upstream pending
Severity: grave
Yate 1.0.0-1.dfsg-2 in Debian stable and 1.1.0-1.dfsg-1 in testing and
unstable contain a denial of service vulnerability.
The patch applied by upstream to CVS and released in yate 1.2.0 can be
found as an attachment. The patch applies successfully to both yate
1.0.0 and yate 1.1.0.
yate 1.2.0-1.dfsg-1 is available in pkg-voip svn. It has been tested on
x86, but not built by Buildserver.NET yet.
Thanks,
Mikael
-------- Original Message --------
Subject: Radware Security Advisory - Yate 1.1.0 Denial of Service Vulnerability
Date: Tue, 1 May 2007 20:52:51 +0300
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Newsgroups: gmane.comp.security.bugtraq, gmane.comp.security.full-disclosure, gmane.comp.voip.security.voipsa
Yate 1.1.0 Denial of Service Vulnerability
Risk: Medium
Background:
Yate (Yet Another Telephony Engine) is a production-ready
next-generation telephony engine.
More information about this application could be obtained from the
following site:
http://yate.null.ro/
Description:
The SIP channel module of Yate contains a denial of service vulnerability, introduced by a null pointer dereference, which could be provoked by having the SIP module process SIP messages containing the "Call-Info" header without the "purpose" parameter as part of its value.
The flaw can be seen in the following source code snippet:
File: yate/modules/ysipchan.cpp
Lines: 1585 - 1594
1: const SIPHeaderLine* hl = m_tr->initialMessage()->getHeader("Call-Info");
2: if (hl) {
3:     const NamedString* type = hl->getParam("purpose");
4:     if (!type || *type == "info")
5:         m->addParam("caller_info_uri",*type);
6:     else if (*type == "icon")
7:         m->addParam("caller_icon_uri",*type);
8:     else if (*type == "card")
9:         m->addParam("caller_card_uri",*type);
10: }
Once the "Call-Info" header is found in the SIP message (line 1), there is an attempt to extract the "purpose" parameter (line 3).
Afterwards, a decision is made to set the "caller_info_uri" parameter (line 5) to the value of the "Call-Info" header, though due to a programming error, instead of assigning the parameter the header value, it is assigned the value of the "purpose" parameter - allowing for a null pointer dereference when the call to getParam() (line 3) returns 0 in case of a missing "purpose" parameter.
Analysis:
Exploiting this vulnerability could allow for denial of service to Yate and disruption of the VoIP infrastructure.
By default no authentication is required to exploit this vulnerability, allowing for spoofed UDP SIP messages to trigger the flaw.
Radware DefensePro IPS Solution:
Radware DefensePro customers are protected against this vulnerability since the release of signature database version 0006.0030.00 by RWID's 7334, 7338 and 7342.
Detection:
Radware Security Operations Center has confirmed the existence of this vulnerability in Yate 1.1.0.
Previous versions are also suspected to be vulnerable.
Workaround:
A workaround for this vulnerability is currently not known.
Vendor Response:
The maintainers of Yate addressed this vulnerability with the release of
Yate 1.2.0.
CVE Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-1693 to this issue.
Disclosure Timeline:
March 25, 2007 - Initial vendor notification
March 25, 2007 - Initial vendor response
March 26, 2007 - Vendor fixes flaw in CVS
April 16, 2007 - Vendor releases fixed version
April 30, 2007 - Attack database release
May 1, 2007 - Advisory release
Credit:
Yuri Gushin, Radware Security Operations Center
Legal Information:
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Mon Mar 26 13:00:29 CEST 2007 paulc
* [yate @ 2007-03-26 11:00:29 by paulc]
Fixed Call-Info parsing bug found by Yuri Gushin from Radware Inc.
diff -rN -u old-upstream/modules/ysipchan.cpp new-upstream/modules/ysipchan.cpp
--- old-upstream/modules/ysipchan.cpp 2007-05-02 19:23:11.000000000 +0200
+++ new-upstream/modules/ysipchan.cpp 2007-05-02 19:23:12.000000000 +0200
@@ -1656,11 +1656,11 @@
if (hl) {
const NamedString* type = hl->getParam("purpose");
if (!type || *type == "info")
- m->addParam("caller_info_uri",*type);
+ m->addParam("caller_info_uri",*hl);
else if (*type == "icon")
- m->addParam("caller_icon_uri",*type);
+ m->addParam("caller_icon_uri",*hl);
else if (*type == "card")
- m->addParam("caller_card_uri",*type);
+ m->addParam("caller_card_uri",*hl);
}
if (line) {
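Review bot: only the first replaced line closes the null dereference; with `type` null, the `!type` short-circuit takes the `caller_info_uri` branch and `*type` was evaluated there, whereas the `icon` and `card` branches are only reached once `type` is non-null. Switching those two branches to `*hl` is therefore a behaviour correction (store the header value rather than the purpose string) and not part of the crash fix, which is worth stating in the changelog entry, which currently only says "Fixed Call-Info parsing bug". A purpose value other than info, icon or card still sets nothing, silently, which also merits a comment above the `if (hl)` block.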
--- End Message ---
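To make the advisory's description concrete, here is an added example (not Yate's code and not part of the original advisory or bug report) that models the Call-Info handling in a self-contained way: a small parser for a header value such as `<uri>;purpose=icon`, a `getParam` that returns a null pointer for an absent parameter exactly as the advisory describes, a predicate that reports when the original `*type` would have been evaluated on that null pointer, and the mapping as corrected by the upstream patch (storing the header value, never `*type`). The `CallInfo` struct, `parseCallInfo`, `wouldDereferenceNull` and the sample header values are hypothetical constructions for this example; Yate's real `SIPHeaderLine` and `NamedString` types are not reproduced.

```cpp
// Added example modelling the Call-Info bug described in the advisory.
// Not Yate's code: CallInfo, parseCallInfo and wouldDereferenceNull are
// hypothetical helpers written for this illustration.
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <utility>

// Parsed form of one Call-Info header value, e.g.
//   <http://example.invalid/photo.png>;purpose=icon
struct CallInfo {
    std::string value;                          // URI part of the header value
    std::map<std::string, std::string> params;  // ";name=value" parameters
};

static std::string trim(const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Split "<uri>;p1=v1;p2" into the URI and its parameters (a bare
// parameter name without '=' is stored with an empty value).
CallInfo parseCallInfo(const std::string& raw) {
    CallInfo ci;
    std::size_t semi = raw.find(';');
    ci.value = trim(raw.substr(0, semi));  // substr(0, npos) takes the whole string
    while (semi != std::string::npos) {
        std::size_t next = raw.find(';', semi + 1);
        std::size_t len = (next == std::string::npos) ? std::string::npos : next - semi - 1;
        std::string param = trim(raw.substr(semi + 1, len));
        std::size_t eq = param.find('=');
        if (eq == std::string::npos)
            ci.params[param] = "";
        else
            ci.params[trim(param.substr(0, eq))] = trim(param.substr(eq + 1));
        semi = next;
    }
    return ci;
}

// Mirrors the getParam() contract in the advisory: null when absent.
const std::string* getParam(const CallInfo& ci, const std::string& name) {
    auto it = ci.params.find(name);
    return it == ci.params.end() ? nullptr : &it->second;
}

// The original code evaluated *type inside the "!type || *type == info"
// branch, so a header with no purpose parameter reached that branch with
// type == null. This predicate reports whether that would have happened.
bool wouldDereferenceNull(const CallInfo& ci) {
    return getParam(ci, "purpose") == nullptr;
}

// Mapping as corrected by the upstream patch: the stored value is the
// header (*hl in the patch), and *type is only read once type is non-null.
// Returns {parameter name, value}; an unknown purpose sets nothing.
std::pair<std::string, std::string> mapCallInfo(const CallInfo& ci) {
    const std::string* type = getParam(ci, "purpose");
    if (!type || *type == "info")
        return {"caller_info_uri", ci.value};
    if (*type == "icon")
        return {"caller_icon_uri", ci.value};
    if (*type == "card")
        return {"caller_card_uri", ci.value};
    return {"", ""};
}

int main() {
    // Constructed sample header values, not captured traffic.
    const char* samples[] = {
        "<http://example.invalid/photo.png>;purpose=icon",
        "<http://example.invalid/info.html>",  // no purpose: the crash case
    };
    for (const char* s : samples) {
        CallInfo ci = parseCallInfo(s);
        std::pair<std::string, std::string> kv = mapCallInfo(ci);
        std::cout << s << "\n  old code dereferences null: "
                  << (wouldDereferenceNull(ci) ? "yes" : "no")
                  << "\n  fixed code sets " << kv.first << " = " << kv.second << "\n";
    }
    return 0;
}
```

The second sample is the shape the advisory describes: a Call-Info header whose value carries no `purpose` parameter. The predicate shows that the pre-patch logic would have taken the `caller_info_uri` branch with a null `type`, while the corrected mapping handles it by falling back to the header value, which is the behaviour the upstream diff above restores.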
--- Begin Message ---
Source: yate
Source-Version: 1.2.0-1.dfsg-1
We believe that the bug you reported is fixed in the latest version of
yate, which is due to be installed in the Debian FTP archive:
libyate1.2.0_1.2.0-1.dfsg-1_i386.deb
to pool/main/y/yate/libyate1.2.0_1.2.0-1.dfsg-1_i386.deb
yate-alsa_1.2.0-1.dfsg-1_i386.deb
to pool/main/y/yate/yate-alsa_1.2.0-1.dfsg-1_i386.deb
yate-dev_1.2.0-1.dfsg-1_i386.deb
to pool/main/y/yate/yate-dev_1.2.0-1.dfsg-1_i386.deb
yate-doc_1.2.0-1.dfsg-1_all.deb
to pool/main/y/yate/yate-doc_1.2.0-1.dfsg-1_all.deb
yate-gtk2_1.2.0-1.dfsg-1_i386.deb
to pool/main/y/yate/yate-gtk2_1.2.0-1.dfsg-1_i386.deb
yate-mysql_1.2.0-1.dfsg-1_i386.deb
to pool/main/y/yate/yate-mysql_1.2.0-1.dfsg-1_i386.deb
yate-openh323_1.2.0-1.dfsg-1_i386.deb
to pool/main/y/yate/yate-openh323_1.2.0-1.dfsg-1_i386.deb
yate-pgsql_1.2.0-1.dfsg-1_i386.deb
to pool/main/y/yate/yate-pgsql_1.2.0-1.dfsg-1_i386.deb
yate_1.2.0-1.dfsg-1.diff.gz
to pool/main/y/yate/yate_1.2.0-1.dfsg-1.diff.gz
yate_1.2.0-1.dfsg-1.dsc
to pool/main/y/yate/yate_1.2.0-1.dfsg-1.dsc
yate_1.2.0-1.dfsg-1_i386.deb
to pool/main/y/yate/yate_1.2.0-1.dfsg-1_i386.deb
yate_1.2.0-1.dfsg.orig.tar.gz
to pool/main/y/yate/yate_1.2.0-1.dfsg.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Purcell <[EMAIL PROTECTED]> (supplier of updated yate package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 02 May 2007 21:06:13 +0100
Source: yate
Binary: yate-pgsql libyate1.2.0 yate-dev yate-mysql yate-alsa yate yate-doc
yate-gtk2 yate-openh323
Architecture: source i386 all
Version: 1.2.0-1.dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[EMAIL PROTECTED]>
Changed-By: Mark Purcell <[EMAIL PROTECTED]>
Description:
libyate1.2.0 - Shared library for YATE
yate - Yet Another Telephony Engine (YATE)
yate-alsa - ALSA module for yate
yate-dev - Development files for YATE
yate-doc - Documentation for yate
yate-gtk2 - YATE and GTK+ 2 based universal telephony client
yate-mysql - MySQL support module for yate
yate-openh323 - OpenH323 module for YATE
yate-pgsql - Postgresql module for yate
Closes: 419455 421994
Changes:
yate (1.2.0-1.dfsg-1) unstable; urgency=high
.
[ Mikael Magnusson ]
* New upstream release
* MD5 patch applied by upstream.
* osschan patch applied by upstream.
* yate: Add yjinglechan, ystunchan and speexcodec modules.
* zaptel.h moved to /usr/include/zaptel (Closes: #419455)
.
[ Mark Purcell ]
* Urgency high as this addresses DoS vulnerability
- CVE-2007-1693 [Fwd: Radware Security Advisory - Yate 1.1.0 Denial of Service Vulnerability] (Closes: #421994)
* Cleanup debian/patches and add zaptel-headers.dpatch
Files:
ec9a5ad11b1acdf0105ac5874311ff57 1190 comm optional yate_1.2.0-1.dfsg-1.dsc
54bc9606a7dcbf40ef18929ad710018f 1211277 comm optional
yate_1.2.0-1.dfsg.orig.tar.gz
08347ac77cf0f78a35dab35ccd0b60d6 9177 comm optional yate_1.2.0-1.dfsg-1.diff.gz
cbdc9c1c7afe8ddb10b1a39f2b25ecf2 198160 doc optional
yate-doc_1.2.0-1.dfsg-1_all.deb
a83b902626208495f58ce1833fc63aa4 633258 comm optional
yate_1.2.0-1.dfsg-1_i386.deb
e0547f83acddc68fdf70874afccc893a 146292 libs optional
libyate1.2.0_1.2.0-1.dfsg-1_i386.deb
d9383b046c021bf4f20f837695e6c9e8 54092 libdevel optional
yate-dev_1.2.0-1.dfsg-1_i386.deb
9860c5a8b7cbed7fd35a4a0d9af1faf9 18704 comm optional
yate-pgsql_1.2.0-1.dfsg-1_i386.deb
064e1d2a5e55ae6dde6c9a48e93dfb7f 80578 comm optional
yate-openh323_1.2.0-1.dfsg-1_i386.deb
bf18b412aac495342af7f2096feb4137 268450 comm optional
yate-gtk2_1.2.0-1.dfsg-1_i386.deb
1baa3c1e07a3a46978544180ed32fadb 23090 comm optional
yate-alsa_1.2.0-1.dfsg-1_i386.deb
ceb5bc95da4acd9a81104ec7ce3cfda7 18476 comm optional
yate-mysql_1.2.0-1.dfsg-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGOO/loCzanz0IthIRAp96AJ4mVWvhJWeyCcEsCBq7IcTFedF45gCfTZU1
IYMt/TTvBkNM3Xf20zvTGHI=
=FMnC
-----END PGP SIGNATURE-----
--- End Message ---