Network Management SPAM Rejected

***ALERT******ALERT******ALERT******ALERT******ALERT***
If you have received this message, your email has been marked 
SPAM by NETMAN.COM.
The message has not been forwarded on to the intended user.  
We do NOT ALLOW unsolicited emailing on this domain.  

Please remove this email address from your lists.

If your email was NOT unsolicited, please contact the Email 
user for further options.  You can also check the HEADER of 
the message to see if your mail server is listed on our  
Relay Black Lists.  We use SPAMCOP, RELAYS.VISI.COM and  
ORDB.ORG.  You should see an X-HEADER (see below) with the 
relay list that listed your server.  Contact the relay list 
provider for further removal instructions.

Network Management, Inc.



Original Message:
Received: from SMTP32-FWD by sbnets.com
  (SMTP32) id AB05CA8CE0080182A; Sat, 18 Nov 2006 19:18:13 -0600
Received: from master.debian.org [70.103.162.29] by mail.netman.com with ESMTP
  (SMTPD32-8.15) id A05CA8CE0080; Sat, 18 Nov 2006 19:16:12 -0600
Received: from qa by master.debian.org with local (Exim 4.50)
        id 1GlbI2-0000qe-9z
        for [EMAIL PROTECTED]; Sun, 19 Nov 2006 01:16:10 +0000
Received: from spohr.debian.org ([140.211.166.43]) by master.debian.org
 with esmtp (Exim 4.50) id 1Glalp-0006CP-Rn for
 [EMAIL PROTECTED]; Sun, 19 Nov 2006 00:42:54 +0000
Received: from debbugs by spohr.debian.org with local (Exim 4.50) id
 1GlacL-0003h6-6l; Sat, 18 Nov 2006 16:33:05 -0800
X-Loop: [EMAIL PROTECTED]
Subject: Bug#395080: CVE-2006-5445: Denial of service in chan_sip
Reply-To: Ben Hutchings <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Resent-From: Ben Hutchings <[EMAIL PROTECTED]>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Debian VoIP Team <[EMAIL PROTECTED]>
Resent-Date: Sun, 19 Nov 2006 00:33:04 +0000
Resent-Message-Id: <[EMAIL PROTECTED]>
X-Debian-PR-Message: report 395080
X-Debian-PR-Package: asterisk
X-Debian-PR-Keywords: security
X-Debian-PR-Source: asterisk
Received: via spool by [EMAIL PROTECTED]
 id=B395080.116389617328043 (code B ref 395080); Sun, 19 Nov 2006 00:33:04
 +0000
Received: (at 395080) by bugs.debian.org; 19 Nov 2006 00:29:33 +0000
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]) by
 spohr.debian.org with esmtp (Exim 4.50) id 1GlaYv-0007HP-4C for
 [EMAIL PROTECTED]; Sat, 18 Nov 2006 16:29:33 -0800
Received: from [192.168.4.138] (helo=deadeye.i.decadentplace.org.uk) by
 shadbolt.decadent.org.uk with esmtp (Exim 4.50) id 1GlaYl-0008N4-Kp for
 [EMAIL PROTECTED]; Sun, 19 Nov 2006 00:29:29 +0000
Received: from womble by deadeye.i.decadentplace.org.uk with local (Exim
 4.63) (envelope-from <[EMAIL PROTECTED]>) id 1GlaYx-0008Sz-D0 for
 [EMAIL PROTECTED]; Sun, 19 Nov 2006 00:29:35 +0000
From: Ben Hutchings <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="=-P2fnCnnG9WVR+A50K/+E"
Date: Sun, 19 Nov 2006 00:29:35 +0000
Message-Id: <[EMAIL PROTECTED]>
MIME-Version: 1.0
X-Mailer: Evolution 2.6.3
X-Sa-Exim-Connect-Ip: 192.168.4.138
X-Sa-Exim-Mail-From: [EMAIL PROTECTED]
X-Sa-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
X-Sa-Exim-Scanned: Yes (on shadbolt.decadent.org.uk)
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
 version=2.60-bugs.debian.org_2005_01_02
Resent-Sender: Debian BTS <[EMAIL PROTECTED]>
Resent-Date: Sat, 18 Nov 2006 16:33:05 -0800
Delivered-To: [EMAIL PROTECTED]
Precedence: list
X-Loop: [EMAIL PROTECTED]
X-PTS-Package: asterisk
X-PTS-Keyword: bts
X-Unsubscribe: echo 'unsubscribe asterisk' | mail [EMAIL PROTECTED]
X-IMAIL-SPAM-DNSBL: (SpamCop,b05ca8ce0080182a,127.0.0.2)


--=-P2fnCnnG9WVR+A50K/+E
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

The fix for CVE-2006-5445 in the 1.2 branch appears to be:
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=45306&r2=45380

There's no corresponding fix in the 1.0 branch.

Here's my attempt at backporting it.  This is untested, since I don't
run Asterisk myself.

The initialisation of the SIP context (sip_pvt) is a bit different in
1.0 and I've copied what looks like the corresponding code from
sip_alloc() into transmit_response_using_temp().  I added a call to
build_contact() because __send_response() indirectly uses the
our_contact member.

In 1.0 there's no validation of commands before the call to find_call() and
there's no sip_method array.  Therefore I wrote string comparisons
against all the commands that are allowed to create a new SIP context
based on the flags in the 1.2 code, minus "PUBLISH" because that isn't
supported at all (I'm not sure this is correct; we may end up sending
the wrong error message).

Ben.

--- asterisk-1.0.7.dfsg.1/channels/chan_sip.c.orig      2006-11-18 
20:25:43.0000=
00000 +0000
+++ asterisk-1.0.7.dfsg.1/channels/chan_sip.c   2006-11-18 23:22:41.000000000=
 +0000
@@ -557,6 +557,7 @@
 static struct ast_ha *localaddr;
=20
 static struct ast_frame  *sip_read(struct ast_channel *ast);
+static int transmit_response_using_temp(char *callid, struct sockaddr_in *=
sin, int useglobal_nat, struct sip_request *req, char *msg);
 static int transmit_response(struct sip_pvt *p, char *msg, struct sip_requ=
est *req);
 static int transmit_response_with_sdp(struct sip_pvt *p, char *msg, struct=
 sip_request *req, int retrans);
 static int transmit_response_with_auth(struct sip_pvt *p, char *msg, struc=
t sip_request *req, char *rand, int reliable, char *header);
@@ -2364,7 +2365,7 @@
        char *callid;
        char tmp[256] =3D "";
        char iabuf[INET_ADDRSTRLEN];
-       char *cmd;
+       const char *cmd =3D req->rlPart1;
        char *tag =3D "", *c;
=20
        callid =3D get_header(req, "Call-ID");
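Review bot: cmd is now initialised from req->rlPart1 at its declaration, and nothing in this function checks it for NULL before the strcasecmp() calls that follow. The code this replaces (removed in the next hunk) derived the command from req->header[0], so please confirm that rlPart1 is already populated by the time find_call() runs in the 1.0 tree. If it is not, either keep the header[0] parsing or add a NULL guard before the first comparison.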
@@ -2378,11 +2379,6 @@
                   SIP implementations, and thus Asterisk does not enable this 
behavior
                   by default. Short version: You'll need this option to 
support confere=
ncing
                   on the pingtel */
-               strncpy(tmp, req->header[0], sizeof(tmp) - 1);
-               cmd =3D tmp;
-               c =3D strchr(tmp, ' ');
-               if (c)
-                       *c =3D '\0';
                if (!strcasecmp(cmd, "SIP/2.0"))
                        strncpy(tmp, get_header(req, "To"), sizeof(tmp) - 1);
                else
@@ -2414,9 +2410,19 @@
                p =3D p->next;
        }
        ast_mutex_unlock(&iflock);
-       p =3D sip_alloc(callid, sin, 1);
-       if (p)
-               ast_mutex_lock(&p->lock);
+
+       if (strcasecmp(cmd, "REGISTER")
+           && strcasecmp(cmd, "OPTIONS")
+           && strcasecmp(cmd, "INVITE")
+           && strcasecmp(cmd, "SUBSCRIBE")
+           && strcasecmp(cmd, "MESSAGE")) {
+               if (strcasecmp(cmd, "RESPONSE"))
+                       transmit_response_using_temp(callid, sin, 1, req, "481 
Call leg/transac=
tion does not exist");
+       } else {
+               p =3D sip_alloc(callid, sin, 1);
+               if (p)
+                       ast_mutex_lock(&p->lock);
+       }
        return p;
 }
=20
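Review bot: the inner test strcasecmp(cmd, "RESPONSE") will not recognise a SIP response, because earlier in this same function a response is identified by cmd comparing equal to "SIP/2.0". As written, a response carrying an unknown Call-ID fails all five method comparisons, also fails to match "RESPONSE", and so has a 481 sent back to it, which means answering a response with a response. Suggest testing strcasecmp(cmd, "SIP/2.0") at that point so responses are dropped silently and only unmatched requests get the 481.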
@@ -3218,6 +3224,45 @@
        return send_response(p, &resp, reliable, seqno);
 }
=20
+/*--- transmit_response_using_temp: Transmit response, no retransmits, usi=
ng temporary pvt */
+static int transmit_response_using_temp(char *callid, struct sockaddr_in *=
sin, int useglobal_nat, struct sip_request *req, char *msg)
+{
+       struct sip_pvt *p =3D alloca(sizeof(*p));
+       char iabuf[INET_ADDRSTRLEN];
+
+       memset(p, 0, sizeof(*p));
+
+       if (sin) {
+               memcpy(&p->sa, sin, sizeof(p->sa));
+               if (ast_sip_ouraddrfor(&p->sa.sin_addr, &p->ourip))
+                       memcpy(&p->ourip, &__ourip, sizeof(p->ourip));
+       } else
+               memcpy(&p->ourip, &__ourip, sizeof(p->ourip));
+       p->branch =3D rand();
+       p->tag =3D rand();
+       p->ocseq =3D 101;
+
+       if (useglobal_nat && sin) {
+               /* Setup NAT structure according to global settings if we have 
an addres=
s */
+               p->nat =3D global_nat;
+               memcpy(&p->recv, sin, sizeof(p->recv));
+       }
+
+       strncpy(p->fromdomain, default_fromdomain, sizeof(p->fromdomain) - 1);
+       /* z9hG4bK is a magic cookie.  See RFC 3261 section 8.1.1.7 */
+       if (p->nat !=3D SIP_NAT_NEVER)
+               snprintf(p->via, sizeof(p->via), "SIP/2.0/UDP 
%s:%d;branch=3Dz9hG4bK%08x=
;rport", ast_inet_ntoa(iabuf, sizeof(iabuf), p->ourip), ourport, p->branch)=
;
+       else
+               snprintf(p->via, sizeof(p->via), "SIP/2.0/UDP 
%s:%d;branch=3Dz9hG4bK%08x=
", ast_inet_ntoa(iabuf, sizeof(iabuf), p->ourip), ourport, p->branch);
+       strncpy(p->callid, callid, sizeof(p->callid) - 1);
+
+       build_contact(p);
+
+       __transmit_response(p, msg, req, 0);
+
+       return 0;
+}
+
 /*--- transmit_response: Transmit response, no retransmits */
 static int transmit_response(struct sip_pvt *p, char *msg, struct sip_requ=
est *req)=20
 {
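Review bot: transmit_response_using_temp() returns 0 unconditionally and discards the result of __transmit_response(), so a failed send is invisible to the caller; suggest ending the function with return __transmit_response(p, msg, req, 0); instead. Separately, the temporary sip_pvt is only zeroed with memset() and has a handful of members filled in, and p->lock is never initialised here, so it is worth checking that nothing reached from build_contact() or __transmit_response() takes that lock or relies on other members that sip_alloc() would have set up.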
-- END --

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.

--=-P2fnCnnG9WVR+A50K/+E
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBFX6Vv79ZNCRIGYgcRAsZeAJ4lC0tX3UdP2HVf4jlti+PpIti1tQCbB/2m
m7IYohGCKFNDQ5/XwXNga3w=
=CLSC
-----END PGP SIGNATURE-----

--=-P2fnCnnG9WVR+A50K/+E--




