asterisk-16.x: bump to 16.10.0

Patches refreshed, no longer needed patches are dropped. This adds directory "/usr/share/asterisk/firmware/iax" to silence a run-time warning. Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2020-05-14 21:46:29 +02:00 · 2020-05-14 21:46:29 +02:00 · 54d0fb32eb
commit 54d0fb32eb
parent 80d0fbd405
8 changed files with 9 additions and 146 deletions
--- a/net/asterisk-16.x/Makefile
+++ b/net/asterisk-16.x/Makefile
@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 AST_MAJOR_VERSION:=16
 PKG_NAME:=asterisk$(AST_MAJOR_VERSION)
-PKG_VERSION:=$(AST_MAJOR_VERSION).6.1
+PKG_VERSION:=$(AST_MAJOR_VERSION).10.0
-PKG_RELEASE:=4
+PKG_RELEASE:=1
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases
-PKG_HASH:=9a028b4e3e608c1b8325671a249183adc00e1b29a95d82cb5e6fb35980aef053
+PKG_HASH:=8733f137b4b4e01d90bb796fa41d992e656b4cf1c28d2d7e81863a6839975702
 PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=libxml2/host
@ -496,9 +496,10 @@ $(call Package/$(PKG_NAME)/install/sbin,$(1),safe_asterisk)
 $(call Package/$(PKG_NAME)/install/sbin,$(1),astgenkey)
 $(foreach m,$(AST_CFG_FILES),$(call Package/$(PKG_NAME)/install/conffile,$(1),$(m));)
 $(foreach m,$(AST_EMB_MODULES),$(call Package/$(PKG_NAME)/install/module,$(1),$(m));)
 	$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/usr/share/asterisk/firmware/iax
 	$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds
 	$(INSTALL_BIN) ./files/asterisk.init $(1)/etc/init.d/asterisk
 	$(INSTALL_CONF) ./files/asterisk.conf $(1)/etc/config/asterisk
 endef
--- a/net/asterisk-16.x/patches/001-disable-semaphores-on-uclibc-otherwise-allow.patch
+++ b/net/asterisk-16.x/patches/001-disable-semaphores-on-uclibc-otherwise-allow.patch
@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1033,15 +1033,18 @@ AC_LINK_IFELSE(
+@@ -1031,15 +1031,18 @@ AC_LINK_IFELSE(
 # Some platforms define sem_init(), but only support sem_open(). joyous.
 AC_MSG_CHECKING(for working unnamed semaphores)
--- a/net/asterisk-16.x/patches/002-configure-fix-detection-of-re-entrant-resolver-funct.patch
+++ b/net/asterisk-16.x/patches/002-configure-fix-detection-of-re-entrant-resolver-funct.patch
@ -18,7 +18,7 @@ Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1427,7 +1427,11 @@ AC_LINK_IFELSE(
+@@ -1425,7 +1425,11 @@ AC_LINK_IFELSE(
 			#include <arpa/nameser.h>
 			#endif
 			#include <resolv.h>],
--- a/net/asterisk-16.x/patches/056-fix-check_expr2-build.patch
+++ b/net/asterisk-16.x/patches/056-fix-check_expr2-build.patch
@ -1,19 +0,0 @@
 --- a/utils/Makefile
 +++ b/utils/Makefile
@@ -180,14 +180,13 @@ conf2ael: conf2ael.o ast_expr2f.o ast_ex
 check_expr2: $(ASTTOPDIR)/main/ast_expr2f.c $(ASTTOPDIR)/main/ast_expr2.c $(ASTTOPDIR)/main/ast_expr2.h astmm.o
 	$(ECHO_PREFIX) echo "   [CC] ast_expr2f.c -> ast_expr2fz.o"
 -	$(CC) -g -c -I$(ASTTOPDIR)/include -DSTANDALONE $(ASTTOPDIR)/main/ast_expr2f.c -o ast_expr2fz.o
 +	$(CC) -g -c -I$(ASTTOPDIR)/include $(_ASTCFLAGS) $(ASTTOPDIR)/main/ast_expr2f.c -o ast_expr2fz.o
 	$(ECHO_PREFIX) echo "   [CC] ast_expr2.c -> ast_expr2z.o"
 -	$(CC) -g -c -I$(ASTTOPDIR)/include -DSTANDALONE2 $(ASTTOPDIR)/main/ast_expr2.c -o ast_expr2z.o
 +	$(CC) -g -c -I$(ASTTOPDIR)/include $(_ASTCFLAGS) -DSTANDALONE2 $(ASTTOPDIR)/main/ast_expr2.c -o ast_expr2z.o
 	$(ECHO_PREFIX) echo "   [LD] ast_expr2fz.o ast_expr2z.o  -> check_expr2"
 	$(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o astmm.o -lm $(_ASTLDFLAGS)
 	$(ECHO_PREFIX) echo "   [RM] ast_expr2fz.o ast_expr2z.o"
 	rm ast_expr2z.o ast_expr2fz.o
 -	./check_expr2 expr2.testinput
 smsq: smsq.o strcompat.o
 smsq: LIBS+=$(POPT_LIB)
--- a/net/asterisk-16.x/patches/100-build-reproducibly.patch
+++ b/net/asterisk-16.x/patches/100-build-reproducibly.patch
@ -17,7 +17,7 @@
  * build.h
 --- a/Makefile
 +++ b/Makefile
-@@ -484,7 +484,7 @@ doc/core-en_US.xml: makeopts .lastclean
+@@ -488,7 +488,7 @@ doc/core-en_US.xml: makeopts .lastclean
 	@echo "<docs xmlns:xi=\"http://www.w3.org/2001/XInclude\">" >> $@
 	@for x in $(MOD_SUBDIRS); do \
 		printf "$$x " ; \
--- a/net/asterisk-16.x/patches/130-eventfd.patch
+++ b/net/asterisk-16.x/patches/130-eventfd.patch
@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1206,7 +1206,7 @@ if test "${ac_cv_have_variable_fdset}x"
+@@ -1204,7 +1204,7 @@ if test "${ac_cv_have_variable_fdset}x"
 fi
 AC_MSG_CHECKING([if we have usable eventfd support])
--- a/net/asterisk-16.x/patches/AST-2019-006-16.diff
+++ b/net/asterisk-16.x/patches/AST-2019-006-16.diff
@ -1,73 +0,0 @@
 From 8cdaa93e658a46e7baf6b606468b5e2c88a0133b Mon Sep 17 00:00:00 2001
 From: Ben Ford <bford@digium.com>
 Date: Mon, 21 Oct 2019 14:55:06 -0500
 Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request.
 If the name of a peer is known and a SIP request is sent using that
 peer's name, the address of the peer will change even if the request
 fails the authentication challenge. This means that an endpoint can
 be altered and even rendered unusuable, even if it was in a working
 state previously. This can only occur when the nat option is set to the
 default, or auto_force_rport.
 This change checks the result of authentication first to ensure it is
 successful before setting the address and the nat option.
 ASTERISK-28589 #close
 Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df
 ---
 diff --git a/channels/chan_sip.c b/channels/chan_sip.c
 index 6ac2e61..4d79a47 100644
 --- a/channels/chan_sip.c
 +++ b/channels/chan_sip.c
@@ -19245,18 +19245,6 @@
 		bogus_peer = NULL;
 	}
 -	/*  build_peer, called through sip_find_peer, is not able to check the
 -	 *  sip_pvt->natdetected flag in order to determine if the peer is behind
 -	 *  NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
 -	 *  are set on the peer.  So we check for that here and set the peer's
 -	 *  address accordingly.
 -	 */
 -	set_peer_nat(p, peer);
 -
 -	if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
 -		ast_sockaddr_copy(&peer->addr, &p->recv);
 -	}
 -
 	if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
 		ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
 		sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
@@ -19325,6 +19313,21 @@
 		ast_string_field_set(p, peermd5secret, NULL);
 	}
 	if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
 +
 +		/* build_peer, called through sip_find_peer, is not able to check the
 +		 * sip_pvt->natdetected flag in order to determine if the peer is behind
 +		 * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
 +		 * are set on the peer. So we check for that here and set the peer's
 +		 * address accordingly. The address should ONLY be set once we are sure
 +		 * authentication was a success. If, for example, an INVITE was sent that
 +		 * matched the peer name but failed the authentication check, the address
 +		 * would be updated, which is bad.
 +		 */
 +		set_peer_nat(p, peer);
 +		if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
 +			ast_sockaddr_copy(&peer->addr, &p->recv);
 +		}
 +
 		/* If we have a call limit, set flag */
 		if (peer->call_limit)
 			ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
@@ -19424,6 +19427,7 @@
 		}
 	}
 	sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
 +
 	return res;
 }
--- a/net/asterisk-16.x/patches/AST-2019-007-16.diff
+++ b/net/asterisk-16.x/patches/AST-2019-007-16.diff
@ -1,46 +0,0 @@
 From 7574be5110e049a44b8c8ead52cd1c2a5d442afa Mon Sep 17 00:00:00 2001
 From: George Joseph <gjoseph@digium.com>
 Date: Thu, 24 Oct 2019 11:41:23 -0600
 Subject: [PATCH] manager.c:  Prevent the Originate action from running the Originate app
 If an AMI user without the "system" authorization calls the
 Originate AMI command with the Originate application,
 the second Originate could run the "System" command.
 Action: Originate
 Channel: Local/1111
 Application: Originate
 Data: Local/2222,app,System,touch /tmp/owned
 If the "system" authorization isn't set, we now block the
 Originate app as well as the System, Exec, etc. apps.
 ASTERISK-28580
 Reported by: Eliel Sardañons
 Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
 ---
 diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
 new file mode 100644
 index 0000000..f2d3133
 --- /dev/null
 +++ b/doc/UPGRADE-staging/AMI-Originate.txt
@@ -0,0 +1,5 @@
 +Subject: AMI
 +
 +The AMI Originate action, which optionally takes a dialplan application as
 +an argument, no longer accepts "Originate" as the application due to
 +security concerns.
 diff --git a/main/manager.c b/main/manager.c
 index f138801..1963151 100644
 --- a/main/manager.c
 +++ b/main/manager.c
@@ -5744,6 +5744,7 @@
 				                                     EAGI(/bin/rm,-rf /)       */
 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
 				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
 +				strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
 				)) {