From ef17798ecff2e36e690bb4f771e0017681c031c6 Mon Sep 17 00:00:00 2001 From: Andre Heider Date: Sat, 29 Sep 2018 09:23:28 +0200 Subject: [PATCH 1/3] pjproject: update config_site.h Sync asterisk settings, see [0]. [0] https://github.com/asterisk/asterisk/blob/master/third-party/pjproject/patches/config_site.h Signed-off-by: Andre Heider --- libs/pjproject/Makefile | 2 +- libs/pjproject/patches/150-config_site.patch | 35 ++++++-------------- 2 files changed, 12 insertions(+), 25 deletions(-) diff --git a/libs/pjproject/Makefile b/libs/pjproject/Makefile index 2f35d72..c9dffee 100644 --- a/libs/pjproject/Makefile +++ b/libs/pjproject/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pjproject PKG_VERSION:=2.7.2 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION) diff --git a/libs/pjproject/patches/150-config_site.patch b/libs/pjproject/patches/150-config_site.patch index 5805137..7e1c897 100644 --- a/libs/pjproject/patches/150-config_site.patch +++ b/libs/pjproject/patches/150-config_site.patch @@ -1,6 +1,6 @@ --- /dev/null +++ b/pjlib/include/pj/config_site.h -@@ -0,0 +1,92 @@ +@@ -0,0 +1,79 @@ +/* + * Asterisk config_site.h + */ 
@@ -8,37 +8,16 @@ +#include + +/* -+ * Since both pjproject and asterisk source files will include config_site.h, -+ * we need to make sure that only pjproject source files include asterisk_malloc_debug.h. -+ */ -+ -+/* #if defined(MALLOC_DEBUG) && !defined(_ASTERISK_ASTMM_H) -+ * #include "asterisk_malloc_debug.h" -+ * #endif -+ */ -+ -+/* + * Defining PJMEDIA_HAS_SRTP to 0 does NOT disable Asterisk's ability to use srtp. + * It only disables the pjmedia srtp transport which Asterisk doesn't use. + * The reason for the disable is that while Asterisk works fine with older libsrtp + * versions, newer versions of pjproject won't compile with them. + */ -+ -+/* -+ * This doesn't disable SRTP completely, so we have to keep using the external -+ * libsrtp, otherwise pjsip would just build the internal one. -+ */ -+ +#define PJMEDIA_HAS_SRTP 0 + -+/* -+ * Defining PJMEDIA_HAS_WEBRTC_AEC to 0 does NOT disable Asterisk's ability to use -+ * webrtc. It only disables the pjmedia webrtc transport which Asterisk doesn't use. -+ */ -+#define PJMEDIA_HAS_WEBRTC_AEC 0 -+ +#define PJ_HAS_IPV6 1 +#define NDEBUG 1 ++ +#define PJ_MAX_HOSTNAME (256) +#define PJSIP_MAX_URL_SIZE (512) +#ifdef PJ_HAS_LINUX_EPOLL @@ -79,7 +58,7 @@ + Enabling it will result in SEGFAULTS when URIs containing escape sequences are encountered. +*/ +#undef PJSIP_UNESCAPE_IN_PLACE -+#define PJSIP_MAX_PKT_LEN 6000 ++#define PJSIP_MAX_PKT_LEN 32000 + +#undef PJ_TODO +#define PJ_TODO(x) @@ -93,3 +72,11 @@ +#define PJMEDIA_MAX_SDP_BANDW 4 +#define PJMEDIA_MAX_SDP_ATTR (PJMEDIA_MAX_SDP_FMT*2 + 4) +#define PJMEDIA_MAX_SDP_MEDIA 16 ++ ++/* ++ * Turn off the periodic sending of CRLNCRLN. Default is on (90 seconds), ++ * which conflicts with the global section's keep_alive_interval option in ++ * pjsip.conf. ++ */ ++#define PJSIP_TCP_KEEP_ALIVE_INTERVAL 0 ++#define PJSIP_TLS_KEEP_ALIVE_INTERVAL 0 From 7a9a78a3986164cfefd7dd25dba250fd59952001 Mon Sep 17 00:00:00 2001 
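Review bot: The `PJSIP_MAX_PKT_LEN` change from 6000 to 32000 in the second hunk is the one behavioural change in this file that the commit message does not explain beyond "sync asterisk settings", and it deserves a comment because the macro sizes the per-packet receive buffer pjsip allocates (if that still holds for pjproject 2.7.2, which I cannot verify from the hunk), so it trades memory per transport/rdata against tolerance for large SIP requests on small OpenWrt targets. Suggested comment above the define: `/* Upstream Asterisk value: accept large SIP requests (presumably many codecs/ICE candidates); costs this many bytes per rx buffer */`. In the third hunk, with `PJSIP_TCP_KEEP_ALIVE_INTERVAL` and `PJSIP_TLS_KEEP_ALIVE_INTERVAL` both 0, NAT bindings for TCP/TLS transports are refreshed only if `keep_alive_interval` is actually set in pjsip.conf; the added comment explains the conflict but could state that the Asterisk-side option is now the only keepalive. The first hunk's removal of `PJMEDIA_HAS_WEBRTC_AEC 0` is likewise unexplained; if it simply follows upstream, a pointer to the upstream config_site.h revision in the patch header would help the next refresh.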
From: Andre Heider Date: Thu, 27 Sep 2018 11:46:13 +0200 Subject: [PATCH 2/3] asterisk-15.x: update to 15.6.1 Update to the current 15.x release, see [0]. Drop merged patches and refresh the rest. Get rid of the unknown --without-pwlib configure switch. Drop the direct ncurses dependency, it's unused in case of an external libedit [1]. [0] http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-15-current [1] https://issues.asterisk.org/jira/browse/ASTERISK-27761 Signed-off-by: Andre Heider --- net/asterisk-15.x/Makefile | 10 +- .../001-disable-semaphores-check.patch | 2 +- .../patches/002-undef-res-ninit.patch | 2 +- .../patches/004-disable-check-for-hrirs.patch | 2 +- .../patches/056-fix-check_expr2-build.patch | 4 +- .../patches/100-build-reproducibly.patch | 2 +- .../patches/110-AST-2018-007-15.diff | 49 --------- .../patches/120-AST-2018-008-15.diff | 101 ------------------ .../patches/130-AST-2018-009-15.diff | 89 --------------- 9 files changed, 10 insertions(+), 251 deletions(-) delete mode 100644 net/asterisk-15.x/patches/110-AST-2018-007-15.diff delete mode 100644 net/asterisk-15.x/patches/120-AST-2018-008-15.diff delete mode 100644 net/asterisk-15.x/patches/130-AST-2018-009-15.diff diff --git a/net/asterisk-15.x/Makefile b/net/asterisk-15.x/Makefile index 6423997..b1d3b37 100644 --- a/net/asterisk-15.x/Makefile +++ b/net/asterisk-15.x/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=asterisk15 -PKG_VERSION:=15.3.0 -PKG_RELEASE:=4 +PKG_VERSION:=15.6.1 +PKG_RELEASE:=1 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases -PKG_HASH:=f424f89f23b72f267ff9baab82d449bebbbf00c54e54fcd06b8fca13788b012c +PKG_HASH:=9cb86585fb4efcd86423fa7586e55d9d3c74fda43a2e0b1b9c9eb3742df73155 PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION) PKG_BUILD_DEPENDS:=libxml2/host 
@@ -430,7 +430,7 @@ define Package/asterisk15 $(call Package/asterisk15/Default) TITLE:=Complete open source PBX, v$(PKG_VERSION) MENU:=1 - DEPENDS:=$(CXX_DEPENDS) +jansson +libcap +libedit +libncurses +libopenssl +libsqlite3 +libuuid +libxml2 +zlib + DEPENDS:=$(CXX_DEPENDS) +jansson +libcap +libedit +libopenssl +libsqlite3 +libuuid +libxml2 +zlib endef define Package/asterisk15/description @@ -538,7 +538,6 @@ CONFIGURE_ARGS+= \ --without-pjproject-bundled \ --with-libedit="$(STAGING_DIR)/usr" \ --with-libxml2 \ - --with-ncurses="$(STAGING_DIR)/usr" \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-snmp),--with-netsnmp="$(STAGING_DIR)/usr",--without-netsnmp) \ --without-newt \ --without-osptk \ @@ -546,7 +545,6 @@ CONFIGURE_ARGS+= \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-pgsql),--with-postgres="$(STAGING_DIR)/usr",--without-postgres) \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-util-smsq),--with-popt="$(STAGING_DIR)/usr",--without-popt) \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-chan-console),--with-portaudio="$(STAGING_DIR)/usr",--without-portaudio) \ - --without-pwlib \ --without-radius \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-fax-spandsp),--with-spandsp="$(STAGING_DIR)/usr",--without-spandsp) \ --without-sdl \ diff --git a/net/asterisk-15.x/patches/001-disable-semaphores-check.patch b/net/asterisk-15.x/patches/001-disable-semaphores-check.patch index 9b18063..64487ed 100644 --- a/net/asterisk-15.x/patches/001-disable-semaphores-check.patch +++ b/net/asterisk-15.x/patches/001-disable-semaphores-check.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -985,19 +985,6 @@ AC_LINK_IFELSE( +@@ -1048,19 +1048,6 @@ AC_LINK_IFELSE( ] ) diff --git a/net/asterisk-15.x/patches/002-undef-res-ninit.patch b/net/asterisk-15.x/patches/002-undef-res-ninit.patch index c77178d..b2f8e3a 100644 --- a/net/asterisk-15.x/patches/002-undef-res-ninit.patch +++ b/net/asterisk-15.x/patches/002-undef-res-ninit.patch @@ -1,6 +1,6 @@ --- a/configure.ac 
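Review bot: Dropping `--with-ncurses="$(STAGING_DIR)/usr"` in the second hunk leaves asterisk's configure free to autodetect ncurses from the staging dir, and because the libedit kept via `--with-libedit` presumably pulls libncurses into staging, the probe can still succeed and quietly re-create the link dependency that the DEPENDS hunk above removes. Every other optional library in this block is pinned explicitly (`--without-newt`, `--without-osptk`, ...), so pinning this one the same way keeps the build reproducible: `--without-ncurses \`. Whether asterisk 15.6.1's configure links ncurses into the daemon when found, rather than only into menuselect, is not visible from the hunk, so check the built binary's NEEDED entries before deciding. The same removal appears in the asterisk-13.x Makefile hunk later in this series and would want the same treatment.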
+++ b/configure.ac -@@ -1319,7 +1319,6 @@ AC_LINK_IFELSE( +@@ -1395,7 +1395,6 @@ AC_LINK_IFELSE( #include ], [int foo = res_ninit(NULL);])], AC_MSG_RESULT(yes) diff --git a/net/asterisk-15.x/patches/004-disable-check-for-hrirs.patch b/net/asterisk-15.x/patches/004-disable-check-for-hrirs.patch index 38a9c69..04f8b4f 100644 --- a/net/asterisk-15.x/patches/004-disable-check-for-hrirs.patch +++ b/net/asterisk-15.x/patches/004-disable-check-for-hrirs.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -2709,7 +2709,7 @@ else +@@ -2790,7 +2790,7 @@ else fi # conf_bridge (binaural rendering): check if HRIRs are available diff --git a/net/asterisk-15.x/patches/056-fix-check_expr2-build.patch b/net/asterisk-15.x/patches/056-fix-check_expr2-build.patch index bbbf42c..cc60d3f 100644 --- a/net/asterisk-15.x/patches/056-fix-check_expr2-build.patch +++ b/net/asterisk-15.x/patches/056-fix-check_expr2-build.patch @@ -1,7 +1,7 @@ --- a/utils/Makefile +++ b/utils/Makefile -@@ -182,7 +182,6 @@ check_expr2: $(ASTTOPDIR)/main/ast_expr2 - $(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o -lm +@@ -183,7 +183,6 @@ check_expr2: $(ASTTOPDIR)/main/ast_expr2 + $(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o -lm $(_ASTLDFLAGS) $(ECHO_PREFIX) echo " [RM] ast_expr2fz.o ast_expr2z.o" rm ast_expr2z.o ast_expr2fz.o - ./check_expr2 expr2.testinput diff --git a/net/asterisk-15.x/patches/100-build-reproducibly.patch b/net/asterisk-15.x/patches/100-build-reproducibly.patch index 96a49bf..9c090b7 100644 --- a/net/asterisk-15.x/patches/100-build-reproducibly.patch +++ b/net/asterisk-15.x/patches/100-build-reproducibly.patch @@ -17,7 +17,7 @@ * build.h --- a/Makefile +++ b/Makefile -@@ -479,7 +479,7 @@ doc/core-en_US.xml: makeopts .lastclean +@@ -487,7 +487,7 @@ doc/core-en_US.xml: makeopts .lastclean @echo "" >> $@ @for x in $(MOD_SUBDIRS); do \ printf "$$x " ; \ 
diff --git a/net/asterisk-15.x/patches/110-AST-2018-007-15.diff b/net/asterisk-15.x/patches/110-AST-2018-007-15.diff deleted file mode 100644 index 8f12808..0000000 --- a/net/asterisk-15.x/patches/110-AST-2018-007-15.diff +++ /dev/null @@ -1,49 +0,0 @@ -From 380b5ae0a1e4a68bfb098319a7ab86d3d34c2fcb Mon Sep 17 00:00:00 2001 -From: Sean Bright -Date: Mon, 16 Apr 2018 15:13:58 -0400 -Subject: [PATCH] AST-2018-007: iostreams potential DoS when client connection closed prematurely - -Before Asterisk sends an HTTP response (at least in the case of errors), -it attempts to read & discard the content of the request. If the client -lies about the Content-Length, or the connection is closed from the -client side before "Content-Length" bytes are sent, the request handling -thread will busy loop. - -ASTERISK-27807 - -Change-Id: I945c5fc888ed92be625b8c35039fc6d2aa89c762 ---- - -diff --git a/main/iostream.c b/main/iostream.c -index 4cddd43..20188cb 100644 ---- a/main/iostream.c -+++ b/main/iostream.c -@@ -197,11 +197,18 @@ - } - } - break; -+ case SSL_ERROR_SYSCALL: -+ /* Some non-recoverable I/O error occurred. The OpenSSL error queue may -+ * contain more information on the error. For socket I/O on Unix systems, -+ * consult errno for details. */ -+ ast_debug(1, "TLS non-recoverable I/O error occurred: %s, %s\n", ERR_error_string(sslerr, err), -+ ssl_error_to_string(sslerr, res)); -+ return -1; - default: - /* Report EOF for an undecoded SSL or transport error. */ - ast_debug(1, "TLS transport or SSL error reading data: %s, %s\n", ERR_error_string(sslerr, err), - ssl_error_to_string(sslerr, res)); -- return 0; -+ return -1; - } - if (!ms) { - /* Report EOF for a timeout */ -@@ -317,7 +324,7 @@ - - while (remaining) { - ret = ast_iostream_read(stream, buf, remaining > sizeof(buf) ? sizeof(buf) : remaining); -- if (ret < 0) { -+ if (ret <= 0) { - return ret; - } - remaining -= ret; 
diff --git a/net/asterisk-15.x/patches/120-AST-2018-008-15.diff b/net/asterisk-15.x/patches/120-AST-2018-008-15.diff deleted file mode 100644 index 2130c7d..0000000 --- a/net/asterisk-15.x/patches/120-AST-2018-008-15.diff +++ /dev/null 
@@ -1,101 +0,0 @@ -From f597032e833a4d3e8e710e5b1416ba780f002b8b Mon Sep 17 00:00:00 2001 -From: Richard Mudgett -Date: Mon, 30 Apr 2018 17:38:58 -0500 -Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses. - -When endpoint specific ACL rules block a SIP request they respond with a -403 forbidden. However, if an endpoint is not identified then a 401 -unauthorized response is sent. This vulnerability just discloses which -requests hit a defined endpoint. The ACL rules cannot be bypassed to gain -access to the disclosed endpoints. - -* Made endpoint specific ACL rules now respond with a 401 unauthorized -which is the same as if an endpoint were not identified. The fix is -accomplished by replacing the found endpoint with the artificial endpoint -which always fails authentication. - -ASTERISK-27818 - -Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32 ---- - -diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c -index 51b95a2..0af447d 100644 ---- a/res/res_pjsip/pjsip_distributor.c -+++ b/res/res_pjsip/pjsip_distributor.c -@@ -676,6 +676,26 @@ - ao2_unlock(unid); - } - -+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint); -+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint); -+ -+static void apply_acls(pjsip_rx_data *rdata) -+{ -+ struct ast_sip_endpoint *endpoint; -+ -+ /* Is the endpoint allowed with the source or contact address? */ -+ endpoint = rdata->endpt_info.mod_data[endpoint_mod.id]; -+ if (endpoint != artificial_endpoint -+ && (apply_endpoint_acl(rdata, endpoint) -+ || apply_endpoint_contact_acl(rdata, endpoint))) { -+ ast_debug(1, "Endpoint '%s' not allowed by ACL\n", -+ ast_sorcery_object_get_id(endpoint)); -+ -+ /* Replace the rdata endpoint with the artificial endpoint. 
*/ -+ ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint); -+ } -+} -+ - static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata) - { - struct ast_sip_endpoint *endpoint; -@@ -695,6 +715,7 @@ - ao2_unlink(unidentified_requests, unid); - ao2_ref(unid, -1); - } -+ apply_acls(rdata); - return PJ_FALSE; - } - -@@ -759,6 +780,8 @@ - ast_sip_report_invalid_endpoint(name, rdata); - } - } -+ -+ apply_acls(rdata); - return PJ_FALSE; - } - -@@ -842,16 +865,11 @@ - - ast_assert(endpoint != NULL); - -- if (endpoint!=artificial_endpoint) { -- if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) { -- if (!is_ack) { -- pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL); -- } -- return PJ_TRUE; -- } -+ if (is_ack) { -+ return PJ_FALSE; - } - -- if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) { -+ if (ast_sip_requires_authentication(endpoint, rdata)) { - pjsip_tx_data *tdata; - struct unidentified_request *unid; - -@@ -888,6 +906,10 @@ - return PJ_TRUE; - } - pjsip_tx_data_dec_ref(tdata); -+ } else if (endpoint == artificial_endpoint) { -+ /* Uh. Oh. The artificial endpoint couldn't challenge so block the request. */ -+ pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL); -+ return PJ_TRUE; - } - - return PJ_FALSE; - diff --git a/net/asterisk-15.x/patches/130-AST-2018-009-15.diff b/net/asterisk-15.x/patches/130-AST-2018-009-15.diff deleted file mode 100644 index b41807d..0000000 --- a/net/asterisk-15.x/patches/130-AST-2018-009-15.diff +++ /dev/null 
@@ -1,89 +0,0 @@ -From 7d964e4b2e689f0dd7353e96d1782e92f59e9be6 Mon Sep 17 00:00:00 2001 -From: Sean Bright -Date: Thu, 16 Aug 2018 11:45:53 -0400 -Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade - requests - -The HTTP request processing in res_http_websocket allocates additional -space on the stack for various headers received during an Upgrade request. -An attacker could send a specially crafted request that causes this code -to overflow the stack, resulting in a crash. - -* No longer allocate memory from the stack in a loop to parse the header -values. NOTE: There is a slight API change when using the passed in -strings as is. We now require the passed in strings to no longer have -leading or trailing whitespace. This isn't a problem as the only callers -have already done this before passing the strings to the affected -function. - -ASTERISK-28013 #close - -Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a ---- - res/res_http_websocket.c | 25 ++++++++++++++----------- - 1 file changed, 14 insertions(+), 11 deletions(-) - -diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c -index aaaba7d..e7ce830 100644 ---- a/res/res_http_websocket.c -+++ b/res/res_http_websocket.c -@@ -758,7 +758,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser) - int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers) - { - struct ast_variable *v; -- char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL; -+ const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL; -+ char *requested_protocols = NULL, *protocol = NULL; - int version = 0, flags = 1; - struct ast_websocket_protocol *protocol_handler = NULL; - struct ast_websocket *session; -@@ -777,16 
+778,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan - /* Get the minimum headers required to satisfy our needs */ - for (v = headers; v; v = v->next) { - if (!strcasecmp(v->name, "Upgrade")) { -- upgrade = ast_strip(ast_strdupa(v->value)); -+ upgrade = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) { -- key = ast_strip(ast_strdupa(v->value)); -+ key = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) { -- key1 = ast_strip(ast_strdupa(v->value)); -+ key1 = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) { -- key2 = ast_strip(ast_strdupa(v->value)); -+ key2 = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) { -- requested_protocols = ast_strip(ast_strdupa(v->value)); -- protos = ast_strdupa(requested_protocols); -+ protos = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) { - if (sscanf(v->value, "%30d", &version) != 1) { - version = 0; -@@ -800,7 +800,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan - ast_sockaddr_stringify(&ser->remote_address)); - ast_http_error(ser, 426, "Upgrade Required", NULL); - return 0; -- } else if (ast_strlen_zero(requested_protocols)) { -+ } else if (ast_strlen_zero(protos)) { - /* If there's only a single protocol registered, and the - * client doesn't specify what protocol it's using, go ahead - * and accept the connection */ -@@ -821,9 +821,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan - return 0; - } - -- /* Iterate through the requested protocols trying to find one that we have a handler for */ -- while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) { -- protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY); -+ if (!protocol_handler && protos) { -+ requested_protocols = ast_strdupa(protos); -+ /* Iterate through the requested protocols trying to find one that we have a 
handler for */ -+ while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) { -+ protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY); -+ } - } - - /* If no protocol handler exists bump this back to the requester */ --- -2.7.4 - From f6bf5395aca783f7f1b59ddbbc3659a139ceb9f9 Mon Sep 17 00:00:00 2001 From: Andre Heider Date: Fri, 28 Sep 2018 07:50:24 +0200 Subject: [PATCH 3/3] asterisk-13.x: update to 13.23.1 Update to the current 13.x release, see [0]. Drop merged patches and refresh the rest. Get rid of the unknown --without-pwlib configure switch. Drop the direct ncurses dependency, it's unused in case of an external libedit [1]. [0] http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13-current [1] https://issues.asterisk.org/jira/browse/ASTERISK-27761 Signed-off-by: Andre Heider --- net/asterisk-13.x/Makefile | 10 +- .../001-disable-semaphores-check.patch | 2 +- .../patches/002-undef-res-ninit.patch | 2 +- .../patches/050-musl-glob-compat.patch | 5 +- .../patches/052-musl-libcap.patch | 8 +- .../patches/056-fix-check_expr2-build.patch | 4 +- .../patches/100-build-reproducibly.patch | 2 +- .../patches/110-AST-2018-008-13.diff | 101 ------------------ .../patches/120-AST-2018-009-13.diff | 89 --------------- 9 files changed, 15 insertions(+), 208 deletions(-) delete mode 100644 net/asterisk-13.x/patches/110-AST-2018-008-13.diff delete mode 100644 net/asterisk-13.x/patches/120-AST-2018-009-13.diff diff --git a/net/asterisk-13.x/Makefile b/net/asterisk-13.x/Makefile index c10e571..95723ad 100644 --- a/net/asterisk-13.x/Makefile +++ b/net/asterisk-13.x/Makefile 
@@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=asterisk13 -PKG_VERSION:=13.20.0 -PKG_RELEASE:=4 +PKG_VERSION:=13.23.1 +PKG_RELEASE:=1 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases -PKG_HASH:=a3d6d953f844867ea11e0be22ee6225049cd4f5870df6ab23454623bcfbc94d5 +PKG_HASH:=c772acbfdddb9250bfe07f7e20a7efb6a79a6c123832727429486c78d44fc78c PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION) PKG_BUILD_DEPENDS:=libxml2/host @@ -425,7 +425,7 @@ define Package/asterisk13 $(call Package/asterisk13/Default) TITLE:=Complete open source PBX, v$(PKG_VERSION) MENU:=1 - DEPENDS:=$(CXX_DEPENDS) +jansson +libcap +libedit +libncurses +libopenssl +libsqlite3 +libuuid +libxml2 +zlib + DEPENDS:=$(CXX_DEPENDS) +jansson +libcap +libedit +libopenssl +libsqlite3 +libuuid +libxml2 +zlib endef define Package/asterisk13/description @@ -532,7 +532,6 @@ CONFIGURE_ARGS+= \ --without-nbs \ --with-libedit="$(STAGING_DIR)/usr" \ --with-libxml2 \ - --with-ncurses="$(STAGING_DIR)/usr" \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-snmp),--with-netsnmp="$(STAGING_DIR)/usr",--without-netsnmp) \ --without-newt \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-format-ogg-vorbis),--with-ogg="$(STAGING_DIR)/usr",--without-ogg) \ @@ -541,7 +540,6 @@ CONFIGURE_ARGS+= \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-pgsql),--with-postgres="$(STAGING_DIR)/usr",--without-postgres) \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-util-smsq),--with-popt="$(STAGING_DIR)/usr",--without-popt) \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-chan-console),--with-portaudio="$(STAGING_DIR)/usr",--without-portaudio) \ - --without-pwlib \ --without-radius \ $(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-fax-spandsp),--with-spandsp="$(STAGING_DIR)/usr",--without-spandsp) \ --without-sdl \ diff --git a/net/asterisk-13.x/patches/001-disable-semaphores-check.patch b/net/asterisk-13.x/patches/001-disable-semaphores-check.patch index fa09129..8249342 100644 
--- a/net/asterisk-13.x/patches/001-disable-semaphores-check.patch +++ b/net/asterisk-13.x/patches/001-disable-semaphores-check.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -953,19 +953,6 @@ AC_LINK_IFELSE( +@@ -1016,19 +1016,6 @@ AC_LINK_IFELSE( ] ) diff --git a/net/asterisk-13.x/patches/002-undef-res-ninit.patch b/net/asterisk-13.x/patches/002-undef-res-ninit.patch index 93d87bf..76bcb61 100644 --- a/net/asterisk-13.x/patches/002-undef-res-ninit.patch +++ b/net/asterisk-13.x/patches/002-undef-res-ninit.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -1287,7 +1287,6 @@ AC_LINK_IFELSE( +@@ -1363,7 +1363,6 @@ AC_LINK_IFELSE( #include ], [int foo = res_ninit(NULL);])], AC_MSG_RESULT(yes) diff --git a/net/asterisk-13.x/patches/050-musl-glob-compat.patch b/net/asterisk-13.x/patches/050-musl-glob-compat.patch index e7cc2b3..e7d50de 100644 --- a/net/asterisk-13.x/patches/050-musl-glob-compat.patch +++ b/net/asterisk-13.x/patches/050-musl-glob-compat.patch @@ -1,6 +1,6 @@ --- a/res/ael/ael.flex +++ b/res/ael/ael.flex -@@ -79,6 +79,12 @@ +@@ -79,6 +79,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi #if !defined(GLOB_ABORTED) #define GLOB_ABORTED GLOB_ABEND #endif @@ -13,10 +13,9 @@ #include "asterisk/logger.h" #include "asterisk/utils.h" -Only in asterisk-11.7.0: res/ael/ael.tab.o --- a/res/ael/ael_lex.c +++ b/res/ael/ael_lex.c -@@ -838,6 +838,12 @@ +@@ -838,6 +838,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi #if !defined(GLOB_ABORTED) #define GLOB_ABORTED GLOB_ABEND #endif diff --git a/net/asterisk-13.x/patches/052-musl-libcap.patch b/net/asterisk-13.x/patches/052-musl-libcap.patch index 01d2f5c..315c685 100644 --- a/net/asterisk-13.x/patches/052-musl-libcap.patch +++ b/net/asterisk-13.x/patches/052-musl-libcap.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -170,6 +170,9 @@ case "${host_os}" in +@@ -175,6 +175,9 @@ case "${host_os}" in linux-gnu*) OSARCH=linux-gnu ;; 
@@ -10,9 +10,9 @@ kfreebsd*-gnu) OSARCH=kfreebsd-gnu ;; -@@ -1411,9 +1414,11 @@ if test "${PBX_BFD}" = "0"; then - AST_EXT_LIB_CHECK([BFD], [bfd], [bfd_check_format], [bfd.h], [-ldl -liberty -lz]) - fi +@@ -1495,9 +1498,11 @@ AST_EXT_LIB_CHECK([BFD], [bfd], [bfd_ope + # openSUSE requires -lz + AST_EXT_LIB_CHECK([BFD], [bfd], [bfd_openr], [bfd.h], [-ldl -liberty -lz]) -if test "x${OSARCH}" = "xlinux-gnu" ; then +case "${OSARCH}" in diff --git a/net/asterisk-13.x/patches/056-fix-check_expr2-build.patch b/net/asterisk-13.x/patches/056-fix-check_expr2-build.patch index 71d5e31..1b6620a 100644 --- a/net/asterisk-13.x/patches/056-fix-check_expr2-build.patch +++ b/net/asterisk-13.x/patches/056-fix-check_expr2-build.patch @@ -1,7 +1,7 @@ --- a/utils/Makefile +++ b/utils/Makefile -@@ -179,7 +179,6 @@ check_expr2: $(ASTTOPDIR)/main/ast_expr2 - $(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o -lm +@@ -180,7 +180,6 @@ check_expr2: $(ASTTOPDIR)/main/ast_expr2 + $(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o -lm $(_ASTLDFLAGS) $(ECHO_PREFIX) echo " [RM] ast_expr2fz.o ast_expr2z.o" rm ast_expr2z.o ast_expr2fz.o - ./check_expr2 expr2.testinput diff --git a/net/asterisk-13.x/patches/100-build-reproducibly.patch b/net/asterisk-13.x/patches/100-build-reproducibly.patch index 6273436..dd12fd6 100644 --- a/net/asterisk-13.x/patches/100-build-reproducibly.patch +++ b/net/asterisk-13.x/patches/100-build-reproducibly.patch @@ -17,7 +17,7 @@ * build.h --- a/Makefile +++ b/Makefile -@@ -480,7 +480,7 @@ doc/core-en_US.xml: makeopts .lastclean +@@ -488,7 +488,7 @@ doc/core-en_US.xml: makeopts .lastclean @echo "" >> $@ @for x in $(MOD_SUBDIRS); do \ printf "$$x " ; \ diff --git a/net/asterisk-13.x/patches/110-AST-2018-008-13.diff b/net/asterisk-13.x/patches/110-AST-2018-008-13.diff deleted file mode 100644 index f73d86f..0000000 --- a/net/asterisk-13.x/patches/110-AST-2018-008-13.diff +++ /dev/null 
@@ -1,101 +0,0 @@ -From 4eeb16d1a316aa3d6f5710a2f6beffb0fecb6121 Mon Sep 17 00:00:00 2001 -From: Richard Mudgett -Date: Mon, 30 Apr 2018 17:38:58 -0500 -Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses. - -When endpoint specific ACL rules block a SIP request they respond with a -403 forbidden. However, if an endpoint is not identified then a 401 -unauthorized response is sent. This vulnerability just discloses which -requests hit a defined endpoint. The ACL rules cannot be bypassed to gain -access to the disclosed endpoints. - -* Made endpoint specific ACL rules now respond with a 401 unauthorized -which is the same as if an endpoint were not identified. The fix is -accomplished by replacing the found endpoint with the artificial endpoint -which always fails authentication. - -ASTERISK-27818 - -Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32 ---- - -diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c -index e056b60..19266df 100644 ---- a/res/res_pjsip/pjsip_distributor.c -+++ b/res/res_pjsip/pjsip_distributor.c -@@ -666,6 +666,26 @@ - ao2_unlock(unid); - } - -+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint); -+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint); -+ -+static void apply_acls(pjsip_rx_data *rdata) -+{ -+ struct ast_sip_endpoint *endpoint; -+ -+ /* Is the endpoint allowed with the source or contact address? */ -+ endpoint = rdata->endpt_info.mod_data[endpoint_mod.id]; -+ if (endpoint != artificial_endpoint -+ && (apply_endpoint_acl(rdata, endpoint) -+ || apply_endpoint_contact_acl(rdata, endpoint))) { -+ ast_debug(1, "Endpoint '%s' not allowed by ACL\n", -+ ast_sorcery_object_get_id(endpoint)); -+ -+ /* Replace the rdata endpoint with the artificial endpoint. 
*/ -+ ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint); -+ } -+} -+ - static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata) - { - struct ast_sip_endpoint *endpoint; -@@ -684,6 +704,7 @@ - ao2_unlink(unidentified_requests, unid); - ao2_ref(unid, -1); - } -+ apply_acls(rdata); - return PJ_FALSE; - } - -@@ -743,6 +764,8 @@ - ast_sip_report_invalid_endpoint(name, rdata); - } - } -+ -+ apply_acls(rdata); - return PJ_FALSE; - } - -@@ -826,16 +849,11 @@ - - ast_assert(endpoint != NULL); - -- if (endpoint!=artificial_endpoint) { -- if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) { -- if (!is_ack) { -- pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL); -- } -- return PJ_TRUE; -- } -+ if (is_ack) { -+ return PJ_FALSE; - } - -- if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) { -+ if (ast_sip_requires_authentication(endpoint, rdata)) { - pjsip_tx_data *tdata; - struct unidentified_request *unid; - -@@ -871,6 +889,10 @@ - return PJ_TRUE; - } - pjsip_tx_data_dec_ref(tdata); -+ } else if (endpoint == artificial_endpoint) { -+ /* Uh. Oh. The artificial endpoint couldn't challenge so block the request. */ -+ pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL); -+ return PJ_TRUE; - } - - return PJ_FALSE; - diff --git a/net/asterisk-13.x/patches/120-AST-2018-009-13.diff b/net/asterisk-13.x/patches/120-AST-2018-009-13.diff deleted file mode 100644 index 986810b..0000000 --- a/net/asterisk-13.x/patches/120-AST-2018-009-13.diff +++ /dev/null 
@@ -1,89 +0,0 @@ -From e6b0c4d27e0392a7b4b4b6717a6d1e0ea049b550 Mon Sep 17 00:00:00 2001 -From: Sean Bright -Date: Thu, 16 Aug 2018 11:45:53 -0400 -Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade - requests - -The HTTP request processing in res_http_websocket allocates additional -space on the stack for various headers received during an Upgrade request. -An attacker could send a specially crafted request that causes this code -to overflow the stack, resulting in a crash. - -* No longer allocate memory from the stack in a loop to parse the header -values. NOTE: There is a slight API change when using the passed in -strings as is. We now require the passed in strings to no longer have -leading or trailing whitespace. This isn't a problem as the only callers -have already done this before passing the strings to the affected -function. - -ASTERISK-28013 #close - -Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a ---- - res/res_http_websocket.c | 25 ++++++++++++++----------- - 1 file changed, 14 insertions(+), 11 deletions(-) - -diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c -index 440bf41..0ff876b 100644 ---- a/res/res_http_websocket.c -+++ b/res/res_http_websocket.c -@@ -736,7 +736,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser) - int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers) - { - struct ast_variable *v; -- char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL; -+ const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL; -+ char *requested_protocols = NULL, *protocol = NULL; - int version = 0, flags = 1; - struct ast_websocket_protocol *protocol_handler = NULL; - struct ast_websocket *session; -@@ -755,16 
+756,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan - /* Get the minimum headers required to satisfy our needs */ - for (v = headers; v; v = v->next) { - if (!strcasecmp(v->name, "Upgrade")) { -- upgrade = ast_strip(ast_strdupa(v->value)); -+ upgrade = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) { -- key = ast_strip(ast_strdupa(v->value)); -+ key = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) { -- key1 = ast_strip(ast_strdupa(v->value)); -+ key1 = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) { -- key2 = ast_strip(ast_strdupa(v->value)); -+ key2 = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) { -- requested_protocols = ast_strip(ast_strdupa(v->value)); -- protos = ast_strdupa(requested_protocols); -+ protos = v->value; - } else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) { - if (sscanf(v->value, "%30d", &version) != 1) { - version = 0; -@@ -778,7 +778,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan - ast_sockaddr_stringify(&ser->remote_address)); - ast_http_error(ser, 426, "Upgrade Required", NULL); - return 0; -- } else if (ast_strlen_zero(requested_protocols)) { -+ } else if (ast_strlen_zero(protos)) { - /* If there's only a single protocol registered, and the - * client doesn't specify what protocol it's using, go ahead - * and accept the connection */ -@@ -799,9 +799,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan - return 0; - } - -- /* Iterate through the requested protocols trying to find one that we have a handler for */ -- while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) { -- protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY); -+ if (!protocol_handler && protos) { -+ requested_protocols = ast_strdupa(protos); -+ /* Iterate through the requested protocols trying to find one that we have a 
handler for */ -+ while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) { -+ protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY); -+ } - } - - /* If no protocol handler exists bump this back to the requester */ --- -2.7.4 -