authorLeonardo Arena <rnalrd@alpinelinux.org>2016-04-11 10:44:24 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-04-11 10:44:39 +0000
commita9eea283365cdd1c9b50afb6e1df09fcb491471c (patch)
tree5aaa686cf41c703b6c61f79035c038ce0333cf26
parentf01a94cc49111315ca6463f14885d2bd8273dc7c (diff)
main/kamailio: upgrade to 4.2.7, security fix (CVE-2016-2385). Fixes #5352
-rw-r--r--main/kamailio/APKBUILD19
-rw-r--r--main/kamailio/CVE-2016-2385.patch39
-rw-r--r--main/kamailio/sqlops-fix-use-after-free-by-deep-copying-result-nam.patch45
3 files changed, 49 insertions, 54 deletions
diff --git a/main/kamailio/APKBUILD b/main/kamailio/APKBUILD
index 61ed43c85c..4bdff9d7f4 100644
--- a/main/kamailio/APKBUILD
+++ b/main/kamailio/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Nathan Angelacos <nangel@alpinelinux.org>
pkgname=kamailio
-pkgver=4.2.3
-pkgrel=1
+pkgver=4.2.7
+pkgrel=0
pkgdesc="Open Source SIP Server"
url="http://www.kamailio.org/"
arch="all"
@@ -208,9 +208,10 @@ done
source="http://www.kamailio.org/pub/kamailio/$pkgver/src/kamailio-${pkgver}_src.tar.gz
kamailio-4.2-backslash.patch
0001-musl-fixes.patch
- sqlops-fix-use-after-free-by-deep-copying-result-nam.patch
default_ctl.patch
kamctl_build.patch
+ CVE-2016-2385.patch
+
kamailio.cfg
kamailio.initd
"
@@ -434,27 +435,27 @@ uuid() {
"$_mod_list_uuid"
}
-md5sums="f94eb1db3820dba22bd3fdae464e93b3 kamailio-4.2.3_src.tar.gz
+md5sums="cec08c9f004635d794b1c5bebafaff82 kamailio-4.2.7_src.tar.gz
bad1ac2d4c95043df271d2ea6d37627a kamailio-4.2-backslash.patch
4685288dc54680597b00f956dc95d4d6 0001-musl-fixes.patch
-c76507d21eef8091756a74153fc68994 sqlops-fix-use-after-free-by-deep-copying-result-nam.patch
841fa62c432c5d8aeb57ad70d2ec3030 default_ctl.patch
d0052e6054884b9cec955af4480c7c85 kamctl_build.patch
+38282b05e14c0aa1eb4b3d9689dd673a CVE-2016-2385.patch
299706d97e30a4f0d9b4c873df422866 kamailio.cfg
0e0a271fd3ddb7e87c01c26c7d041d59 kamailio.initd"
-sha256sums="7dbbca4a515778d3e903380adcc49f727ddc4853238cb905e14c811a5671ed80 kamailio-4.2.3_src.tar.gz
+sha256sums="c95cddf34bad0de08b100bdf49ae46479c1905d73bf6375668be74c57c20f224 kamailio-4.2.7_src.tar.gz
d7e59be721ed0ad4621d404493b9a519708d801e9d4914b0164b819fa1abcd13 kamailio-4.2-backslash.patch
b98555ff304b51b82c6cf7e01d757b15ea4f05bd2e603c84d4384df6a6be62b6 0001-musl-fixes.patch
-1182e3af5b771aa027caa0c1f6c4195532b51b8fcd274621593fcd086d4d2a58 sqlops-fix-use-after-free-by-deep-copying-result-nam.patch
755efa4ad126c672bc67c53268260b57f7da1f454cdc1a1601778ed7c7d5f0e5 default_ctl.patch
e00eefed792acbc1ee6eca8fa7389f9973bd53b68fa7abc573f19f1ff26812a1 kamctl_build.patch
+3d8f1c5f22665f3add1b34bf81be0beda3e2e87623cfd1ffa3dd1e635a300e50 CVE-2016-2385.patch
8b742ff710ef67ff59ec07a260690ebcdda24fb6f0b7b64dc50433a1bacf99f2 kamailio.cfg
a90d3ab09a3ed58892e94710a1f80492a61ffad1ccf7ccb5b851bb8f538d32c4 kamailio.initd"
-sha512sums="2f42499fe84eefac236fe3d4aa3c7bc424944236f00b95a7071feaa816b3df5764f84076d57b2137908dab7ff06a2440cc7a53a799216befd9511f8718a2eee5 kamailio-4.2.3_src.tar.gz
+sha512sums="21395b56c4e928c0893a05bbf01f19c5d02ce1bc53fa1970c2568cbafd71d2af4883c476624fbfd3fc72d953f1a2a8e2fab67c5ff254a0d0f3cbb55489189e2d kamailio-4.2.7_src.tar.gz
a9bb1e8f9f373264b8351ddae099a36a46ddd46fdec09e468d297ba4f64bb4896e7d6e599da70a424e8a28695ab3f3b4ac940afab534593a6b9d08ae462f001a kamailio-4.2-backslash.patch
dea7ef2ccf01357576045ba375d41301e2447b4454324007c7ca1862322835c57045852017192ca5434b32dd1b7a2e9669209b7111889dab335b74f042d0f11f 0001-musl-fixes.patch
-284a13873cf7cf4ae4c1d90c757974ef634863bdde146d4af9feb86e4d96e07a694c299189e8acef838246637dcf36199ac386cecfc4871cefe64b71aa6278b3 sqlops-fix-use-after-free-by-deep-copying-result-nam.patch
2321d8afe29b53057ce21e0552dfb80fd6a0e7dc0caf3c4798a8b253518f4c8c546797302933373f4b055a4531329a36ee2d7117b0a88fe39cf153bfef91a656 default_ctl.patch
4c2c9bde3a4c44feca2863bb03cb031aa55e1c3df21dc7c0acb3a392c34cb36d9a132bcbdf451a0624f8ec202152f1cf238c89280c32f1c04312ce80427a18c6 kamctl_build.patch
+9e5daf343bfaccc1519cfeb2f024e62811c022cc04541c7fb18e5b4d2d35a3fda51487dcb6bd0cdc14a112a92b0c58ecbc043ba59f3daf307bf7a2d5eef73ebb CVE-2016-2385.patch
c1abf69b48847dc8c7ab0d11ef9adb531aa4635f9d44db6933981edc5a47df374664fb24867b19aa64abbcc9777bf1cd0360d9aea54e27b081065928c61e0f0b kamailio.cfg
5ddaa059cdef10462c904f061f7bb085e62ad7501e2ed41f797d9e68822bce4e0e5ca09c1586c3901c920f8ce563c8c3ede860752c2b9bdb8f09908388ef337f kamailio.initd"
diff --git a/main/kamailio/CVE-2016-2385.patch b/main/kamailio/CVE-2016-2385.patch
new file mode 100644
index 0000000000..b4d9315d6b
--- /dev/null
+++ b/main/kamailio/CVE-2016-2385.patch
@@ -0,0 +1,39 @@
+From bc4a545aa050dd36c982bf102464edbc14a88753 Mon Sep 17 00:00:00 2001
+From: Daniel-Constantin Mierla <miconda@gmail.com>
+Date: Fri, 12 Feb 2016 18:04:19 +0100
+Subject: [PATCH] seas: safety check for target buffer size before copying
+ message in encode_msg()
+
+- avoid buffer overflow for large SIP messages
+- reported by Stelios Tsampas
+
+(cherry picked from commit f50c9c853e7809810099c970780c30b0765b0643)
+(cherry picked from commit 18cd34781d2bdda9c19314c0494f6a655dbe6089)
+---
+ modules/seas/encode_msg.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/modules/seas/encode_msg.c b/modules/seas/encode_msg.c
+index 06d31a3..e56b5fb 100644
+--- a/modules/seas/encode_msg.c
++++ b/modules/seas/encode_msg.c
+@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
+
+ if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN)
+ return -1;
++
+ if(parse_headers(msg,HDR_EOH_F,0)<0){
+ myerror="in parse_headers";
+ goto error;
+@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len)
+ /*j+=k;*/
+ /*pkg_free(payload2);*/
+ /*now we copy the actual message after the headers-meta-section*/
++
++ if(len < j + msg->len + 1) {
++ LM_ERR("not enough space to encode sip message\n");
++ return -1;
++ }
+ memcpy(&payload[j],msg->buf,msg->len);
+ LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
+ j=htons(j);
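Review bot: The added bound `if(len < j + msg->len + 1)` in the second encode_msg() hunk sums a length taken from the SIP message before comparing. If `msg->len` is unsigned (its declaration is outside the hunk), the comparison is done unsigned and the sum can in principle wrap; a subtraction form avoids that: `if(j >= len || msg->len >= (unsigned int)(len - j))`. The failure branch also uses a bare `return -1`, whereas the parse_headers failure in the first hunk sets `myerror` and does `goto error`; if the `error:` label logs or cleans up, which is not visible here, the new branch should take the same route. encode_msg() starts and ends outside both hunks, and since this is a cherry-picked upstream patch, any change belongs upstream.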
diff --git a/main/kamailio/sqlops-fix-use-after-free-by-deep-copying-result-nam.patch b/main/kamailio/sqlops-fix-use-after-free-by-deep-copying-result-nam.patch
deleted file mode 100644
index 593afab03c..0000000000
--- a/main/kamailio/sqlops-fix-use-after-free-by-deep-copying-result-nam.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 6e2604464e64cfaaf1e0327228f53f4787b69470 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Mon, 9 Mar 2015 16:30:53 +0200
-Subject: [PATCH] sqlops: fix use-after-free by deep copying result name
-
-When creating a new result handle, deep copy the result name.
-Otherwise we might end up accessing the name after it's freed.
----
- modules/sqlops/sql_api.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/modules/sqlops/sql_api.c b/modules/sqlops/sql_api.c
-index cf0efee..db87fbf 100644
---- a/modules/sqlops/sql_api.c
-+++ b/modules/sqlops/sql_api.c
-@@ -197,14 +197,16 @@ sql_result_t* sql_get_result(str *name)
- return sr;
- sr = sr->next;
- }
-- sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t));
-+ sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t) + name->len);
- if(sr==NULL)
- {
- LM_ERR("no pkg memory\n");
- return NULL;
- }
- memset(sr, 0, sizeof(sql_result_t));
-- sr->name = *name;
-+ memcpy(sr+1, name->s, name->len);
-+ sr->name.s = (char *)(sr + 1);
-+ sr->name.len = name->len;
- sr->resid = resid;
- sr->next = _sql_result_root;
- _sql_result_root = sr;
-@@ -683,6 +685,7 @@ void sql_destroy(void)
- pkg_free(r);
- r = r0;
- }
-+ _sql_result_root = NULL;
- }
-
- /**
---
-2.3.5
-