diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-04-11 10:44:24 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-04-11 10:44:39 +0000 |
commit | a9eea283365cdd1c9b50afb6e1df09fcb491471c (patch) | |
tree | 5aaa686cf41c703b6c61f79035c038ce0333cf26 | |
parent | f01a94cc49111315ca6463f14885d2bd8273dc7c (diff) | |
download | aports-a9eea283365cdd1c9b50afb6e1df09fcb491471c.tar.bz2 aports-a9eea283365cdd1c9b50afb6e1df09fcb491471c.tar.xz |
main/kamailio: upgrade to 4.2.7, security fix (CVE-2016-2385). Fixes #5352
-rw-r--r-- | main/kamailio/APKBUILD | 19 | ||||
-rw-r--r-- | main/kamailio/CVE-2016-2385.patch | 39 | ||||
-rw-r--r-- | main/kamailio/sqlops-fix-use-after-free-by-deep-copying-result-nam.patch | 45 |
3 files changed, 49 insertions, 54 deletions
diff --git a/main/kamailio/APKBUILD b/main/kamailio/APKBUILD index 61ed43c85c..4bdff9d7f4 100644 --- a/main/kamailio/APKBUILD +++ b/main/kamailio/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Michael Mason <ms13sp@gmail.com> # Maintainer: Nathan Angelacos <nangel@alpinelinux.org> pkgname=kamailio -pkgver=4.2.3 -pkgrel=1 +pkgver=4.2.7 +pkgrel=0 pkgdesc="Open Source SIP Server" url="http://www.kamailio.org/" arch="all" @@ -208,9 +208,10 @@ done source="http://www.kamailio.org/pub/kamailio/$pkgver/src/kamailio-${pkgver}_src.tar.gz kamailio-4.2-backslash.patch 0001-musl-fixes.patch - sqlops-fix-use-after-free-by-deep-copying-result-nam.patch default_ctl.patch kamctl_build.patch + CVE-2016-2385.patch + kamailio.cfg kamailio.initd " @@ -434,27 +435,27 @@ uuid() { "$_mod_list_uuid" } -md5sums="f94eb1db3820dba22bd3fdae464e93b3 kamailio-4.2.3_src.tar.gz +md5sums="cec08c9f004635d794b1c5bebafaff82 kamailio-4.2.7_src.tar.gz bad1ac2d4c95043df271d2ea6d37627a kamailio-4.2-backslash.patch 4685288dc54680597b00f956dc95d4d6 0001-musl-fixes.patch -c76507d21eef8091756a74153fc68994 sqlops-fix-use-after-free-by-deep-copying-result-nam.patch 841fa62c432c5d8aeb57ad70d2ec3030 default_ctl.patch d0052e6054884b9cec955af4480c7c85 kamctl_build.patch +38282b05e14c0aa1eb4b3d9689dd673a CVE-2016-2385.patch 299706d97e30a4f0d9b4c873df422866 kamailio.cfg 0e0a271fd3ddb7e87c01c26c7d041d59 kamailio.initd" -sha256sums="7dbbca4a515778d3e903380adcc49f727ddc4853238cb905e14c811a5671ed80 kamailio-4.2.3_src.tar.gz +sha256sums="c95cddf34bad0de08b100bdf49ae46479c1905d73bf6375668be74c57c20f224 kamailio-4.2.7_src.tar.gz d7e59be721ed0ad4621d404493b9a519708d801e9d4914b0164b819fa1abcd13 kamailio-4.2-backslash.patch b98555ff304b51b82c6cf7e01d757b15ea4f05bd2e603c84d4384df6a6be62b6 0001-musl-fixes.patch -1182e3af5b771aa027caa0c1f6c4195532b51b8fcd274621593fcd086d4d2a58 sqlops-fix-use-after-free-by-deep-copying-result-nam.patch 755efa4ad126c672bc67c53268260b57f7da1f454cdc1a1601778ed7c7d5f0e5 default_ctl.patch e00eefed792acbc1ee6eca8fa7389f9973bd53b68fa7abc573f19f1ff26812a1 kamctl_build.patch +3d8f1c5f22665f3add1b34bf81be0beda3e2e87623cfd1ffa3dd1e635a300e50 CVE-2016-2385.patch 8b742ff710ef67ff59ec07a260690ebcdda24fb6f0b7b64dc50433a1bacf99f2 kamailio.cfg a90d3ab09a3ed58892e94710a1f80492a61ffad1ccf7ccb5b851bb8f538d32c4 kamailio.initd" -sha512sums="2f42499fe84eefac236fe3d4aa3c7bc424944236f00b95a7071feaa816b3df5764f84076d57b2137908dab7ff06a2440cc7a53a799216befd9511f8718a2eee5 kamailio-4.2.3_src.tar.gz +sha512sums="21395b56c4e928c0893a05bbf01f19c5d02ce1bc53fa1970c2568cbafd71d2af4883c476624fbfd3fc72d953f1a2a8e2fab67c5ff254a0d0f3cbb55489189e2d kamailio-4.2.7_src.tar.gz a9bb1e8f9f373264b8351ddae099a36a46ddd46fdec09e468d297ba4f64bb4896e7d6e599da70a424e8a28695ab3f3b4ac940afab534593a6b9d08ae462f001a kamailio-4.2-backslash.patch dea7ef2ccf01357576045ba375d41301e2447b4454324007c7ca1862322835c57045852017192ca5434b32dd1b7a2e9669209b7111889dab335b74f042d0f11f 0001-musl-fixes.patch -284a13873cf7cf4ae4c1d90c757974ef634863bdde146d4af9feb86e4d96e07a694c299189e8acef838246637dcf36199ac386cecfc4871cefe64b71aa6278b3 sqlops-fix-use-after-free-by-deep-copying-result-nam.patch 2321d8afe29b53057ce21e0552dfb80fd6a0e7dc0caf3c4798a8b253518f4c8c546797302933373f4b055a4531329a36ee2d7117b0a88fe39cf153bfef91a656 default_ctl.patch 4c2c9bde3a4c44feca2863bb03cb031aa55e1c3df21dc7c0acb3a392c34cb36d9a132bcbdf451a0624f8ec202152f1cf238c89280c32f1c04312ce80427a18c6 kamctl_build.patch +9e5daf343bfaccc1519cfeb2f024e62811c022cc04541c7fb18e5b4d2d35a3fda51487dcb6bd0cdc14a112a92b0c58ecbc043ba59f3daf307bf7a2d5eef73ebb CVE-2016-2385.patch c1abf69b48847dc8c7ab0d11ef9adb531aa4635f9d44db6933981edc5a47df374664fb24867b19aa64abbcc9777bf1cd0360d9aea54e27b081065928c61e0f0b kamailio.cfg 5ddaa059cdef10462c904f061f7bb085e62ad7501e2ed41f797d9e68822bce4e0e5ca09c1586c3901c920f8ce563c8c3ede860752c2b9bdb8f09908388ef337f kamailio.initd" diff --git a/main/kamailio/CVE-2016-2385.patch b/main/kamailio/CVE-2016-2385.patch new file mode 100644 index 0000000000..b4d9315d6b --- /dev/null +++ b/main/kamailio/CVE-2016-2385.patch @@ -0,0 +1,39 @@ +From bc4a545aa050dd36c982bf102464edbc14a88753 Mon Sep 17 00:00:00 2001 +From: Daniel-Constantin Mierla <miconda@gmail.com> +Date: Fri, 12 Feb 2016 18:04:19 +0100 +Subject: [PATCH] seas: safety check for target buffer size before copying + message in encode_msg() + +- avoid buffer overflow for large SIP messages +- reported by Stelios Tsampas + +(cherry picked from commit f50c9c853e7809810099c970780c30b0765b0643) +(cherry picked from commit 18cd34781d2bdda9c19314c0494f6a655dbe6089) +--- + modules/seas/encode_msg.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/modules/seas/encode_msg.c b/modules/seas/encode_msg.c +index 06d31a3..e56b5fb 100644 +--- a/modules/seas/encode_msg.c ++++ b/modules/seas/encode_msg.c +@@ -158,6 +158,7 @@ int encode_msg(struct sip_msg *msg,char *payload,int len) + + if(len < MAX_ENCODED_MSG + MAX_MESSAGE_LEN) + return -1; ++ + if(parse_headers(msg,HDR_EOH_F,0)<0){ + myerror="in parse_headers"; + goto error; +@@ -266,6 +267,11 @@ int encode_msg(struct sip_msg *msg,char *payload,int len) + /*j+=k;*/ + /*pkg_free(payload2);*/ + /*now we copy the actual message after the headers-meta-section*/ ++ ++ if(len < j + msg->len + 1) { ++ LM_ERR("not enough space to encode sip message\n"); ++ return -1; ++ } + memcpy(&payload[j],msg->buf,msg->len); + LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j); + j=htons(j); diff --git a/main/kamailio/sqlops-fix-use-after-free-by-deep-copying-result-nam.patch b/main/kamailio/sqlops-fix-use-after-free-by-deep-copying-result-nam.patch deleted file mode 100644 index 593afab03c..0000000000 --- a/main/kamailio/sqlops-fix-use-after-free-by-deep-copying-result-nam.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 6e2604464e64cfaaf1e0327228f53f4787b69470 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> -Date: Mon, 9 Mar 2015 16:30:53 +0200 -Subject: [PATCH] sqlops: fix use-after-free by deep copying result name - -When creating a new result handle, deep copy the result name. -Otherwise we might end up accessing the name after it's freed. ---- - modules/sqlops/sql_api.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/modules/sqlops/sql_api.c b/modules/sqlops/sql_api.c -index cf0efee..db87fbf 100644 ---- a/modules/sqlops/sql_api.c -+++ b/modules/sqlops/sql_api.c -@@ -197,14 +197,16 @@ sql_result_t* sql_get_result(str *name) - return sr; - sr = sr->next; - } -- sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t)); -+ sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t) + name->len); - if(sr==NULL) - { - LM_ERR("no pkg memory\n"); - return NULL; - } - memset(sr, 0, sizeof(sql_result_t)); -- sr->name = *name; -+ memcpy(sr+1, name->s, name->len); -+ sr->name.s = (char *)(sr + 1); -+ sr->name.len = name->len; - sr->resid = resid; - sr->next = _sql_result_root; - _sql_result_root = sr; -@@ -683,6 +685,7 @@ void sql_destroy(void) - pkg_free(r); - r = r0; - } -+ _sql_result_root = NULL; - } - - /** --- -2.3.5 - |