[asterisk-dev] Permit/deny with negation patch

Tilghman Lesher tilghman at meg.abyt.es
Tue Mar 20 13:59:47 CDT 2012


On Thu, Mar 8, 2012 at 11:11 AM, Tilghman Lesher <tilghman at meg.abyt.es> wrote:
> https://reviewboard.asterisk.org/r/1592/
>
> I have a patch that has been languishing on the review tracker, even
> though it got a "Ship It" several months ago, and someone pointed out
> that it could plausibly be a bug fix, because permit/deny in realtime
> is incredibly difficult to use properly, because it depends upon the
> columns coming back from the database in a particular order.  There's
> a plausible argument that this, therefore, could be a bug fix for
> realtime.  Furthermore, since permit/deny controls a security aspect
> of realtime peers, if a realtime backend (such as LDAP) was not
> consistent in returning columns in a particular order, it could be
> considered a possible security issue.
>
> So I'm asking the developer community for opinions.  Ostensibly, this
> would otherwise only go into trunk, as a new feature.  However, if
> it's only a bug fix, it could go into 1.8 forwards, and if it's a
> security fix, it could go into 1.4, 1.6.2, and forward, and generate
> the release of a security document and new releases for these branches
> that are in security support mode.
>
> I don't consider this a high security issue, as nobody has yet
> demonstrated that this is vulnerable in the wild.  It is likely that
> only certain systems _might_ be vulnerable in very limited
> circumstances, so the developer community (specifically those who use
> permit/deny in realtime peers) are encouraged to voice their opinions
> and even to try out the patch.
>
> So in summary, is this a security fix?  Or only a bug fix?  Or just a
> new feature?

So seeing no objection, we'll make this a security issue and patch
1.4, right?  Bueller?  Bueller?

-Tilghman
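To make the order-dependence concrete, here is an added illustration (not code from Asterisk or from the patch under review). It models sequential permit/deny evaluation where each matching rule overrides the previous verdict and the last match wins, with "no match" treated as allowed (that default is an assumption of the model). The same two realtime columns are fed in the two orders a backend with no guaranteed column ordering could return, and the verdict for the same peer flips.

```python
import ipaddress

# Constructed sample rows: the same deny/permit pair as a realtime backend
# might return it, in two different column orders.
ROWS_DENY_FIRST = [
    ("deny", "0.0.0.0/0.0.0.0"),
    ("permit", "192.168.1.0/255.255.255.0"),
]
ROWS_PERMIT_FIRST = [
    ("permit", "192.168.1.0/255.255.255.0"),
    ("deny", "0.0.0.0/0.0.0.0"),
]


def parse_rule(value):
    """Turn an 'addr/mask' permit/deny value into a network object."""
    addr, _, mask = value.partition("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def apply_acl(rows, peer_addr):
    """Walk the rules in arrival order; every matching rule replaces the
    current verdict, so the last match wins. With no match at all the
    peer is allowed (assumed default for this model)."""
    ip = ipaddress.ip_address(peer_addr)
    allowed = True
    for sense, value in rows:
        if ip in parse_rule(value):
            allowed = (sense == "permit")
    return allowed


def column_order_sensitive(rows, peer_addr):
    """True when reversing the row order changes the verdict for peer_addr,
    i.e. the ACL outcome depends on how the backend ordered its columns."""
    return apply_acl(rows, peer_addr) != apply_acl(list(reversed(rows)), peer_addr)


if __name__ == "__main__":
    for label, rows in (("deny first", ROWS_DENY_FIRST), ("permit first", ROWS_PERMIT_FIRST)):
        print(label, "192.168.1.5 ->", "permit" if apply_acl(rows, "192.168.1.5") else "deny")
```

With deny first the LAN peer is permitted and everything else denied, which is what the administrator meant; with permit first the catch-all deny comes last and the LAN peer is locked out, so a backend that reorders columns silently changes the security outcome.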
