[svn-commits] qwell: branch 1.8-digiumphones r363161 - in /branches/1.8-digiumphones: ./ ch...

SVN commits to the Digium repositories svn-commits at lists.digium.com
Mon Apr 23 10:17:24 CDT 2012 

Author: qwell
Date: Mon Apr 23 10:17:20 2012
New Revision: 363161

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=363161
Log:
Multiple revisions 363102,363106,363141

........
  r363102 | mjordan | 2012-04-23 08:37:55 -0500 (Mon, 23 Apr 2012) | 16 lines
  
  AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling
  
  When handling a keypad button message event, the received digit is placed into
  a fixed length buffer that acts as a queue.  When a new message event is
  received, the length of that buffer is not checked before placing the new digit
  on the end of the queue.  The situation exists where sufficient keypad button
  message events would occur that would cause the buffer to be overrun.  This
  patch explicitly checks that there is sufficient room in the buffer before
  appending a new digit.
  
  (closes issue ASTERISK-19592)
  Reported by: Russell Bryant
  ........
  
  Merged revisions 363100 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
  r363106 | mjordan | 2012-04-23 09:05:02 -0500 (Mon, 23 Apr 2012) | 17 lines
  
  AST-2012-006: Fix crash in UPDATE handling when no channel owner exists
  
  If Asterisk receives a SIP UPDATE request after a call has been terminated and
  the channel has been destroyed but before the SIP dialog has been destroyed, a
  condition exists where a connected line update would be attempted on a
  non-existing channel.  This would cause Asterisk to crash.  The patch resolves
  this by first ensuring that the SIP dialog has an owning channel before
  attempting a connected line update.  If an UPDATE request is received and no
  channel is associated with the dialog, a 481 response is sent.
  
  (closes issue ASTERISK-19770)
  Reported by: Thomas Arimont
  Tested by: Matt Jordan
  Patches:
    ASTERISK-19278-2012-04-16.diff uploaded by Matt Jordan (license 6283)
........
  r363141 | jrose | 2012-04-23 09:33:16 -0500 (Mon, 23 Apr 2012) | 20 lines
  
  AST-2012-004: Fix an error that allows AMI users to run shell commands sans authorization.
  
  As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
  actions were able to run system commands by going through other AMI commands which did
  not require that authorization. Specifically, GetVar and Status allowed users to do this
  by setting their variable/s options to the SHELL or EVAL functions.
  Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
  allowed users with originate permission to run MixMonitor and supply a shell command
  in the Data argument. That flaw is fixed in those versions of this patch.
  
  (closes issue ASTERISK-17465)
  Reported By: David Woolley
  Patches:
  	162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
  	18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
  	10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
  ........
  
  Merged revisions 363117 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........

Merged revisions 363102,363106,363141 from http://svn.asterisk.org/svn/asterisk/branches/1.8

Modified:
    branches/1.8-digiumphones/   (props changed)
    branches/1.8-digiumphones/channels/chan_sip.c
    branches/1.8-digiumphones/channels/chan_skinny.c
    branches/1.8-digiumphones/main/manager.c

Propchange: branches/1.8-digiumphones/
------------------------------------------------------------------------------
Binary property 'branch-1.6.2-merged' - no diff available.

Propchange: branches/1.8-digiumphones/
------------------------------------------------------------------------------
--- branch-1.8-merged (original)
+++ branch-1.8-merged Mon Apr 23 10:17:20 2012
@@ -1,1 +1,1 @@
-/branches/1.8:1-357100,357665,358162,359656-359808,359810-359891,359893-359979,360086,360884
+/branches/1.8:1-357100,357665,358162,359656-359808,359810-359891,359893-359979,360086,360884,363102-363141

Modified: branches/1.8-digiumphones/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8-digiumphones/channels/chan_sip.c?view=diff&rev=363161&r1=363160&r2=363161
==============================================================================
--- branches/1.8-digiumphones/channels/chan_sip.c (original)
+++ branches/1.8-digiumphones/channels/chan_sip.c Mon Apr 23 10:17:20 2012
@@ -22492,6 +22492,10 @@
 		transmit_response(p, "501 Method Not Implemented", req);
 		return 0;
 	}
+	if (!p->owner) {
+		transmit_response(p, "481 Call/Transaction Does Not Exist", req);
+		return 0;
+	}
 	if (get_rpid(p, req)) {
 		struct ast_party_connected_line connected;
 		struct ast_set_party_connected_line update_connected;

Modified: branches/1.8-digiumphones/channels/chan_skinny.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8-digiumphones/channels/chan_skinny.c?view=diff&rev=363161&r1=363160&r2=363161
==============================================================================
--- branches/1.8-digiumphones/channels/chan_skinny.c (original)
+++ branches/1.8-digiumphones/channels/chan_skinny.c Mon Apr 23 10:17:20 2012
@@ -6147,7 +6147,8 @@
 	struct skinny_speeddial *sd;
 	struct skinny_line *l;
 	struct skinny_device *d = s->device;
-	
+	size_t len;
+
 	if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
 		ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
 		ast_free(req);
@@ -6212,8 +6213,13 @@
 				ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
 			}
 
-			d->exten[strlen(d->exten)] = dgt;
-			d->exten[strlen(d->exten)+1] = '\0';
+			len = strlen(d->exten);
+			if (len < sizeof(d->exten) - 1) {
+				d->exten[len] = dgt;
+				d->exten[len + 1] = '\0';
+			} else {
+				ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
+			}
 		} else
 			res = handle_keypad_button_message(req, s);
 		}

Modified: branches/1.8-digiumphones/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8-digiumphones/main/manager.c?view=diff&rev=363161&r1=363160&r2=363161
==============================================================================
--- branches/1.8-digiumphones/main/manager.c (original)
+++ branches/1.8-digiumphones/main/manager.c Mon Apr 23 10:17:20 2012
@@ -1180,6 +1180,19 @@
 	{ 0, "none" },
 };
 
+/*! \brief Checks to see if a string which can be used to evaluate functions should be rejected */
+static int function_capable_string_allowed_with_auths(const char *evaluating, int writepermlist)
+{
+	if (!(writepermlist & EVENT_FLAG_SYSTEM)
+		&& (
+			strstr(evaluating, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
+			strstr(evaluating, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+		)) {
+		return 0;
+	}
+	return 1;
+}
+
 /*! \brief Convert authority code to a list of options */
 static const char *authority_to_str(int authority, struct ast_str **res)
 {
@@ -3178,6 +3191,12 @@
 		return 0;
 	}
 
+	/* We don't want users with insufficient permissions using certain functions. */
+	if (!(function_capable_string_allowed_with_auths(varname, s->session->writeperm))) {
+		astman_send_error(s, m, "GetVar Access Forbidden: Variable");
+		return 0;
+	}
+
 	if (!ast_strlen_zero(name)) {
 		if (!(c = ast_channel_get_by_name(name))) {
 			astman_send_error(s, m, "No such channel");
@@ -3236,6 +3255,11 @@
 		snprintf(idText, sizeof(idText), "ActionID: %s\r\n", id);
 	} else {
 		idText[0] = '\0';
+	}
+
+	if (!(function_capable_string_allowed_with_auths(variables, s->session->writeperm))) {
+		astman_send_error(s, m, "Status Access Forbidden: Variables");
+		return 0;
 	}
 
 	if (all) {
@@ -4029,6 +4053,7 @@
 		ast_parse_allow_disallow(NULL, &format, codecs, 1);
 	}
 	if (!ast_strlen_zero(app) && s->session) {
+		int bad_appdata = 0;
 		/* To run the System application (or anything else that goes to
 		 * shell), you must have the additional System privilege */
 		if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
@@ -4039,10 +4064,13 @@
 				                                     TryExec(System(rm -rf /)) */
 				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
 				                                     EAGI(/bin/rm,-rf /)       */
-				strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
-				strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
+				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
+				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
 				)) {
-			astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
+			char error_buf[64];
+			snprintf(error_buf, sizeof(error_buf), "Originate Access Forbidden: %s", bad_appdata ? "Data" : "Application");
+			astman_send_error(s, m, error_buf);
 			return 0;
 		}
 	}

More information about the svn-commits mailing list