Fix vulnerabilities in channels/chan_ia2x.c

I have attached a debdiff for Hardy based on patches from upstream. I have tested as best I can with my limited knowledge of asterisk and IAX. I can connect and register with IAX clients and with VoixPhone, I can seem to connect to a channel. (the CLI for asterisk shows I am connected) However, while kiax will register, I am unable to call with it, but it could be due to my setup. (I've never configured asterisk before)

Any testing help would be appreciated as would anyone patient enough to tech me how to get a basic asterisk setup going.

Thanks for the debdiff Brian!

Since you're asking for some more help in testing it, I'll set this bug as "Incomplete" for now. Once you're satisfied that it's been tested adequately, please mark it as "In Progress" again so our notification scripts will pick it up and we'll build and release it.

Thanks.

Thanks to some help from Jamie, I am able to successfully register IAX clients and make calls with them. This patch should be ready for release.

Thanks for your debdiff Brian! :) Here are some comments:

1. You have supplied two patches for CVE-2008-1897 (debian/patches/CVE-2008-1897 and debian/patches/asterisk-CVE-2008-1897). Please remove asterisk-CVE-2008-1897
2. CVE-2008-1897 seems to be missing parts of upstream's http://downloads.digium.com/pub/security/AST-2008-006.html (http://downloads.digium.com/pub/security/AST-2008-006.html). Was the patch misapplied? If not, can you explain why it isn't applied?
3. The debian/changelog description does not conform to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging. These guidelines are in place for clarity, so someone knows quickly what patch goes with which CVE and upstream references. Can you adjust so each patch has its own stanza?
4. The package uses quilt, which supports comments at the top of the patch. Specifically, the added patches in debian/patches should use UbuntuDevelopment/PatchTaggingGuidelines (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch)
5. Our tracker (see http://people.ubuntu.com/~ubuntu-security/cve/universe.html#universe) shows that hardy asterisk is also vulnerable to CVE-2008-3903, CVE-2008-1923, CVE-2009-0871 and CVE-2008-1390. Were you planning to do updates for these as well?

I have marked the Hardy task back to 'Triaged' as per https://wiki.ubuntu.com/SecurityTeam/BugTriage#Status. Please mark back to 'In Progress' when resubmitting your patch. Thanks for your time in preparing these. Asterisk needs some love! :)

Thanks Jamie,

On Tue, Apr 28, 2009 at 5:29 PM, Jamie Strandboge <email address hidden> wrote:

> Thanks for your debdiff Brian! :) Here are some comments:
>
> 1. You have supplied two patches for CVE-2008-1897
> (debian/patches/CVE-2008-1897 and debian/patches/asterisk-CVE-2008-1897).
> Please remove asterisk-CVE-2008-1897

Bah! I didn't even see that, sorry. That was left over from some earlier
quilt tinkering. Will remove it straight away.

>
> 2. CVE-2008-1897 seems to be missing parts of upstream's
> http://downloads.digium.com/pub/security/AST-2008-006.html (
> http://downloads.digium.com/pub/security/AST-2008-006.html). Was the patch
> misapplied? If not, can you explain why it isn't applied?

It's been so long I'm not sure. I'll do this one from scratch again.

>
> 3. The debian/changelog description does not conform to
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging.
> These guidelines are in place for clarity, so someone knows quickly what
> patch goes with which CVE and upstream references. Can you adjust so each
> patch has its own stanza?

OK

>
> 4. The package uses quilt, which supports comments at the top of the patch.
> Specifically, the added patches in debian/patches should use
> UbuntuDevelopment/PatchTaggingGuidelines (see
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch)

OK

>
> 5. Our tracker (see
> http://people.ubuntu.com/~ubuntu-security/cve/universe.html#universe<http://people.ubuntu.com/%7Eubuntu-security/cve/universe.html#universe>)
> shows that hardy asterisk is also vulnerable to CVE-2008-3903,
> CVE-2008-1923, CVE-2009-0871 and CVE-2008-1390. Were you planning to do
> updates for these as well?
>

Off the top of my head, one of these upstream hadn't fixed at the time, a
couple were basically duplicates, and I don't recall the other off the top
of my head. Before resubmitting the debdiff, I'll also look these up again
and comment in the bug. Yes, if they need attention, I fully plan on
handling them as well.

I'll also resubmit with the intrepid patch next time.

Thanks as always for your patience as I get accustomed to these processes
Jamie!

-Brian

Here is an updated debdiff for hardy. The missing section from the upstream patch in CVE-2008-1897 was irrelevant as it had been fixed for a different reason by a prior patch.

Hi Brian,

Thanks for the updated debdiff. Patch for CVE-2008-1897 looks good, as does the changelog and patch tagging.

Would it be possible to apply patched for the following two issues:

CVE-2008-1390 (http://downloads.asterisk.org/pub/security/AST-2008-005.html)
CVE-2008-3903 (http://downloads.asterisk.org/pub/security/AST-2009-003.html)

The other issues don't seem to apply to hardy.

Thanks!

Added fixes for:

CVE-2008-1390 (http://downloads.asterisk.org/pub/security/AST-2008-005.html)
CVE-2008-3903 (http://downloads.asterisk.org/pub/security/AST-2009-003.html)

I tested that it built properly but have not done any thorough testing yet. Any help in the way of testing would be greatly appreciated as the chan_sip.c file was modified.

This looks good. I would recommend using a SIP provider like Ekiga.net to test SIP functionality. Once you're satisfied that these changes are solid, we can publish them.

I tested this locally, calling up voicemail using SIP, and it worked fine. I don't really have a setup for making a call from softphone to softphone though. If anyone else would like to test this, please do, otherwise, I think it's good enough to hit proposed.

Actually, we don't go through -proposed for security updates. I will build this and test locally. Marking 'In Progress' per https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update

Uploaded to security ppa. Will test/push to the archive when it finishes building. Thanks for the hard work Brian!

I tested this from a sip phone through asterisk to IAX provider in both directions and it works fine.

Thanks Jamie! I hadn't thought about that possibility.

-Brian

On Fri, Sep 25, 2009 at 4:34 PM, Jamie Strandboge <email address hidden> wrote:

> I tested this from a sip phone through asterisk to IAX provider in both
> directions and it works fine.
>
> --
> Fix vulnerabilities in channels/chan_ia2x.c
> https://bugs.launchpad.net/bugs/345217
> You received this bug notification because you are a direct subscriber
> of the bug.
>

asterisk (1:1.4.17~dfsg-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: ACK response spoofing
    - added debian/patches/CVE-2008-1897: Adjust chan_iax2.c to use a special
      id to prevent ACK response spoofing. Based on upstream patch.
    - CVE-2008-1897
    - AST-2008-006
  * SECURITY UPDATE: POKE request flooding
    - added debian/patches/CVE-2008-3263: Adjust chan_iax2.c to prevent
      'POKE' request flooding. Based on upstream patch.
    - CVE-2008-3263
    - AST-2008-010
  * SECURITY UPDATE: firmware packet flooding
    - added debian/patches/CVE-2008-3264: Adjust chan_iax2.c to prevent
      firmware packet flooding. Based on upstream patch.
    - CVE-2008-3264
    - AST-2008-011
  * SECURITY UPDATE: information leak in IAX2 authentication
    - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
      information leak in IAX2 authentication. Based on upstream patch.
    - CVE-2009-0041
    - AST-2009-001
  * SECURITY UPDATE: SIP responses expose valid usernames
    - added debian/patches/CVE-2008-3903: Adjust chan_sip.c to make
      it more difficult to scan for available usernames.
    - CVE-2008-3903
    - AST-2009-003
  * SECURITY UPDATE: An attacker could hijack a manager session
    - added debian/patches/CVE-2008-1390: Adjust manager.c to
      never assign an invalid id of 0
    - CVE-2008-1390
    - AST-2008-005

debdiff for Jaunty

Marking the Jaunty task back to 'In Progress' (per https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update) since CVE-2009-0041 was not fixed.

Debdiff for Intrepid

Setting karmic status to invalid as none of these effect the version there.

Looks good. It sounds like you tested on Hardy -- did Intrepid and Jaunty get tested as well? I'll get these ready for uploading.

Any progress on testing these changes?

Hi Kees,

I tested it out today and am successfully able to make calls from different PC's (and different IAX clients) to the echo channel. I am unable to properly make two clients connect to one another. I had seemingly accomplished this on Hardy by running two copies of VoixPhone on the same machine running as different users, but the later versions of VoixPhone only support one running instance.

I tested on the unpatched asterisk from universe, and received the same behavior, so I doubt my ability to connect two clients has anything to do with my patch but rather with user error due to my ignorance of IAX.

It would be nice if someone else could give this a quick test before pushing it out into the wild.

asterisk (1:1.4.21.2~dfsg-1ubuntu3.1) intrepid-security; urgency=low

  * SECURITY UPDATE: information leak in IAX2 authentication
    - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
      information leak in IAX2 authentication. Based on upstream patch.
    - CVE-2009-0041
    - AST-2009-001

asterisk (1:1.4.21.2~dfsg-3ubuntu2.1) jaunty-security; urgency=low

  * SECURITY UPDATE: information leak in IAX2 authentication
    - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
      information leak in IAX2 authentication. Based on upstream patch.
    - CVE-2009-0041
    - AST-2009-001