Date: Tue, 5 May 2020 17:59:10 +0000
From: "Adam Ciarcinski"
Subject: CVS commit: pkgsrc/comms/asterisk14
To: pkgsrc-changes@NetBSD.org
Reply-To: adam@netbsd.org
Message-Id: <20200505175910.33F49FB27@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   adam
Date:           Tue May 5 17:59:10 UTC 2020

Modified Files:
        pkgsrc/comms/asterisk14: Makefile distinfo
Added Files:
        pkgsrc/comms/asterisk14/patches: patch-res_srtp_srtp__compat.h

Log Message:
asterisk14: updated to 14.7.8

asterisk 14.7.8:

* AST-2018-009: Fix crash processing websocket HTTP Upgrade requests

  The HTTP request processing in res_http_websocket allocates additional
  space on the stack for various headers received during an Upgrade request.
  An attacker could send a specially crafted request that causes this code
  to overflow the stack, resulting in a crash.

  * No longer allocate memory from the stack in a loop to parse the header
    values.

  NOTE: There is a slight API change when using the passed in strings as is.
  We now require the passed in strings to no longer have leading or trailing
  whitespace. This isn't a problem as the only callers have already done this
  before passing the strings to the affected function.

asterisk 14.7.7:

* AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

  When endpoint specific ACL rules block a SIP request they respond with a
  403 forbidden. However, if an endpoint is not identified then a 401
  unauthorized response is sent. This vulnerability just discloses which
  requests hit a defined endpoint. The ACL rules cannot be bypassed to gain
  access to the disclosed endpoints.

  * Made endpoint specific ACL rules now respond with a 401 unauthorized
    which is the same as if an endpoint were not identified.
    The fix is accomplished by replacing the found endpoint with the
    artificial endpoint which always fails authentication.

asterisk 14.7.6:

* AST-2018-003: Crash with an invalid SDP fmtp attribute

  pjproject's fmtp retrieval function failed to catch invalid fmtp
  attributes. Because of this Asterisk would crash if given an SDP with an
  invalid fmtp attribute. When retrieving the format this patch now makes
  sure the fmtp attribute is available. If not available it now returns an
  error status.

* AST-2018-002: Crash with an invalid SDP media format description

  pjproject's media format parsing algorithm failed to catch invalid values.
  Because of this Asterisk would crash if given an SDP with an invalid media
  format description. When parsing the media format description this patch
  now properly parses the value and returns an error status if it can't
  successfully parse/convert the value.

* AST-2018-005: res_pjsip_transport_management: Move to core

  Since res_pjsip_transport_management provides several attack mitigation
  features, its functionality moved to res_pjsip and this module has been
  removed. This way the features will always be available if res_pjsip is
  loaded.

* AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)

  pjsip_distributor: authenticate() creates a tdata and uses it to send a
  challenge or failure response. When pjsip_endpt_send_response2() succeeds,
  it automatically decrements the tdata ref count but when it fails, it
  doesn't. Since we weren't checking for a return status, we weren't
  decrementing the count ourselves on error and were therefore leaking
  tdatas.

  res_pjsip_session: session_reinvite_on_rx_request wasn't decrementing the
  ref count if an error happened while sending a 491 response.
  pre_session_setup wasn't decrementing the ref count if while sending an
  error after a pjsip_inv_verify_request failure.

  res_pjsip: ast_sip_send_response wasn't decrementing the ref count on
  error.
* AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request

  It was discovered that there are some corner cases where a pjsip tsx might
  have no last_tx so calling ast_sip_failover_request with a NULL last_tx as
  its tdata would cause a crash.

* AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

  When receiving a SUBSCRIBE request the Accept headers from it are stored
  locally. This operation has a fixed limit of 32 Accept headers but this
  limit was not enforced. As a result it was possible for memory outside of
  the allocated space to get written to resulting in a crash. This change
  enforces the limit so only 32 Accept headers are processed.

To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 pkgsrc/comms/asterisk14/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/comms/asterisk14/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/comms/asterisk14/patches/patch-res_srtp_srtp__compat.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: pkgsrc/comms/asterisk14/Makefile diff -u pkgsrc/comms/asterisk14/Makefile:1.43 pkgsrc/comms/asterisk14/Makefile:1.44 --- pkgsrc/comms/asterisk14/Makefile:1.43 Sun Apr 12 08:28:22 2020 +++ pkgsrc/comms/asterisk14/Makefile Tue May 5 17:59:09 2020 
@@ -1,11 +1,10 @@ -# $NetBSD: Makefile,v 1.43 2020/04/12 08:28:22 adam Exp $ +# $NetBSD: Makefile,v 1.44 2020/05/05 17:59:09 adam Exp $ # # NOTE: when updating this package, there are two places that sound # tarballs need to be checked; look in ${WRKSRC}/sounds/Makefile # to find out the current sound file versions -DISTNAME= asterisk-14.7.5 -PKGREVISION= 22 +DISTNAME= asterisk-14.7.8 CATEGORIES= comms net audio MASTER_SITES= http://downloads.asterisk.org/pub/telephony/asterisk/ MASTER_SITES+= http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ @@ -20,7 +19,7 @@ EXTRACT_ONLY= ${DISTNAME}.tar.gz OWNER= jnemeth@NetBSD.org HOMEPAGE= https://www.asterisk.org/ -MAKE_JOBS_SAFE= NO +MAKE_JOBS_SAFE= no # known to have issues on i386, block the package until the bug is fixed BROKEN_ON_PLATFORM= NetBSD-*-i386 @@ -283,7 +282,7 @@ post-install: ${INSTALL_DATA} ${WRKSRC}/doc/api-1.6.2-changes.txt ${DESTDIR}${PREFIX}/share/doc/${PKGBASE} cp -r ${WRKSRC}/doc/Asterisk-Admin-Guide ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}/Asterisk-Admin-Guide -.if ${OPSYS} != "Darwin" && ${PKGSRC_COMPILER} == "clang" +.if ${OPSYS} != "Darwin" && ${PKGSRC_COMPILER:Mclang} .include "../../lang/libBlocksRuntime/buildlink3.mk" LDFLAGS+= -L${PREFIX}/lib .endif Index: pkgsrc/comms/asterisk14/distinfo diff -u pkgsrc/comms/asterisk14/distinfo:1.8 pkgsrc/comms/asterisk14/distinfo:1.9 --- pkgsrc/comms/asterisk14/distinfo:1.8 Sat Dec 21 23:29:04 2019 +++ pkgsrc/comms/asterisk14/distinfo Tue May 5 17:59:09 2020 
@@ -1,13 +1,13 @@ -$NetBSD: distinfo,v 1.8 2019/12/21 23:29:04 joerg Exp $ +$NetBSD: distinfo,v 1.9 2020/05/05 17:59:09 adam Exp $ -SHA1 (asterisk-14.7.5/asterisk-14.7.5.tar.gz) = b378be5598e76f2385298bab346bf489796cefa7 -RMD160 (asterisk-14.7.5/asterisk-14.7.5.tar.gz) = 1cd1ac72c758bebe54d7fdefe2a7fd59640d7863 -SHA512 (asterisk-14.7.5/asterisk-14.7.5.tar.gz) = e6ac50d116528aeb2d2f0ac05ce2d3f5c037b87926fffa0d958d34f02957f13c8a01894c40d7a20ad52d3f3b929f3521a7969e19f485f19bef1d53e8d5390c81 -Size (asterisk-14.7.5/asterisk-14.7.5.tar.gz) = 40819648 bytes -SHA1 (asterisk-14.7.5/asterisk-extra-sounds-en-gsm-1.5.1.tar.gz) = 8bd05d42d45454b642f1d2e598e00e2189747846 -RMD160 (asterisk-14.7.5/asterisk-extra-sounds-en-gsm-1.5.1.tar.gz) = 2320f0c9b884c1d7e80003668fbae03cf4495842 -SHA512 (asterisk-14.7.5/asterisk-extra-sounds-en-gsm-1.5.1.tar.gz) = 6da96ecf9fb2051fd7efc1c5f9b346f6ec7b31d06b7008e0612c869984a3212141ec981132ddd55215339e04c6c27b48d8b3737bd1fa974bffd628a0505212b4 -Size (asterisk-14.7.5/asterisk-extra-sounds-en-gsm-1.5.1.tar.gz) = 4254022 bytes +SHA1 (asterisk-14.7.8/asterisk-14.7.8.tar.gz) = 7a6cf40a52b6a895bcb9f97c1308fb074dc4020a +RMD160 (asterisk-14.7.8/asterisk-14.7.8.tar.gz) = c9bd6eba681cbcf058fd38a31d360d7114bde0a1 +SHA512 (asterisk-14.7.8/asterisk-14.7.8.tar.gz) = 4c140abd1bf17456e13d81c8343f3d1635603cf8de0ad9dd687d3dc714644a4d49bbc98a650df5b1a2b70596050b328de54edf3482f716f90a703642a1d82d2e +Size (asterisk-14.7.8/asterisk-14.7.8.tar.gz) = 40819741 bytes +SHA1 (asterisk-14.7.8/asterisk-extra-sounds-en-gsm-1.5.1.tar.gz) = 8bd05d42d45454b642f1d2e598e00e2189747846 +RMD160 (asterisk-14.7.8/asterisk-extra-sounds-en-gsm-1.5.1.tar.gz) = 2320f0c9b884c1d7e80003668fbae03cf4495842 +SHA512 (asterisk-14.7.8/asterisk-extra-sounds-en-gsm-1.5.1.tar.gz) = 6da96ecf9fb2051fd7efc1c5f9b346f6ec7b31d06b7008e0612c869984a3212141ec981132ddd55215339e04c6c27b48d8b3737bd1fa974bffd628a0505212b4 +Size (asterisk-14.7.8/asterisk-extra-sounds-en-gsm-1.5.1.tar.gz) = 4254022 bytes SHA1 
(patch-Makefile) = 8e6c47cabfc2dffcfd8c5a5d2eb0c76e864a5519 SHA1 (patch-addons_chan__ooh323.c) = 9cba619ced6a4449604faebeac33d91a23519c48 SHA1 (patch-apps_app__dumpchan.c) = 127ac02bdc180ad2334cd095aa6e646feb6fba10 @@ -49,6 +49,7 @@ SHA1 (patch-pbx_pbx__dundi.c) = 1bc28ff2 SHA1 (patch-res_res__calendar.c) = 45211a3baf8fbd8b201ba0167f8c56fb35728c4a SHA1 (patch-res_res__calendar__caldav.c) = afe2f4806dd57148dde11baeefaa7897fce4d485 SHA1 (patch-res_res__calendar__icalendar.c) = ed34b7147d8834ebadac9b1b8488a4c645f90a5b +SHA1 (patch-res_srtp_srtp__compat.h) = f80f2043d3ad15d0a490392cd77cf9a00bf4905f SHA1 (patch-sounds_Makefile) = 57cff080350c828526a276f44665ce11e2b93865 SHA1 (patch-tests_test__locale.c) = f3f1edc86356f2a7b4d3493433c772e164c77f66 SHA1 (patch-tests_test__voicemail__api.c) = c600f726136581e47cf34da2c0bb485b8a5912eb Added files: Index: pkgsrc/comms/asterisk14/patches/patch-res_srtp_srtp__compat.h diff -u /dev/null pkgsrc/comms/asterisk14/patches/patch-res_srtp_srtp__compat.h:1.1 --- /dev/null Tue May 5 17:59:10 2020 +++ pkgsrc/comms/asterisk14/patches/patch-res_srtp_srtp__compat.h Tue May 5 17:59:10 2020 
@@ -0,0 +1,25 @@ +$NetBSD: patch-res_srtp_srtp__compat.h,v 1.1 2020/05/05 17:59:10 adam Exp $ + +Fix for newer comms/srtp (from asterisk15). + +--- res/srtp/srtp_compat.h.orig 2018-09-20 18:48:30.000000000 +0000 ++++ res/srtp/srtp_compat.h +@@ -16,6 +16,18 @@ + #define crypto_policy_set_aes_gcm_128_8_auth srtp_crypto_policy_set_aes_gcm_128_8_auth + #define crypto_policy_set_aes_gcm_256_8_auth srtp_crypto_policy_set_aes_gcm_256_8_auth + ++#if defined(SRTP_AES_GCM_128_KEY_LEN_WSALT) ++#define AES_128_GCM_KEYSIZE_WSALT SRTP_AES_GCM_128_KEY_LEN_WSALT ++#else ++#define AES_128_GCM_KEYSIZE_WSALT SRTP_AES_128_GCM_KEYSIZE_WSALT ++#endif ++ ++#if defined(SRTP_AES_GCM_256_KEY_LEN_WSALT) ++#define AES_256_GCM_KEYSIZE_WSALT SRTP_AES_GCM_256_KEY_LEN_WSALT ++#else ++#define AES_256_GCM_KEYSIZE_WSALT SRTP_AES_256_GCM_KEYSIZE_WSALT ++#endif ++ + #define err_status_t srtp_err_status_t + #define err_status_ok srtp_err_status_ok + #define err_status_fail srtp_err_status_fail --_----------=_1588701550232720--
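
Review bot: in the Makefile hunk at @@ -283,7 +282,7 @@, the rewritten .if line uses a bare ${PKGSRC_COMPILER:Mclang} expansion as its truth value, which is easy to misread; spelling it as !empty(PKGSRC_COMPILER:Mclang) makes the emptiness test explicit. The condition also changes meaning, from an exact comparison of the whole value with "clang" to a match on any word of the value, and the log message does not mention this, so a line in the commit message saying why the match was widened would help later readers.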
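
Review bot: in the distinfo hunk at @@ -1,13 +1,13 @@, the new SHA1, RMD160, SHA512 and Size lines for asterisk-14.7.8.tar.gz are the only integrity control on the fetch, because both MASTER_SITES entries visible in the Makefile context are plain http:// URLs. The commit does not record how these values were obtained; stating in the log message that they were checked against upstream's published checksum or signature, rather than computed from the downloaded file alone, would make the update auditable. The extra-sounds tarball entries change only in their directory prefix, with identical hashes, which is what a DISTNAME bump should produce.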
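
Review bot: in the added patch-res_srtp_srtp__compat.h hunk, both #else branches assume the older SRTP_AES_128_GCM_KEYSIZE_WSALT and SRTP_AES_256_GCM_KEYSIZE_WSALT names exist whenever the newer SRTP_AES_GCM_*_KEY_LEN_WSALT macro is not defined, and defined() only sees preprocessor macros, so a header that exposes the newer names some other way would silently take the fallback. Since these constants size AES-GCM key-plus-salt material, a short comment naming the comms/srtp versions each branch targets would be worth adding. The patch description "Fix for newer comms/srtp (from asterisk15)" should also cite the upstream change it was taken from so the origin can be checked.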
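
The AST-2018-005 entry in the log message above describes a reference that the send call releases on success but leaves with the caller on failure. The following C model of that ownership contract is an added illustration, not Asterisk or pjproject code; struct tdata, send_response, the challenge_* functions and leaked_after are hypothetical names.

```c
#include <stdio.h>

/* Hypothetical stand-in for a ref-counted pjsip tdata (not the pjproject type). */
struct tdata { int refs; };

static void tdata_dec_ref(struct tdata *t) { if (t->refs > 0) t->refs--; }

/* Models the contract in the log message: on success the callee drops the
 * reference, on failure the reference stays with the caller. */
static int send_response(struct tdata *t, int transport_ok)
{
    if (!transport_ok)
        return -1;          /* failure: caller still owns the reference */
    tdata_dec_ref(t);       /* success: reference consumed by the send */
    return 0;
}

/* Before: return status ignored, so a failed send leaves the reference held. */
static int challenge_unchecked(int transport_ok)
{
    struct tdata t = { 1 };
    (void)send_response(&t, transport_ok);
    return t.refs;          /* references still outstanding */
}

/* After: check the status and release the reference on the error path. */
static int challenge_checked(int transport_ok)
{
    struct tdata t = { 1 };
    if (send_response(&t, transport_ok) != 0)
        tdata_dec_ref(&t);
    return t.refs;
}

/* References left outstanding after n sends that all fail. */
static int leaked_after(int n, int (*caller)(int))
{
    int leaked = 0;
    for (int i = 0; i < n; i++)
        leaked += caller(0);
    return leaked;
}

int main(void)
{
    printf("unchecked: %d leaked of 1000\n", leaked_after(1000, challenge_unchecked));
    printf("checked:   %d leaked of 1000\n", leaked_after(1000, challenge_checked));
    return 0;
}
```

Every failed response in the unchecked path leaves one reference behind, so the leak grows with the number of requests whose response cannot be sent.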