Bug#850084: jessie-pu: package asterisk/1:11.13.1~dfsg-2+deb8u2

Bernhard Schmidt Tue, 03 Jan 2017 15:09:48 -0800

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu


Hi,

I would like to fix CVE-2016-9938 (Bug #847668) with the upcoming point 
release. 
The issue has been categorized no-dsa by the security team before.

debdiff to +deb8u1 attached.

Bernhard

diff -Nru asterisk-11.13.1~dfsg/debian/changelog 
asterisk-11.13.1~dfsg/debian/changelog
--- asterisk-11.13.1~dfsg/debian/changelog      2016-10-23 21:28:38.000000000 
+0200
+++ asterisk-11.13.1~dfsg/debian/changelog      2017-01-03 23:54:39.000000000 
+0100
@@ -1,3 +1,10 @@
+asterisk (1:11.13.1~dfsg-2+deb8u2) jessie; urgency=medium
+
+  * AST-2016-009: non-printable ASCII chars treated as whitespace 
(CVE-2016-9938)
+    (Closes: #847668)
+
+ -- Bernhard Schmidt <be...@debian.org>  Tue, 03 Jan 2017 23:54:39 +0100
+
 asterisk (1:11.13.1~dfsg-2+deb8u1) jessie-security; urgency=high
 
   [ Tzafrir Cohen ]
diff -Nru asterisk-11.13.1~dfsg/debian/patches/AST-2016-009-11.diff 
asterisk-11.13.1~dfsg/debian/patches/AST-2016-009-11.diff
--- asterisk-11.13.1~dfsg/debian/patches/AST-2016-009-11.diff   1970-01-01 
01:00:00.000000000 +0100
+++ asterisk-11.13.1~dfsg/debian/patches/AST-2016-009-11.diff   2017-01-03 
23:54:39.000000000 +0100
@@ -0,0 +1,27 @@
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 556db57..9c74acb 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -8132,8 +8132,6 @@ static const char *__get_header(const struct sip_request 
*req, const char *name,
+        * one afterwards.  If you shouldn't do it, what absolute idiot decided 
it was
+        * a good idea to say you can do it, and if you can do it, why in the 
hell would.
+        * you say you shouldn't.
+-       * Anyways, pedanticsipchecking controls whether we allow spaces before 
':',
+-       * and we always allow spaces after that for compatibility.
+        */
+       const char *sname = find_alias(name, NULL);
+       int x, len = strlen(name), slen = (sname ? 1 : 0);
+@@ -8146,10 +8144,10 @@ static const char *__get_header(const struct 
sip_request *req, const char *name,
+               if (match || smatch) {
+                       /* skip name */
+                       const char *r = header + (match ? len : slen );
+-                      if (sip_cfg.pedanticsipchecking) {
+-                              r = ast_skip_blanks(r);
++                      /* HCOLON has optional SP/HTAB; skip past those */
++                      while (*r == ' ' || *r == '\t') {
++                              ++r;
+                       }
+-
+                       if (*r == ':') {
+                               *start = x+1;
+                               return ast_skip_blanks(r+1);
diff -Nru asterisk-11.13.1~dfsg/debian/patches/series 
asterisk-11.13.1~dfsg/debian/patches/series
--- asterisk-11.13.1~dfsg/debian/patches/series 2016-10-23 21:28:38.000000000 
+0200
+++ asterisk-11.13.1~dfsg/debian/patches/series 2017-01-03 23:54:39.000000000 
+0100
@@ -44,3 +44,4 @@
 AST-2016-002-11.diff
 AST-2016-003-11.diff
 AST-2016-007.patch
+AST-2016-009-11.diff

Bug#850084: jessie-pu: package asterisk/1:11.13.1~dfsg-2+deb8u2

Reply via email to