Enough stalling.  Here's a debdiff for a sarge security update.  I have
tested that the warning message is certainly triggered by the bogus
length values Adam found.  I *think* the bug may only be exploitable on
64-bit systems, as read() calls seem to fail immediately where the
length would result in wrapping around the virtual address space.  I
don't have a 64-bit system to test on.

I removed the letohl() calls because the function doesn't exist in
Asterisk 1.0.7 and it wouldn't fix the whole problem (and I don't know
quite what would need to be changed to do so).  If any of the so-called
"maintainers" actually care about this package they could perhaps
arrange to disable chan_skinny on big-endian platforms in this security
update, since it can't work properly and the endian bugs might pose
other security problems.

Ben.

diff -u asterisk-1.0.7.dfsg.1/debian/patches/00list asterisk-1.0.7.dfsg.1/debian/patches/00list
--- asterisk-1.0.7.dfsg.1/debian/patches/00list
+++ asterisk-1.0.7.dfsg.1/debian/patches/00list
@@ -18,0 +19,1 @@
+99_CVE-2006-5444.dpatch
diff -u asterisk-1.0.7.dfsg.1/debian/changelog asterisk-1.0.7.dfsg.1/debian/changelog
--- asterisk-1.0.7.dfsg.1/debian/changelog
+++ asterisk-1.0.7.dfsg.1/debian/changelog
@@ -1,3 +1,12 @@
+asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high
+
+  * Non-maintainer upload
+  * Backported fix for buffer overflow in chan_skinny driver
+    induced by an undetected integer underflow
+    [debian/patches/99_CVE-2006-5444.dpatch] (Closes: #394025)
+
+ -- Ben Hutchings <[EMAIL PROTECTED]>  Sat, 25 Nov 2006 16:12:26 +0000
+
 asterisk (1:1.0.7.dfsg.1-2sarge3) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
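Review bot: the changelog entry only records the integer-underflow fix, but the dpatch it references also removes an `ast_mutex_unlock(&s->lock)` call (its DP: header says "Remove bogus mutex unlock in case it can cause denial of service"). Add a second bullet for that behavioural change so anyone reading the changelog knows the update touches locking as well as length validation.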
only in patch2:
unchanged:
--- asterisk-1.0.7.dfsg.1.orig/debian/patches/99_CVE-2006-5444.dpatch
+++ asterisk-1.0.7.dfsg.1/debian/patches/99_CVE-2006-5444.dpatch
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_CVE-2006-5444.dpatch by <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix buffer overflow in chan_skinny driver induced by an undetected
+## DP: integer underflow (CVE-2006-5444).
+## DP: Remove bogus mutex unlock in case it can cause denial of service.
+
[EMAIL PROTECTED]@
+--- asterisk-1.0.7.dfsg.1/channels/chan_skinny.c.orig  2006-10-20 
00:10:49.000000000 +0000
++++ asterisk-1.0.7.dfsg.1/channels/chan_skinny.c       2006-10-20 
00:16:37.000000000 +0000
+@@ -2305,10 +2305,14 @@
+                       return -1;
+               }
+               dlen = *(int *)s->inbuf;
++              if (dlen < 0) {
++                      ast_log(LOG_WARNING, "Skinny Client sent invalid 
data.\n");
++                      return -1;
++              }
+               if (dlen+8 > sizeof(s->inbuf))
+                       dlen = sizeof(s->inbuf) - 8;
++              *(int *)s->inbuf = dlen;
+               res = read(s->fd, s->inbuf+4, dlen+4);
+-              ast_mutex_unlock(&s->lock);
+               if (res != (dlen+4)) {
+                       ast_log(LOG_WARNING, "Skinny Client sent less data than 
expected.\n");
+                       return -1;
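Review bot: the new `if (dlen < 0)` check must stay ahead of the clamp `if (dlen+8 > sizeof(s->inbuf))`, because that comparison promotes the signed `dlen` to `size_t`; with a negative `dlen` the promoted value is huge, the clamp would set `dlen = sizeof(s->inbuf) - 8`, and the underflow would go undetected, so the ordering in this hunk is correct and is worth a one-line comment to keep it that way. The write-back `*(int *)s->inbuf = dlen;` is not described in the DP: lines; add a sentence saying it stores the clamped length so later code that re-reads the header from `inbuf` sees the same value that was actually read. For the removed `ast_mutex_unlock(&s->lock)`, the visible context shows no matching `ast_mutex_lock` in this path, so state in the DP: description that the unlock is removed because the lock is not held here rather than the vaguer "in case it can cause denial of service". Finally, the length is still read as a raw host-order `int` (`dlen = *(int *)s->inbuf`), which the cover mail notes is wrong on big-endian hosts; the range checks added here do not address that, so the DP: header should say the endianness issue is out of scope for this update.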
-- END --

-- 
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.
