commit:     458b342d0d2bbb84666f320612f6a6fc9c061903
Author:     Tony Vroon <chainsaw <AT> gentoo <DOT> org>
AuthorDate: Fri Mar  9 16:04:25 2018 +0000
Commit:     Tony Vroon <chainsaw <AT> gentoo <DOT> org>
CommitDate: Fri Mar  9 16:04:46 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=458b342d

net-misc/asterisk: 13.19.2 for CVE-2018-7284 & CVE-2018-7286

Both vulnerabilities are in res_pjsip and allow a remote DoS. One is triggered by
sending a lot of SIP INVITE messages on SIP TCP or SIP-TLS channels and then
tearing them down. The other involves a SUBSCRIBE request containing more than
32 Accept headers, which overflows the statically allocated buffer.
If you prevent res_pjsip from loading and use the classic chan_sip driver, you
may not be vulnerable. However, this upgrade is being pushed out to all.

Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-13.19.2.ebuild | 327 ++++++++++++++++++++++++++++++
 2 files changed, 328 insertions(+)

diff --git a/net-misc/asterisk/Manifest b/net-misc/asterisk/Manifest
index 5a561c24d8c..3a92933e1e4 100644
--- a/net-misc/asterisk/Manifest
+++ b/net-misc/asterisk/Manifest
@@ -2,6 +2,7 @@ DIST asterisk-11.25.1.tar.gz 35125897 BLAKE2B 
42f79202c3e69dc0ff1ddad909c87bc0a0
 DIST asterisk-11.25.3.tar.gz 35134682 BLAKE2B 
9da24d5d6a674ab660edb103e5fc56ddfbcc58cd86166cc08cceb0598a63b51eae36133565e09a30ad11ff6623ba8945437dfb561d2916f68341d398540dabce
 SHA512 
9c0521d55e5b69663ea40066d52e397ba6c165a4b20cd0a1e5e375b9c0e5a6e4f37908e50b0b580e288dec9be252af9a8bce7bceb03ba029f902fb757e6311ed
 DIST asterisk-13.17.2.tar.gz 32899368 BLAKE2B 
539155dc4b9db3cd736fa8ca4e4b1f09330be2d7bc994ee89dc73645f411bf6d012d85f322c07146bac2b5b258802232960d6e102d840d6b48b796a7d8923513
 SHA512 
008354cb0cba679444bfbfd4be34d919ea0a0a0cbd60541b7528d254ab0fa92efee118d5b006e8dc7b709f9c44fd391026df9b8705d17515494a23ad36dedd4b
 DIST asterisk-13.19.0.tar.gz 33027887 BLAKE2B 
f799f51dc4b45d6db2261abfae33f41416616650702ff0cf6c253a80cf2f554f180df9e90bd107ac6a29eeeeef16e3bfadba087f6485fa93978899590b417443
 SHA512 
5404080a42e2d6d76b8fa8629c9570ae55c943676c51901a34552dc69c35f82001a1738e2da3adedf1de254bc8d1821ea7708f844685462ecdd1fd4e979e0e7f
+DIST asterisk-13.19.2.tar.gz 32991960 BLAKE2B 
3b1f731fb68e2d455bfc76e863a8abbd8903ac2f7e89f5bc4b97db0072b0999679a79e6ebbb55c886847fb1db639b6ad84d1f7de1fc3414968ab6b48c5eed72f
 SHA512 
3ee3d57d359ce3049480303b9662a33a905d08491e84d898fd6ee170ee9d34b8bdfcd082b80120dab606929a03572141fe219da75bb87770ed206aeb0249f1e4
 DIST gentoo-asterisk-patchset-3.17.tar.bz2 5074 BLAKE2B 
3c945e77b54b2449253acb9fcea8d289a7a3184729190622c14aff5557d36c93556efa83320fe4e7ae84021960c09f35ae9f997e8015706eef933aae2948309e
 SHA512 
37f86f3c699b2643afd8080391e817a282571694bb56e00efd0734918dbc33d6c12a2463dbc24667597420863b4f506870140fbb8ef3f1700124ef790ae7252d
 DIST gentoo-asterisk-patchset-4.05.tar.bz2 2889 BLAKE2B 
788b923300324241d0272b2533cbad5b18189fa46f0ed620256aadb2a840880dccb66f839edc323e90c46bb3748127caeb59b84b017722491c52e6f5f6dcd8f0
 SHA512 
6fdb245e37074f124f4725c25a1547c872f6216eb1d37faeda8ed7c5e4dc87424e9c1ba20bb34722165027692916bde4c8bfc816ac5c89710972bb3f51bd1b75
 DIST gentoo-asterisk-patchset-4.07.tar.bz2 2471 BLAKE2B 
d9026e7e8c12431496c24f204d117ed715741623195af10c838ec3ac5ce6a26fbb2d76d4c45c538881b532084e2ce74d2de83a27a0abaa5f65791be91416ef6d
 SHA512 
73a9f92e6a737687c311941100c45bbc573f54fa79d0284318996c0d70274a4d2218693406d71b371496d27123d4d99bbc159974388e6547a682c06084d3b4c5

diff --git a/net-misc/asterisk/asterisk-13.19.2.ebuild 
b/net-misc/asterisk/asterisk-13.19.2.ebuild
new file mode 100644
index 00000000000..e0b88a37696
--- /dev/null
+++ b/net-misc/asterisk/asterisk-13.19.2.ebuild
@@ -0,0 +1,327 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit autotools eutils linux-info multilib user systemd
+
+MY_P="${PN}-${PV/_/-}"
+
+DESCRIPTION="Asterisk: A Modular Open Source PBX System"
+HOMEPAGE="http://www.asterisk.org/";
+SRC_URI="http://downloads.asterisk.org/pub/telephony/asterisk/releases/${MY_P}.tar.gz
+        mirror://gentoo/gentoo-asterisk-patchset-4.07.tar.bz2"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+IUSE_VOICEMAIL_STORAGE="
+       +voicemail_storage_file
+       voicemail_storage_odbc
+       voicemail_storage_imap
+"
+IUSE="${IUSE_VOICEMAIL_STORAGE} alsa bluetooth calendar +caps cluster curl 
dahdi debug doc freetds gtalk http iconv ilbc xmpp ldap libedit libressl lua 
mysql newt +samples odbc osplookup oss pjproject portaudio postgres radius 
selinux snmp span speex srtp static syslog vorbis"
+IUSE_EXPAND="VOICEMAIL_STORAGE"
+REQUIRED_USE="gtalk? ( xmpp )
+       ^^ ( ${IUSE_VOICEMAIL_STORAGE/+/} )
+       voicemail_storage_odbc? ( odbc )
+"
+
+EPATCH_SUFFIX="patch"
+PATCHES=( "${WORKDIR}/asterisk-patchset" )
+
+CDEPEND="dev-db/sqlite:3
+       dev-libs/popt
+       dev-libs/jansson
+       dev-libs/libxml2
+       !libressl? ( dev-libs/openssl:0 )
+       libressl? ( dev-libs/libressl )
+       sys-libs/ncurses:*
+       sys-libs/zlib
+       alsa? ( media-libs/alsa-lib )
+       bluetooth? ( net-wireless/bluez )
+       calendar? ( net-libs/neon
+                dev-libs/libical
+                dev-libs/iksemel )
+       caps? ( sys-libs/libcap )
+       cluster? ( sys-cluster/corosync )
+       curl? ( net-misc/curl )
+       dahdi? ( >=net-libs/libpri-1.4.12_beta2
+               net-misc/dahdi-tools )
+       freetds? ( dev-db/freetds )
+       gtalk? ( dev-libs/iksemel )
+       http? ( dev-libs/gmime:2.6 )
+       iconv? ( virtual/libiconv )
+       ilbc? ( dev-libs/ilbc-rfc3951 )
+       xmpp? ( dev-libs/iksemel )
+       ldap? ( net-nds/openldap )
+       libedit? ( dev-libs/libedit )
+       lua? ( dev-lang/lua:* )
+       mysql? ( virtual/mysql )
+       newt? ( dev-libs/newt )
+       odbc? ( dev-db/unixODBC )
+       osplookup? ( net-libs/osptoolkit )
+       portaudio? ( media-libs/portaudio )
+       postgres? ( dev-db/postgresql:* )
+       radius? ( net-dialup/freeradius-client )
+       snmp? ( net-analyzer/net-snmp )
+       span? ( media-libs/spandsp )
+       speex? ( media-libs/speex )
+       srtp? ( net-libs/libsrtp:0 )
+       vorbis? ( media-libs/libvorbis )"
+
+DEPEND="${CDEPEND}
+       !net-libs/openh323
+       !net-libs/pjsip
+       voicemail_storage_imap? ( virtual/imap-c-client )
+       virtual/pkgconfig
+       pjproject? ( >=net-libs/pjproject-2.6 )
+"
+
+RDEPEND="${CDEPEND}
+       selinux? ( sec-policy/selinux-asterisk )
+       syslog? ( virtual/logger )"
+
+PDEPEND="net-misc/asterisk-core-sounds
+       net-misc/asterisk-extra-sounds
+       net-misc/asterisk-moh-opsound"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+       CONFIG_CHECK="~!NF_CONNTRACK_SIP"
+       local WARNING_NF_CONNTRACK_SIP="SIP (NAT) connection tracking is 
enabled. Some users
+       have reported that this module dropped critical SIP packets in their 
deployments. You
+       may want to disable it if you see such problems."
+       check_extra_config
+
+       enewgroup asterisk
+       enewgroup dialout 20
+       enewuser asterisk -1 -1 /var/lib/asterisk "asterisk,dialout"
+}
+
+src_prepare() {
+       default
+       AT_M4DIR="autoconf third-party third-party/pjproject" eautoreconf
+}
+
+src_configure() {
+       local vmst
+
+       econf \
+               --libdir="/usr/$(get_libdir)" \
+               --localstatedir="/var" \
+               --with-crypto \
+               --with-gsm=internal \
+               --with-popt \
+               --with-ssl \
+               --with-z \
+               --without-pwlib \
+               $(use_with caps cap) \
+               $(use_with http gmime) \
+               $(use_with newt) \
+               $(use_with portaudio) \
+               $(use_with pjproject)
+
+       # Blank out sounds/sounds.xml file to prevent
+       # asterisk from installing sounds files (we pull them in via
+       # asterisk-{core,extra}-sounds and asterisk-moh-opsound.
+       >"${S}"/sounds/sounds.xml
+
+       # That NATIVE_ARCH chatter really is quite bothersome
+       sed -i 's/NATIVE_ARCH=/NATIVE_ARCH=0/' build_tools/menuselect-deps || 
die "Unable to squelch noisy build system"
+
+       # Compile menuselect binary for optional components
+       emake menuselect.makeopts
+
+       # Broken functionality is forcibly disabled (bug #360143)
+       menuselect/menuselect --disable chan_misdn menuselect.makeopts
+       menuselect/menuselect --disable chan_ooh323 menuselect.makeopts
+
+       # Utility set is forcibly enabled (bug #358001)
+       menuselect/menuselect --enable smsq menuselect.makeopts
+       menuselect/menuselect --enable streamplayer menuselect.makeopts
+       menuselect/menuselect --enable aelparse menuselect.makeopts
+       menuselect/menuselect --enable astman menuselect.makeopts
+
+       # this is connected, otherwise it would not find
+       # ast_pktccops_gate_alloc symbol
+       menuselect/menuselect --enable chan_mgcp menuselect.makeopts
+       menuselect/menuselect --enable res_pktccops menuselect.makeopts
+
+       # SSL is forcibly enabled, IAX2 & DUNDI are expected to be available
+       menuselect/menuselect --enable pbx_dundi menuselect.makeopts
+       menuselect/menuselect --enable func_aes menuselect.makeopts
+       menuselect/menuselect --enable chan_iax2 menuselect.makeopts
+
+       # SQlite3 is now the main database backend, enable related features
+       menuselect/menuselect --enable cdr_sqlite3_custom menuselect.makeopts
+       menuselect/menuselect --enable cel_sqlite3_custom menuselect.makeopts
+
+       # The others are based on USE-flag settings
+       use_select() {
+               local state=$(use "$1" && echo enable || echo disable)
+               shift # remove use from parameters
+
+               while [[ -n $1 ]]; do
+                       menuselect/menuselect --${state} "$1" 
menuselect.makeopts
+                       shift
+               done
+       }
+
+       use_select alsa                 chan_alsa
+       use_select bluetooth            chan_mobile
+       use_select calendar             res_calendar 
res_calendar_{caldav,ews,exchange,icalendar}
+       use_select cluster              res_corosync
+       use_select curl                 func_curl res_config_curl res_curl
+       use_select dahdi                app_dahdiras app_meetme chan_dahdi 
codec_dahdi res_timing_dahdi
+       use_select freetds              {cdr,cel}_tds
+       use_select gtalk                chan_motif
+       use_select http                 res_http_post
+       use_select iconv                func_iconv
+       use_select xmpp                 res_xmpp
+       use_select ilbc                 codec_ilbc format_ilbc
+       use_select ldap                 res_config_ldap
+       use_select lua                  pbx_lua
+       use_select mysql                app_mysql cdr_mysql res_config_mysql
+       use_select odbc                 cdr_adaptive_odbc res_config_odbc 
{cdr,cel,res,func}_odbc
+       use_select osplookup            app_osplookup
+       use_select oss                  chan_oss
+       use_select postgres             {cdr,cel}_pgsql res_config_pgsql
+       use_select radius               {cdr,cel}_radius
+       use_select snmp                 res_snmp
+       use_select span                 res_fax_spandsp
+       use_select speex                {codec,func}_speex
+       use_select srtp                 res_srtp
+       use_select syslog               cdr_syslog
+       use_select vorbis               format_ogg_vorbis
+
+       # Voicemail storage ...
+       for vmst in ${IUSE_VOICEMAIL_STORAGE/+/}; do
+               if use ${vmst}; then
+                       menuselect/menuselect --enable $(echo ${vmst##*_} | tr 
'[:lower:]' '[:upper:]')_STORAGE menuselect.makeopts
+               fi
+       done
+
+       if use debug; then
+               for o in DONT_OPTIMIZE DEBUG_THREADS BETTER_BACKTRACES; do
+                       menuselect/menuselect --enable $o menuselect.makeopts
+               done
+       fi
+}
+
+src_compile() {
+       ASTLDFLAGS="${LDFLAGS}" emake
+}
+
+src_install() {
+       mkdir -p "${D}"usr/$(get_libdir)/pkgconfig || die
+       emake DESTDIR="${D}" installdirs
+       emake DESTDIR="${D}" install
+
+       if use radius; then
+               insinto /etc/radiusclient/
+               doins contrib/dictionary.digium
+       fi
+       diropts -m 0750 -o root -g asterisk
+       keepdir /etc/asterisk
+       if use samples; then
+               emake DESTDIR="${D}" samples
+               for conffile in "${D}"etc/asterisk/*.*
+               do
+                       chown root:root $conffile
+                       chmod 0644 $conffile
+               done
+               einfo "Sample files have been installed"
+       else
+               einfo "Skipping installation of sample files..."
+               rm -f  "${D}"var/lib/asterisk/mohmp3/* || die
+               rm -f  "${D}"var/lib/asterisk/sounds/demo-* || die
+               rm -f  "${D}"var/lib/asterisk/agi-bin/* || die
+               rm -f  "${D}"etc/asterisk/* || die
+       fi
+       rm -rf "${D}"var/spool/asterisk/voicemail/default || die
+
+       # keep directories
+       diropts -m 0770 -o asterisk asterisk
+       keepdir /var/lib/asterisk
+       keepdir /var/spool/asterisk
+       keepdir 
/var/spool/asterisk/{system,tmp,meetme,monitor,dictate,voicemail}
+       diropts -m 0750 -o asterisk -g asterisk
+       keepdir /var/log/asterisk/{cdr-csv,cdr-custom}
+
+       newinitd "${FILESDIR}"/1.8.0/asterisk.initd8 asterisk
+       newconfd "${FILESDIR}"/1.8.0/asterisk.confd asterisk
+
+       systemd_dounit "${FILESDIR}"/asterisk.service
+       systemd_newtmpfilesd "${FILESDIR}"/asterisk.tmpfiles.conf asterisk.conf
+       systemd_install_serviced "${FILESDIR}"/asterisk.service.conf
+
+       # install the upgrade documentation
+       #
+       dodoc UPGRADE* BUGS CREDITS
+
+       # install extra documentation
+       #
+       if use doc
+       then
+               dodoc doc/*.txt
+               dodoc doc/*.pdf
+       fi
+
+       # install SIP scripts; bug #300832
+       #
+       dodoc "${FILESDIR}/1.6.2/sip_calc_auth"
+       dodoc "${FILESDIR}/1.8.0/find_call_sip_trace.sh"
+       dodoc "${FILESDIR}/1.8.0/find_call_ids.sh"
+       dodoc "${FILESDIR}/1.6.2/call_data.txt"
+
+       # install logrotate snippet; bug #329281
+       #
+       insinto /etc/logrotate.d
+       newins "${FILESDIR}/1.6.2/asterisk.logrotate4" asterisk
+}
+
+pkg_postinst() {
+       #
+       # Announcements, warnings, reminders...
+       #
+       einfo "Asterisk has been installed"
+       echo
+       elog "If you want to know more about asterisk, visit these sites:"
+       elog "http://www.asteriskdocs.org/";
+       elog "http://www.voip-info.org/wiki-Asterisk";
+       echo
+       elog "http://www.automated.it/guidetoasterisk.htm";
+       echo
+       elog "Gentoo VoIP IRC Channel:"
+       elog "#gentoo-voip @ irc.freenode.net"
+       echo
+       echo
+       elog "Please read the Asterisk 13 upgrade document:"
+       elog 
"https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13";
+}
+
+pkg_config() {
+       einfo "Do you want to reset file permissions and ownerships (y/N)?"
+
+       read tmp
+       tmp="$(echo $tmp | tr '[:upper:]' '[:lower:]')"
+
+       if [[ "$tmp" = "y" ]] ||\
+               [[ "$tmp" = "yes" ]]
+       then
+               einfo "Resetting permissions to defaults..."
+
+               for x in spool run lib log; do
+                       chown -R asterisk:asterisk "${ROOT}"var/${x}/asterisk
+                       chmod -R u=rwX,g=rwX,o=    "${ROOT}"var/${x}/asterisk
+               done
+
+               chown -R root:asterisk  "${ROOT}"etc/asterisk
+               chmod -R u=rwX,g=rwX,o= "${ROOT}"etc/asterisk
+
+               einfo "done"
+       else
+               einfo "skipping"
+       fi
+}
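Review bot: In src_install the first call under "# keep directories" reads `diropts -m 0770 -o asterisk asterisk`, which lacks the `-g` that the other two diropts calls in this function carry, so the trailing `asterisk` is not taken as the group. The keepdir'd /var/lib/asterisk and /var/spool/asterisk trees (voicemail, monitor and the rest) would then presumably be installed with the default group rather than asterisk, at least until pkg_config is run to reset ownership. It should read `diropts -m 0770 -o asterisk -g asterisk`. Separately, the sample-config loop runs `chown root:root $conffile` and `chmod 0644 $conffile` unquoted and unchecked, so a failure there passes silently; `chown root:root "${conffile}" || die` and the same for chmod would make it fail loudly.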
