commit: 8979cd86bc10fb98bb70fc9a710d17912af73982 Author: Tony Vroon <chainsaw <AT> gentoo <DOT> org> AuthorDate: Wed Oct 17 08:26:36 2018 +0000 Commit: Tony Vroon <chainsaw <AT> gentoo <DOT> org> CommitDate: Wed Oct 17 08:29:28 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8979cd86
net-misc/asterisk: CVE-2018-12227, CVE-2018-17281 Version bump to 13.23.1 to address 2 security vulnerabilities. CVE-2018-12227: PJSIP information disclosure SIP requests blocked by ACL respond 403 for an endpoint that exists and 401 for an endpoint that does not, allowing an attacker to identify valid accounts. CVE-2018-17281: HTTP websocket stack overflow An attacker can exhaust available stack space and crash the running Asterisk instance by sending a specially crafted HTTP request to res_http_websocket.so Bug: https://bugs.gentoo.org/668848 Signed-Off-By: Tony Vroon <chainsaw <AT> gentoo.org> Package-Manager: Portage-2.3.49, Repoman-2.3.11 net-misc/asterisk/Manifest | 1 + net-misc/asterisk/asterisk-13.23.1.ebuild | 327 ++++++++++++++++++++++++++++++ 2 files changed, 328 insertions(+) diff --git a/net-misc/asterisk/Manifest b/net-misc/asterisk/Manifest index cbfd28fd353..b5607f685a2 100644 --- a/net-misc/asterisk/Manifest +++ b/net-misc/asterisk/Manifest @@ -5,5 +5,6 @@ DIST asterisk-13.19.2.tar.gz 32991960 BLAKE2B 3b1f731fb68e2d455bfc76e863a8abbd89 DIST asterisk-13.20.0.tar.gz 32986236 BLAKE2B bc634d93ce4d0a6b524554fa35845a2f289035aea9e7da3098517cdd6d2c85c94482d393276937ea0bc7064260835757e5ffc048f10ea73ba9c0525fd1cf0457 SHA512 de3e740b0dc5bc90806282cbe16f5ec6d151c4a7520b965e6ed30e3cd88d3dc8aca1994c7ae929c039ad755688af6f09a825b665665aacb10cf2566eaa270ca5 DIST asterisk-13.21.0.tar.gz 32998111 BLAKE2B 7119c541efe80435db6b39571e25e24159b3929f075bd7fd8b1e3260a309bf1ab03599a79aea7d47c429af7e1553d1d89f348c55022e359a43b3fb98ee94882d SHA512 05b10017429a5c339bd50f7576e3198ffd6a71d698f7ad3f604d3e87b76f86da59841bad583c3d979e6e1b7a9fe9fba432c2a9c5faaa1e4dc48003228c637110 DIST asterisk-13.22.0.tar.gz 33036487 BLAKE2B 09febd1d9ca875b532dffb7e2be5bda0aa9b2aac22d39a28ee3270d5bcb46f56946549aa5d7c8159c00fdb5a7f36e6f5466d6ebfc93f39cb65276efe0bee52b9 SHA512 eb5416d6911aac474c4a1532b1452b0d05359e4150b2e03ba8ac7d5f5f8bfc837a1640fcf26dfa8452b3a738af37e5659f5db6680c16d3ff1ee6c785864c5d5c +DIST asterisk-13.23.1.tar.gz 33064056 BLAKE2B 7f531766df5f2db29b562e7c7d4e265d5cf610f192188691279c0294195b835bb62beef19d7e9554862e6b44764064b21d50a3e307bbf85dd12b67a2df8be459 SHA512 227bfc80b2e6382019d608296c4e1c8e992ba867636fa2c8ee578d0aa406b8828bf7962b24035d9b581c433afd18be7cbe98eb954112661b9759b6296ee686dd DIST gentoo-asterisk-patchset-3.17.tar.bz2 5074 BLAKE2B 3c945e77b54b2449253acb9fcea8d289a7a3184729190622c14aff5557d36c93556efa83320fe4e7ae84021960c09f35ae9f997e8015706eef933aae2948309e SHA512 37f86f3c699b2643afd8080391e817a282571694bb56e00efd0734918dbc33d6c12a2463dbc24667597420863b4f506870140fbb8ef3f1700124ef790ae7252d DIST gentoo-asterisk-patchset-4.07.tar.bz2 2471 BLAKE2B d9026e7e8c12431496c24f204d117ed715741623195af10c838ec3ac5ce6a26fbb2d76d4c45c538881b532084e2ce74d2de83a27a0abaa5f65791be91416ef6d SHA512 73a9f92e6a737687c311941100c45bbc573f54fa79d0284318996c0d70274a4d2218693406d71b371496d27123d4d99bbc159974388e6547a682c06084d3b4c5 diff --git a/net-misc/asterisk/asterisk-13.23.1.ebuild b/net-misc/asterisk/asterisk-13.23.1.ebuild new file mode 100644 index 00000000000..99d5134312a --- /dev/null +++ b/net-misc/asterisk/asterisk-13.23.1.ebuild @@ -0,0 +1,327 @@ +# Copyright 1999-2018 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 +inherit autotools eutils linux-info multilib user systemd + +MY_P="${PN}-${PV/_/-}" + +DESCRIPTION="Asterisk: A Modular Open Source PBX System" +HOMEPAGE="http://www.asterisk.org/"; +SRC_URI="http://downloads.asterisk.org/pub/telephony/asterisk/releases/${MY_P}.tar.gz + mirror://gentoo/gentoo-asterisk-patchset-4.07.tar.bz2" +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~ppc ~x86" + +IUSE_VOICEMAIL_STORAGE=" + +voicemail_storage_file + voicemail_storage_odbc + voicemail_storage_imap +" +IUSE="${IUSE_VOICEMAIL_STORAGE} alsa bluetooth calendar +caps cluster curl dahdi debug doc freetds gtalk http iconv ilbc xmpp ldap libedit libressl lua mysql newt +samples odbc osplookup oss pjproject portaudio postgres radius selinux snmp span speex srtp static syslog vorbis" +IUSE_EXPAND="VOICEMAIL_STORAGE" +REQUIRED_USE="gtalk? ( xmpp ) + ^^ ( ${IUSE_VOICEMAIL_STORAGE/+/} ) + voicemail_storage_odbc? ( odbc ) +" + +EPATCH_SUFFIX="patch" +PATCHES=( "${WORKDIR}/asterisk-patchset" ) + +CDEPEND="dev-db/sqlite:3 + dev-libs/popt + dev-libs/jansson + dev-libs/libxml2 + !libressl? ( dev-libs/openssl:0 ) + libressl? ( dev-libs/libressl ) + sys-libs/ncurses:* + sys-libs/zlib + alsa? ( media-libs/alsa-lib ) + bluetooth? ( net-wireless/bluez ) + calendar? ( net-libs/neon + dev-libs/libical + dev-libs/iksemel ) + caps? ( sys-libs/libcap ) + cluster? ( sys-cluster/corosync ) + curl? ( net-misc/curl ) + dahdi? ( >=net-libs/libpri-1.4.12_beta2 + net-misc/dahdi-tools ) + freetds? ( dev-db/freetds ) + gtalk? ( dev-libs/iksemel ) + http? ( dev-libs/gmime:2.6 ) + iconv? ( virtual/libiconv ) + ilbc? ( dev-libs/ilbc-rfc3951 ) + xmpp? ( dev-libs/iksemel ) + ldap? ( net-nds/openldap ) + libedit? ( dev-libs/libedit ) + lua? ( dev-lang/lua:* ) + mysql? ( virtual/mysql ) + newt? ( dev-libs/newt ) + odbc? ( dev-db/unixODBC ) + osplookup? ( net-libs/osptoolkit ) + portaudio? ( media-libs/portaudio ) + postgres? ( dev-db/postgresql:* ) + radius? ( net-dialup/freeradius-client ) + snmp? ( net-analyzer/net-snmp ) + span? ( media-libs/spandsp ) + speex? ( media-libs/speex ) + srtp? ( net-libs/libsrtp:0 ) + vorbis? ( media-libs/libvorbis )" + +DEPEND="${CDEPEND} + !net-libs/openh323 + !net-libs/pjsip + voicemail_storage_imap? ( virtual/imap-c-client ) + virtual/pkgconfig + pjproject? ( >=net-libs/pjproject-2.6 ) +" + +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-asterisk ) + syslog? ( virtual/logger )" + +PDEPEND="net-misc/asterisk-core-sounds + net-misc/asterisk-extra-sounds + net-misc/asterisk-moh-opsound" + +S="${WORKDIR}/${MY_P}" + +pkg_setup() { + CONFIG_CHECK="~!NF_CONNTRACK_SIP" + local WARNING_NF_CONNTRACK_SIP="SIP (NAT) connection tracking is enabled. Some users + have reported that this module dropped critical SIP packets in their deployments. You + may want to disable it if you see such problems." + check_extra_config + + enewgroup asterisk + enewgroup dialout 20 + enewuser asterisk -1 -1 /var/lib/asterisk "asterisk,dialout" +} + +src_prepare() { + default + AT_M4DIR="autoconf third-party third-party/pjproject" eautoreconf +} + +src_configure() { + local vmst + + econf \ + --libdir="/usr/$(get_libdir)" \ + --localstatedir="/var" \ + --with-crypto \ + --with-gsm=internal \ + --with-popt \ + --with-ssl \ + --with-z \ + --without-pwlib \ + $(use_with caps cap) \ + $(use_with http gmime) \ + $(use_with newt) \ + $(use_with portaudio) \ + $(use_with pjproject) + + # Blank out sounds/sounds.xml file to prevent + # asterisk from installing sounds files (we pull them in via + # asterisk-{core,extra}-sounds and asterisk-moh-opsound. + >"${S}"/sounds/sounds.xml + + # That NATIVE_ARCH chatter really is quite bothersome + sed -i 's/NATIVE_ARCH=/NATIVE_ARCH=0/' build_tools/menuselect-deps || die "Unable to squelch noisy build system" + + # Compile menuselect binary for optional components + emake menuselect.makeopts + + # Broken functionality is forcibly disabled (bug #360143) + menuselect/menuselect --disable chan_misdn menuselect.makeopts + menuselect/menuselect --disable chan_ooh323 menuselect.makeopts + + # Utility set is forcibly enabled (bug #358001) + menuselect/menuselect --enable smsq menuselect.makeopts + menuselect/menuselect --enable streamplayer menuselect.makeopts + menuselect/menuselect --enable aelparse menuselect.makeopts + menuselect/menuselect --enable astman menuselect.makeopts + + # this is connected, otherwise it would not find + # ast_pktccops_gate_alloc symbol + menuselect/menuselect --enable chan_mgcp menuselect.makeopts + menuselect/menuselect --enable res_pktccops menuselect.makeopts + + # SSL is forcibly enabled, IAX2 & DUNDI are expected to be available + menuselect/menuselect --enable pbx_dundi menuselect.makeopts + menuselect/menuselect --enable func_aes menuselect.makeopts + menuselect/menuselect --enable chan_iax2 menuselect.makeopts + + # SQlite3 is now the main database backend, enable related features + menuselect/menuselect --enable cdr_sqlite3_custom menuselect.makeopts + menuselect/menuselect --enable cel_sqlite3_custom menuselect.makeopts + + # The others are based on USE-flag settings + use_select() { + local state=$(use "$1" && echo enable || echo disable) + shift # remove use from parameters + + while [[ -n $1 ]]; do + menuselect/menuselect --${state} "$1" menuselect.makeopts + shift + done + } + + use_select alsa chan_alsa + use_select bluetooth chan_mobile + use_select calendar res_calendar res_calendar_{caldav,ews,exchange,icalendar} + use_select cluster res_corosync + use_select curl func_curl res_config_curl res_curl + use_select dahdi app_dahdiras app_meetme chan_dahdi codec_dahdi res_timing_dahdi + use_select freetds {cdr,cel}_tds + use_select gtalk chan_motif + use_select http res_http_post + use_select iconv func_iconv + use_select xmpp res_xmpp + use_select ilbc codec_ilbc format_ilbc + use_select ldap res_config_ldap + use_select lua pbx_lua + use_select mysql app_mysql cdr_mysql res_config_mysql + use_select odbc cdr_adaptive_odbc res_config_odbc {cdr,cel,res,func}_odbc + use_select osplookup app_osplookup + use_select oss chan_oss + use_select postgres {cdr,cel}_pgsql res_config_pgsql + use_select radius {cdr,cel}_radius + use_select snmp res_snmp + use_select span res_fax_spandsp + use_select speex {codec,func}_speex + use_select srtp res_srtp + use_select syslog cdr_syslog + use_select vorbis format_ogg_vorbis + + # Voicemail storage ... + for vmst in ${IUSE_VOICEMAIL_STORAGE/+/}; do + if use ${vmst}; then + menuselect/menuselect --enable $(echo ${vmst##*_} | tr '[:lower:]' '[:upper:]')_STORAGE menuselect.makeopts + fi + done + + if use debug; then + for o in DONT_OPTIMIZE DEBUG_THREADS BETTER_BACKTRACES; do + menuselect/menuselect --enable $o menuselect.makeopts + done + fi +} + +src_compile() { + ASTLDFLAGS="${LDFLAGS}" emake +} + +src_install() { + mkdir -p "${D}"usr/$(get_libdir)/pkgconfig || die + emake DESTDIR="${D}" installdirs + emake DESTDIR="${D}" install + + if use radius; then + insinto /etc/radiusclient/ + doins contrib/dictionary.digium + fi + diropts -m 0750 -o root -g asterisk + keepdir /etc/asterisk + if use samples; then + emake DESTDIR="${D}" samples + for conffile in "${D}"etc/asterisk/*.* + do + chown root:root $conffile + chmod 0644 $conffile + done + einfo "Sample files have been installed" + else + einfo "Skipping installation of sample files..." + rm -f "${D}"var/lib/asterisk/mohmp3/* || die + rm -f "${D}"var/lib/asterisk/sounds/demo-* || die + rm -f "${D}"var/lib/asterisk/agi-bin/* || die + rm -f "${D}"etc/asterisk/* || die + fi + rm -rf "${D}"var/spool/asterisk/voicemail/default || die + + # keep directories + diropts -m 0770 -o asterisk asterisk + keepdir /var/lib/asterisk + keepdir /var/spool/asterisk + keepdir /var/spool/asterisk/{system,tmp,meetme,monitor,dictate,voicemail} + diropts -m 0750 -o asterisk -g asterisk + keepdir /var/log/asterisk/{cdr-csv,cdr-custom} + + newinitd "${FILESDIR}"/1.8.0/asterisk.initd8 asterisk + newconfd "${FILESDIR}"/1.8.0/asterisk.confd asterisk + + systemd_dounit "${FILESDIR}"/asterisk.service + systemd_newtmpfilesd "${FILESDIR}"/asterisk.tmpfiles.conf asterisk.conf + systemd_install_serviced "${FILESDIR}"/asterisk.service.conf + + # install the upgrade documentation + # + dodoc UPGRADE* BUGS CREDITS + + # install extra documentation + # + if use doc + then + dodoc doc/*.txt + dodoc doc/*.pdf + fi + + # install SIP scripts; bug #300832 + # + dodoc "${FILESDIR}/1.6.2/sip_calc_auth" + dodoc "${FILESDIR}/1.8.0/find_call_sip_trace.sh" + dodoc "${FILESDIR}/1.8.0/find_call_ids.sh" + dodoc "${FILESDIR}/1.6.2/call_data.txt" + + # install logrotate snippet; bug #329281 + # + insinto /etc/logrotate.d + newins "${FILESDIR}/1.6.2/asterisk.logrotate4" asterisk +} + +pkg_postinst() { + # + # Announcements, warnings, reminders... + # + einfo "Asterisk has been installed" + echo + elog "If you want to know more about asterisk, visit these sites:" + elog "http://www.asteriskdocs.org/"; + elog "http://www.voip-info.org/wiki-Asterisk"; + echo + elog "http://www.automated.it/guidetoasterisk.htm"; + echo + elog "Gentoo VoIP IRC Channel:" + elog "#gentoo-voip @ irc.freenode.net" + echo + echo + elog "Please read the Asterisk 13 upgrade document:" + elog "https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13"; +} + +pkg_config() { + einfo "Do you want to reset file permissions and ownerships (y/N)?" + + read tmp + tmp="$(echo $tmp | tr '[:upper:]' '[:lower:]')" + + if [[ "$tmp" = "y" ]] ||\ + [[ "$tmp" = "yes" ]] + then + einfo "Resetting permissions to defaults..." + + for x in spool run lib log; do + chown -R asterisk:asterisk "${ROOT}"var/${x}/asterisk + chmod -R u=rwX,g=rwX,o= "${ROOT}"var/${x}/asterisk + done + + chown -R root:asterisk "${ROOT}"etc/asterisk + chmod -R u=rwX,g=rwX,o= "${ROOT}"etc/asterisk + + einfo "done" + else + einfo "skipping" + fi +}
