Add upstream fix for AST-2018-009: Remote crash vulnerability in HTTP
websocket upgrade
The vulnerability affects the res_http_websocket.so module.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with
an invalid Via header causes a segmentation fault and crashes Kamailio. The
reason is missing input validation in the crcitt_string_array core function
for calculating a CRC hash for To tags. (An additional error is present in
the check_via_address core function: this function also misses input
validation.) This could result in denial of service and potentially the
execution of arbitrary code.
Patch from upstream. File paths amended for 4.x release.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
CVE-2018-14767: "In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a
crafted SIP message with a double "To" header and an empty "To" tag
causes a segmentation fault and crash. The reason is missing input
validation in the "build_res_buf_from_sip_req" core function. This could
result in denial of service and potentially the execution of arbitrary
code."
Patch from upstream. Path to msg_translator.c amended.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Switch to use procd for init, with support for jails. Clean up code and
restructure callback processing to be more robust and understandable. This
also fixes a bug processing multiple siproxd config sections, as reported
by Michael Kuron.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from master commit b65b20f6)
When there is no sounds cache declared the build system will not attempt to
download any sound packs or their SHA1 checksums.
This is to be preferred because:
a) the build may occur offline, causing it to fail
b) plain http is used by the build system for downloading
There is no drawback here because the standard sound packs are included in
the Asterisk source tarball already.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- changed source URL to https
- refreshed patches
- removed upstreamed patch
- upstream says that between 4.4.0 and 4.4.7 the "configuration file and
  database schema compatibility is preserved"
- includes bug fixes, also for security issues in tmx (CVE-2018-8828)
  and lcr, details:
  https://www.kamailio.org/w/2018/03/kamailio-security-announcement-tmx-lcr/
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Use explicit ident string ("siproxd") instead of NULL, as the latter is
not guaranteed to prepend the program name (e.g. unspecified in POSIX),
and may result in syslog messages identified only by PID.
Use consistent facility (LOG_DAEMON) across openlog() and syslog() calls.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Explain default configuration options and potential firewall settings.
Provide examples of using documented siproxd configuration directives.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Switch to using callback functions for UCI config processing, and remove
the unnecessary scan_interfaces() call together with related code.
Instead of explicitly handling every possible siproxd config option, use
callbacks to deal with those defined in the UCI config file, and directly
handle only selected options with desired default values. This shrinks
the init code by ~3.5 KB and simplifies updating to future siproxd
versions with new options.
(Note: this change exposed some long-standing, broken aspects of UCI
callback handling, fixed in https://github.com/openwrt/openwrt/pull/805.)
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Use $(INSTALL_BIN) as the modules are installed by siproxd as
executables. Remove the wildcards from this line as they're not needed.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Remove LIBLTDL from the Makefile as well as a patch related to LTDL.
Both have in common that they accomplish absolutely nothing.
Also explicitly disable the use of the internal libltdl.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Use lists for the config entries outbound_domain_{name,host,port}.
This permits multiple outbound proxies and fixes:
https://github.com/openwrt/telephony/issues/127
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
An upstream siproxd update was released after ~5 years, with bugfixes
and new features. This package supports the new plugins and their config
options, and updates required patches.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Use more conventional, clearer naming for config and registration files.
This includes having distinct directories and specific file suffixes.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Using the append_conf_if_set() function removes much repetitive and
error-prone code, reduces the source size by ~30%, and fixes a typo
previously uncaught.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The previous default logging level is completely silent, making normal
monitoring or troubleshooting impossible. Use the sane upstream default
for logging which captures basic startup, shutdown and error messages.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Support using standard interface names and make "lan"/"wan" the defaults
for inbound/outbound SIP traffic. This change makes siproxd more portable
but preserves backwards compatibility for upgrades.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
No new features in this release. This is a bugfix release.
- Fixes:
  AST-2018-004
  AST-2018-005
- Remove res_pjsip_transport_management.so as it got moved into
  res_pjsip's core as per AST-2018-003.
- Change to PKG_HASH.
- Remove 003-disable-ast-xml-docs.patch, it doesn't apply anymore.
  Instead change --enable-xmldoc into --disable-xmldoc in the Makefile.
- Refreshed patches.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Includes security fixes:
2094: Crash when receiving SDP with invalid fmtp attribute
2095: Crash when parsing SDP with an invalid media format description
No further changes.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Currently the package fails to build with this error:
Package dahdi-tools-libtonezone is missing dependencies for the following libraries:
libpthread.so.1
Makefile:97: recipe for target '/build/lede-17.01/slaves/phase2/arc_arc700/build/sdk/bin/packages/arc_arc700/telephony/dahdi-tools-libtonezone_2.11.1-2_arc_arc700.ipk' failed
make[3]: *** [/build/lede-17.01/slaves/phase2/arc_arc700/build/sdk/bin/packages/arc_arc700/telephony/dahdi-tools-libtonezone_2.11.1-2_arc_arc700.ipk] Error 1
Add the dependency accordingly.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
The variant building is not working properly because PKG_BUILD_DIR is
unset. This fixes that.
Also the Makefile is cleaned up. LOW_MEMORY is not explicitly defined
anymore because chan-sccp-b is getting the define from the Asterisk
headers.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Currently variant building isn't working properly because PKG_BUILD_DIR
is not set. This commit fixes that.
It also cleans up the Makefile, making it much simpler. The cleanups are
already in master.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit adds VARIANT support. This is so that the module will also
be available for Asterisk 13.
The current version does not support Asterisk 13. So this commit also
updates the package to use the (more recent) source from wdoekes on
github, which is also used in master.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit:
- adds some missing descriptions
- updates some module files (e.g. new sub modules)
- adds/updates some module dependencies
- adds some missing CONFIGURE_ARGS that depend on module selections
- enables fax support (spandsp)
- adds res-xmpp (which, it seems, was just missed, as CONFIGURE_ARGS for it exist)
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- LOW_MEMORY is known to cause sporadic crashes, disable it by default.
- Prevent Asterisk from adding -march=native to CFLAGS.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>