authorTony Vroon <chainsaw@gentoo.org>2018-03-09 16:04:25 +0000
committerTony Vroon <chainsaw@gentoo.org>2018-03-09 16:04:46 +0000
commit458b342d0d2bbb84666f320612f6a6fc9c061903 (patch)
tree1aa10e8ae4284e1d662516e2c65b190a31a5ff2f /net-misc
parentsys-devel/clang-runtime: Dekeyword ~arm* due to deps (diff)
net-misc/asterisk: 13.19.2 for CVE-2018-7284 & CVE-2018-7286
Both vulnerabilities are in res_pjsip and allow a remote DoS. One is triggered by sending a lot of SIP INVITE messages on SIP TCP or SIP-TLS channels and then tearing them down. The other involves a SUBSCRIBE request containing more than 32 Accept headers, which overflows the statically allocated buffer. If you prevent res_pjsip from loading and use the classic chan_sip driver, you may not be vulnerable. However, this upgrade is being pushed out to all. Package-Manager: Portage-2.3.19, Repoman-2.3.6
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/asterisk/Manifest1
-rw-r--r--net-misc/asterisk/asterisk-13.19.2.ebuild327
2 files changed, 328 insertions, 0 deletions
diff --git a/net-misc/asterisk/Manifest b/net-misc/asterisk/Manifest
index 5a561c24d8c4..3a92933e1e4e 100644
--- a/net-misc/asterisk/Manifest
+++ b/net-misc/asterisk/Manifest
@@ -2,6 +2,7 @@ DIST asterisk-11.25.1.tar.gz 35125897 BLAKE2B 42f79202c3e69dc0ff1ddad909c87bc0a0
DIST asterisk-11.25.3.tar.gz 35134682 BLAKE2B 9da24d5d6a674ab660edb103e5fc56ddfbcc58cd86166cc08cceb0598a63b51eae36133565e09a30ad11ff6623ba8945437dfb561d2916f68341d398540dabce SHA512 9c0521d55e5b69663ea40066d52e397ba6c165a4b20cd0a1e5e375b9c0e5a6e4f37908e50b0b580e288dec9be252af9a8bce7bceb03ba029f902fb757e6311ed
DIST asterisk-13.17.2.tar.gz 32899368 BLAKE2B 539155dc4b9db3cd736fa8ca4e4b1f09330be2d7bc994ee89dc73645f411bf6d012d85f322c07146bac2b5b258802232960d6e102d840d6b48b796a7d8923513 SHA512 008354cb0cba679444bfbfd4be34d919ea0a0a0cbd60541b7528d254ab0fa92efee118d5b006e8dc7b709f9c44fd391026df9b8705d17515494a23ad36dedd4b
DIST asterisk-13.19.0.tar.gz 33027887 BLAKE2B f799f51dc4b45d6db2261abfae33f41416616650702ff0cf6c253a80cf2f554f180df9e90bd107ac6a29eeeeef16e3bfadba087f6485fa93978899590b417443 SHA512 5404080a42e2d6d76b8fa8629c9570ae55c943676c51901a34552dc69c35f82001a1738e2da3adedf1de254bc8d1821ea7708f844685462ecdd1fd4e979e0e7f
+DIST asterisk-13.19.2.tar.gz 32991960 BLAKE2B 3b1f731fb68e2d455bfc76e863a8abbd8903ac2f7e89f5bc4b97db0072b0999679a79e6ebbb55c886847fb1db639b6ad84d1f7de1fc3414968ab6b48c5eed72f SHA512 3ee3d57d359ce3049480303b9662a33a905d08491e84d898fd6ee170ee9d34b8bdfcd082b80120dab606929a03572141fe219da75bb87770ed206aeb0249f1e4
DIST gentoo-asterisk-patchset-3.17.tar.bz2 5074 BLAKE2B 3c945e77b54b2449253acb9fcea8d289a7a3184729190622c14aff5557d36c93556efa83320fe4e7ae84021960c09f35ae9f997e8015706eef933aae2948309e SHA512 37f86f3c699b2643afd8080391e817a282571694bb56e00efd0734918dbc33d6c12a2463dbc24667597420863b4f506870140fbb8ef3f1700124ef790ae7252d
DIST gentoo-asterisk-patchset-4.05.tar.bz2 2889 BLAKE2B 788b923300324241d0272b2533cbad5b18189fa46f0ed620256aadb2a840880dccb66f839edc323e90c46bb3748127caeb59b84b017722491c52e6f5f6dcd8f0 SHA512 6fdb245e37074f124f4725c25a1547c872f6216eb1d37faeda8ed7c5e4dc87424e9c1ba20bb34722165027692916bde4c8bfc816ac5c89710972bb3f51bd1b75
DIST gentoo-asterisk-patchset-4.07.tar.bz2 2471 BLAKE2B d9026e7e8c12431496c24f204d117ed715741623195af10c838ec3ac5ce6a26fbb2d76d4c45c538881b532084e2ce74d2de83a27a0abaa5f65791be91416ef6d SHA512 73a9f92e6a737687c311941100c45bbc573f54fa79d0284318996c0d70274a4d2218693406d71b371496d27123d4d99bbc159974388e6547a682c06084d3b4c5
diff --git a/net-misc/asterisk/asterisk-13.19.2.ebuild b/net-misc/asterisk/asterisk-13.19.2.ebuild
new file mode 100644
index 000000000000..e0b88a37696c
--- /dev/null
+++ b/net-misc/asterisk/asterisk-13.19.2.ebuild
@@ -0,0 +1,327 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit autotools eutils linux-info multilib user systemd
+
+MY_P="${PN}-${PV/_/-}"
+
+DESCRIPTION="Asterisk: A Modular Open Source PBX System"
+HOMEPAGE="http://www.asterisk.org/"
+SRC_URI="http://downloads.asterisk.org/pub/telephony/asterisk/releases/${MY_P}.tar.gz
+ mirror://gentoo/gentoo-asterisk-patchset-4.07.tar.bz2"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+IUSE_VOICEMAIL_STORAGE="
+ +voicemail_storage_file
+ voicemail_storage_odbc
+ voicemail_storage_imap
+"
+IUSE="${IUSE_VOICEMAIL_STORAGE} alsa bluetooth calendar +caps cluster curl dahdi debug doc freetds gtalk http iconv ilbc xmpp ldap libedit libressl lua mysql newt +samples odbc osplookup oss pjproject portaudio postgres radius selinux snmp span speex srtp static syslog vorbis"
+IUSE_EXPAND="VOICEMAIL_STORAGE"
+REQUIRED_USE="gtalk? ( xmpp )
+ ^^ ( ${IUSE_VOICEMAIL_STORAGE/+/} )
+ voicemail_storage_odbc? ( odbc )
+"
+
+EPATCH_SUFFIX="patch"
+PATCHES=( "${WORKDIR}/asterisk-patchset" )
+
+CDEPEND="dev-db/sqlite:3
+ dev-libs/popt
+ dev-libs/jansson
+ dev-libs/libxml2
+ !libressl? ( dev-libs/openssl:0 )
+ libressl? ( dev-libs/libressl )
+ sys-libs/ncurses:*
+ sys-libs/zlib
+ alsa? ( media-libs/alsa-lib )
+ bluetooth? ( net-wireless/bluez )
+ calendar? ( net-libs/neon
+ dev-libs/libical
+ dev-libs/iksemel )
+ caps? ( sys-libs/libcap )
+ cluster? ( sys-cluster/corosync )
+ curl? ( net-misc/curl )
+ dahdi? ( >=net-libs/libpri-1.4.12_beta2
+ net-misc/dahdi-tools )
+ freetds? ( dev-db/freetds )
+ gtalk? ( dev-libs/iksemel )
+ http? ( dev-libs/gmime:2.6 )
+ iconv? ( virtual/libiconv )
+ ilbc? ( dev-libs/ilbc-rfc3951 )
+ xmpp? ( dev-libs/iksemel )
+ ldap? ( net-nds/openldap )
+ libedit? ( dev-libs/libedit )
+ lua? ( dev-lang/lua:* )
+ mysql? ( virtual/mysql )
+ newt? ( dev-libs/newt )
+ odbc? ( dev-db/unixODBC )
+ osplookup? ( net-libs/osptoolkit )
+ portaudio? ( media-libs/portaudio )
+ postgres? ( dev-db/postgresql:* )
+ radius? ( net-dialup/freeradius-client )
+ snmp? ( net-analyzer/net-snmp )
+ span? ( media-libs/spandsp )
+ speex? ( media-libs/speex )
+ srtp? ( net-libs/libsrtp:0 )
+ vorbis? ( media-libs/libvorbis )"
+
+DEPEND="${CDEPEND}
+ !net-libs/openh323
+ !net-libs/pjsip
+ voicemail_storage_imap? ( virtual/imap-c-client )
+ virtual/pkgconfig
+ pjproject? ( >=net-libs/pjproject-2.6 )
+"
+
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-asterisk )
+ syslog? ( virtual/logger )"
+
+PDEPEND="net-misc/asterisk-core-sounds
+ net-misc/asterisk-extra-sounds
+ net-misc/asterisk-moh-opsound"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+ CONFIG_CHECK="~!NF_CONNTRACK_SIP"
+ local WARNING_NF_CONNTRACK_SIP="SIP (NAT) connection tracking is enabled. Some users
+ have reported that this module dropped critical SIP packets in their deployments. You
+ may want to disable it if you see such problems."
+ check_extra_config
+
+ enewgroup asterisk
+ enewgroup dialout 20
+ enewuser asterisk -1 -1 /var/lib/asterisk "asterisk,dialout"
+}
+
+src_prepare() {
+ default
+ AT_M4DIR="autoconf third-party third-party/pjproject" eautoreconf
+}
+
+src_configure() {
+ local vmst
+
+ econf \
+ --libdir="/usr/$(get_libdir)" \
+ --localstatedir="/var" \
+ --with-crypto \
+ --with-gsm=internal \
+ --with-popt \
+ --with-ssl \
+ --with-z \
+ --without-pwlib \
+ $(use_with caps cap) \
+ $(use_with http gmime) \
+ $(use_with newt) \
+ $(use_with portaudio) \
+ $(use_with pjproject)
+
+ # Blank out sounds/sounds.xml file to prevent
+ # asterisk from installing sounds files (we pull them in via
+ # asterisk-{core,extra}-sounds and asterisk-moh-opsound.
+ >"${S}"/sounds/sounds.xml
+
+ # That NATIVE_ARCH chatter really is quite bothersome
+ sed -i 's/NATIVE_ARCH=/NATIVE_ARCH=0/' build_tools/menuselect-deps || die "Unable to squelch noisy build system"
+
+ # Compile menuselect binary for optional components
+ emake menuselect.makeopts
+
+ # Broken functionality is forcibly disabled (bug #360143)
+ menuselect/menuselect --disable chan_misdn menuselect.makeopts
+ menuselect/menuselect --disable chan_ooh323 menuselect.makeopts
+
+ # Utility set is forcibly enabled (bug #358001)
+ menuselect/menuselect --enable smsq menuselect.makeopts
+ menuselect/menuselect --enable streamplayer menuselect.makeopts
+ menuselect/menuselect --enable aelparse menuselect.makeopts
+ menuselect/menuselect --enable astman menuselect.makeopts
+
+ # this is connected, otherwise it would not find
+ # ast_pktccops_gate_alloc symbol
+ menuselect/menuselect --enable chan_mgcp menuselect.makeopts
+ menuselect/menuselect --enable res_pktccops menuselect.makeopts
+
+ # SSL is forcibly enabled, IAX2 & DUNDI are expected to be available
+ menuselect/menuselect --enable pbx_dundi menuselect.makeopts
+ menuselect/menuselect --enable func_aes menuselect.makeopts
+ menuselect/menuselect --enable chan_iax2 menuselect.makeopts
+
+ # SQlite3 is now the main database backend, enable related features
+ menuselect/menuselect --enable cdr_sqlite3_custom menuselect.makeopts
+ menuselect/menuselect --enable cel_sqlite3_custom menuselect.makeopts
+
+ # The others are based on USE-flag settings
+ use_select() {
+ local state=$(use "$1" && echo enable || echo disable)
+ shift # remove use from parameters
+
+ while [[ -n $1 ]]; do
+ menuselect/menuselect --${state} "$1" menuselect.makeopts
+ shift
+ done
+ }
+
+ use_select alsa chan_alsa
+ use_select bluetooth chan_mobile
+ use_select calendar res_calendar res_calendar_{caldav,ews,exchange,icalendar}
+ use_select cluster res_corosync
+ use_select curl func_curl res_config_curl res_curl
+ use_select dahdi app_dahdiras app_meetme chan_dahdi codec_dahdi res_timing_dahdi
+ use_select freetds {cdr,cel}_tds
+ use_select gtalk chan_motif
+ use_select http res_http_post
+ use_select iconv func_iconv
+ use_select xmpp res_xmpp
+ use_select ilbc codec_ilbc format_ilbc
+ use_select ldap res_config_ldap
+ use_select lua pbx_lua
+ use_select mysql app_mysql cdr_mysql res_config_mysql
+ use_select odbc cdr_adaptive_odbc res_config_odbc {cdr,cel,res,func}_odbc
+ use_select osplookup app_osplookup
+ use_select oss chan_oss
+ use_select postgres {cdr,cel}_pgsql res_config_pgsql
+ use_select radius {cdr,cel}_radius
+ use_select snmp res_snmp
+ use_select span res_fax_spandsp
+ use_select speex {codec,func}_speex
+ use_select srtp res_srtp
+ use_select syslog cdr_syslog
+ use_select vorbis format_ogg_vorbis
+
+ # Voicemail storage ...
+ for vmst in ${IUSE_VOICEMAIL_STORAGE/+/}; do
+ if use ${vmst}; then
+ menuselect/menuselect --enable $(echo ${vmst##*_} | tr '[:lower:]' '[:upper:]')_STORAGE menuselect.makeopts
+ fi
+ done
+
+ if use debug; then
+ for o in DONT_OPTIMIZE DEBUG_THREADS BETTER_BACKTRACES; do
+ menuselect/menuselect --enable $o menuselect.makeopts
+ done
+ fi
+}
+
+src_compile() {
+ ASTLDFLAGS="${LDFLAGS}" emake
+}
+
+src_install() {
+ mkdir -p "${D}"usr/$(get_libdir)/pkgconfig || die
+ emake DESTDIR="${D}" installdirs
+ emake DESTDIR="${D}" install
+
+ if use radius; then
+ insinto /etc/radiusclient/
+ doins contrib/dictionary.digium
+ fi
+ diropts -m 0750 -o root -g asterisk
+ keepdir /etc/asterisk
+ if use samples; then
+ emake DESTDIR="${D}" samples
+ for conffile in "${D}"etc/asterisk/*.*
+ do
+ chown root:root $conffile
+ chmod 0644 $conffile
+ done
+ einfo "Sample files have been installed"
+ else
+ einfo "Skipping installation of sample files..."
+ rm -f "${D}"var/lib/asterisk/mohmp3/* || die
+ rm -f "${D}"var/lib/asterisk/sounds/demo-* || die
+ rm -f "${D}"var/lib/asterisk/agi-bin/* || die
+ rm -f "${D}"etc/asterisk/* || die
+ fi
+ rm -rf "${D}"var/spool/asterisk/voicemail/default || die
+
+ # keep directories
+ diropts -m 0770 -o asterisk asterisk
+ keepdir /var/lib/asterisk
+ keepdir /var/spool/asterisk
+ keepdir /var/spool/asterisk/{system,tmp,meetme,monitor,dictate,voicemail}
+ diropts -m 0750 -o asterisk -g asterisk
+ keepdir /var/log/asterisk/{cdr-csv,cdr-custom}
+
+ newinitd "${FILESDIR}"/1.8.0/asterisk.initd8 asterisk
+ newconfd "${FILESDIR}"/1.8.0/asterisk.confd asterisk
+
+ systemd_dounit "${FILESDIR}"/asterisk.service
+ systemd_newtmpfilesd "${FILESDIR}"/asterisk.tmpfiles.conf asterisk.conf
+ systemd_install_serviced "${FILESDIR}"/asterisk.service.conf
+
+ # install the upgrade documentation
+ #
+ dodoc UPGRADE* BUGS CREDITS
+
+ # install extra documentation
+ #
+ if use doc
+ then
+ dodoc doc/*.txt
+ dodoc doc/*.pdf
+ fi
+
+ # install SIP scripts; bug #300832
+ #
+ dodoc "${FILESDIR}/1.6.2/sip_calc_auth"
+ dodoc "${FILESDIR}/1.8.0/find_call_sip_trace.sh"
+ dodoc "${FILESDIR}/1.8.0/find_call_ids.sh"
+ dodoc "${FILESDIR}/1.6.2/call_data.txt"
+
+ # install logrotate snippet; bug #329281
+ #
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/1.6.2/asterisk.logrotate4" asterisk
+}
+
+pkg_postinst() {
+ #
+ # Announcements, warnings, reminders...
+ #
+ einfo "Asterisk has been installed"
+ echo
+ elog "If you want to know more about asterisk, visit these sites:"
+ elog "http://www.asteriskdocs.org/"
+ elog "http://www.voip-info.org/wiki-Asterisk"
+ echo
+ elog "http://www.automated.it/guidetoasterisk.htm"
+ echo
+ elog "Gentoo VoIP IRC Channel:"
+ elog "#gentoo-voip @ irc.freenode.net"
+ echo
+ echo
+ elog "Please read the Asterisk 13 upgrade document:"
+ elog "https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13"
+}
+
+pkg_config() {
+ einfo "Do you want to reset file permissions and ownerships (y/N)?"
+
+ read tmp
+ tmp="$(echo $tmp | tr '[:upper:]' '[:lower:]')"
+
+ if [[ "$tmp" = "y" ]] ||\
+ [[ "$tmp" = "yes" ]]
+ then
+ einfo "Resetting permissions to defaults..."
+
+ for x in spool run lib log; do
+ chown -R asterisk:asterisk "${ROOT}"var/${x}/asterisk
+ chmod -R u=rwX,g=rwX,o= "${ROOT}"var/${x}/asterisk
+ done
+
+ chown -R root:asterisk "${ROOT}"etc/asterisk
+ chmod -R u=rwX,g=rwX,o= "${ROOT}"etc/asterisk
+
+ einfo "done"
+ else
+ einfo "skipping"
+ fi
+}
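Review bot: In src_install, `diropts -m 0770 -o asterisk asterisk` is missing the `-g` before the group name, unlike the `diropts -m 0750 -o asterisk -g asterisk` a few lines below it. The keepdir calls for /var/lib/asterisk and /var/spool/asterisk therefore presumably pick up a stray `asterisk` argument and the default group rather than group asterisk; the line should read `diropts -m 0770 -o asterisk -g asterisk`. The sample-config loop above it runs `chown root:root $conffile` and `chmod 0644 $conffile` unquoted and without `|| die`, so a failed ownership or mode change on a file under /etc/asterisk would go unnoticed. In pkg_config, the `chown -R` and `chmod -R` calls also lack `|| die`, and they run as root over trees that the asterisk account can write to, which deserves a comment or a narrower reset that does not recurse blindly.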