[Buildroot] [PATCH] package/asterisk: security bump to version 16.30.1

[Buildroot] [PATCH] package/asterisk: security bump to version 16.30.1

[Peter Korsgaard]

Fixes the following security vulnerabilities:

CVE-2022-23537: Heap buffer overflow when decoding STUN message in pjproject

Possible buffer overread when parsing a specially crafted STUN message with
unknown attribute.  The vulnerability affects Asterisk users using ICE
and/or WebRTC.

https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/asterisk/asterisk.hash | 2 +-
 package/asterisk/asterisk.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
index 98ee3bdc71..41e1da2962 100644
--- a/package/asterisk/asterisk.hash
+++ b/package/asterisk/asterisk.hash
@@ -1,5 +1,5 @@
 # Locally computed
-sha256  9b93006a87be9c29492299118200e4f66c8369851c66a50fdef5b15dfc4eb2c2  asterisk-16.29.1.tar.gz
+sha256  ef1ddc07dc02bb0c5f5ba58a5e42e42bcb63e55ac94199be8e3b5d3910f43736  asterisk-16.30.1.tar.gz
 
 # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
 # sha256 locally computed
diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
index 22ac0334fd..4f1a80ba8b 100644
--- a/package/asterisk/asterisk.mk
+++ b/package/asterisk/asterisk.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-ASTERISK_VERSION = 16.29.1
+ASTERISK_VERSION = 16.30.1
 # Use the github mirror: it's an official mirror maintained by Digium, and
 # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
 ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/asterisk: security bump to version 16.30.1

[Yann E. MORIN]

Peter, All,

On 2023-09-17 11:02 +0200, Peter Korsgaard spake thusly:
> Fixes the following security vulnerabilities:
> 
> CVE-2022-23537: Heap buffer overflow when decoding STUN message in pjproject

When I read "pjproject", I thnk "libpjsip". Is it realated? If so, is it
impacted? If so, should we get a fix for it too?

Applied to master, thanks.

Regards,
Yann E. MORIN.

> Possible buffer overread when parsing a specially crafted STUN message with
> unknown attribute.  The vulnerability affects Asterisk users using ICE
> and/or WebRTC.
> 
> https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/asterisk/asterisk.hash | 2 +-
>  package/asterisk/asterisk.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
> index 98ee3bdc71..41e1da2962 100644
> --- a/package/asterisk/asterisk.hash
> +++ b/package/asterisk/asterisk.hash
> @@ -1,5 +1,5 @@
>  # Locally computed
> -sha256  9b93006a87be9c29492299118200e4f66c8369851c66a50fdef5b15dfc4eb2c2  asterisk-16.29.1.tar.gz
> +sha256  ef1ddc07dc02bb0c5f5ba58a5e42e42bcb63e55ac94199be8e3b5d3910f43736  asterisk-16.30.1.tar.gz
>  
>  # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
>  # sha256 locally computed
> diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
> index 22ac0334fd..4f1a80ba8b 100644
> --- a/package/asterisk/asterisk.mk
> +++ b/package/asterisk/asterisk.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -ASTERISK_VERSION = 16.29.1
> +ASTERISK_VERSION = 16.30.1
>  # Use the github mirror: it's an official mirror maintained by Digium, and
>  # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
>  ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
> -- 
> 2.30.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/asterisk: security bump to version 16.30.1

[Peter Korsgaard]

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Peter, All,
 > On 2023-09-17 11:02 +0200, Peter Korsgaard spake thusly:
 >> Fixes the following security vulnerabilities:
 >> 
 >> CVE-2022-23537: Heap buffer overflow when decoding STUN message in pjproject

 > When I read "pjproject", I thnk "libpjsip". Is it realated? If so, is it
 > impacted? If so, should we get a fix for it too?

Yes, good point - I'll send a patch:

https://github.com/pjsip/pjproject/releases/tag/2.13.1

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot