author | Jaco Kroon <jaco@uls.co.za> | 2024-10-25 20:29:03 +0200 |
---|---|---|
committer | Matt Jolly <kangie@gentoo.org> | 2024-10-26 08:55:34 +1000 |
commit | fba2d244ffcd0fd7f50a6d210c94bd71fde84885 (patch) | |
tree | 56c11fecb47813b1e02a87ff5605f20849c93549 /net-misc/asterisk | |
parent | media-libs/libaom: add 3.10.0 (diff) | |
net-misc/asterisk: drop 16.30.1-r3
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Matt Jolly <kangie@gentoo.org>
Diffstat (limited to 'net-misc/asterisk')
5 files changed, 0 insertions, 671 deletions
diff --git a/net-misc/asterisk/Manifest b/net-misc/asterisk/Manifest
index ae37af526aba..75be453010f8 100644
--- a/net-misc/asterisk/Manifest
+++ b/net-misc/asterisk/Manifest
@@ -1,4 +1,3 @@
-DIST asterisk-16.30.1.tar.gz 28234979 BLAKE2B a9cd732feb00408876f90328d7f14dbfe426829e607f9b8e812ff25823c8dc1facab1ecd423e1d4f33c1623f3769197fa3b1fe3181efad0b231c96c0afb1dd16 SHA512 1624d207e80351f976c084344d09d67fe37b526a42970da007f5407be006d107e951093209415a68c891e2bd9cb142421e7acd1ac9fba2c1b1c064aee2224cb6
 DIST asterisk-18.24.3.tar.gz 28531091 BLAKE2B 002210daa4091bed3ebc0ccd14eb3cd2f2648ef7440276ef0d7b74d493a41034358a034ddda8faad4ca0df4a944ef32efd6c820c161b619b3a6a7a5936e72524 SHA512 a1223965b2375c25e736b84d99ac5ce96d27c5bfc9c14e936429643f595e04caff4e159e091b26ff2452249875cd3a37a760e6a23c74269e401805e406492742
 DIST asterisk-18.25.0.tar.gz 28546882 BLAKE2B 5cef5db83063387f4786d94be442164a8fb2b9ec3292af453dadd8ed094622142762bfdfadd8d0ba14fe8734a7f822c559ed47ea4e017c2cba4e970dc4a80528 SHA512 8646f65cac366a674674558d4ca59166956bdc5258c16454aaeff28e445b256fe16c144d6e1dedcd401c7577bff1aac69aae735557ea0082c93ff5322f978f56
 DIST asterisk-20.10.0.tar.gz 28309321 BLAKE2B 4efcf72c378b31a722643c6b92863354d8e07f2d700a5fccfec14f842cf912c626181e8f73482858a7bd0c74802ed3fd359ee046aeec4af21a92e6c23d05a741 SHA512 b05a65423f6a203f3fca712fc8ee2c008deabfdaf05f1cd56b8bd0ffc1d1805c4dea58e4267d224f47777fbc1bcdc8aabe71cbe1e86e6e98fa597f08ac087cce
diff --git a/net-misc/asterisk/asterisk-16.30.1-r3.ebuild b/net-misc/asterisk/asterisk-16.30.1-r3.ebuild
deleted file mode 100644
index 5ff80f57d6f9..000000000000
--- a/net-misc/asterisk/asterisk-16.30.1-r3.ebuild
+++ /dev/null
@@ -1,361 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -LUA_COMPAT=( lua5-{1..4} ) - -inherit autotools linux-info lua-single toolchain-funcs - -DESCRIPTION="Asterisk: A Modular Open Source PBX System" -HOMEPAGE="https://www.asterisk.org/" -SRC_URI="https://downloads.asterisk.org/pub/telephony/asterisk/releases/${P}.tar.gz" -LICENSE="GPL-2" -SLOT="0/${PV%%.*}" -KEYWORDS="amd64 ~arm ~arm64 ~ppc ~ppc64 x86" - -IUSE_VOICEMAIL_STORAGE=( - +voicemail_storage_file - voicemail_storage_odbc - voicemail_storage_imap -) -IUSE="${IUSE_VOICEMAIL_STORAGE[*]} alsa blocks bluetooth calendar +caps cluster codec2 curl debug deprecated doc freetds gtalk http iconv ilbc ldap lua mysql newt odbc oss pjproject portaudio postgres radius selinux snmp span speex srtp +ssl static statsd syslog systemd unbound vorbis xmpp" -IUSE_EXPAND="VOICEMAIL_STORAGE" -REQUIRED_USE="gtalk? ( xmpp ) - lua? ( ${LUA_REQUIRED_USE} ) - ^^ ( ${IUSE_VOICEMAIL_STORAGE[*]//+/} ) - voicemail_storage_odbc? ( odbc ) -" - -PATCHES=( - "${FILESDIR}/asterisk-16.16.2-no-var-run-install.patch" - "${FILESDIR}/asterisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch" - "${FILESDIR}/asterisk-16.30.1-r1-iax2_jitterbuffer.patch" - "${FILESDIR}/asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch" -) - -DEPEND="acct-user/asterisk - acct-group/asterisk - dev-db/sqlite:3 - dev-libs/popt - >=dev-libs/jansson-2.11:= - dev-libs/libedit - dev-libs/libxml2:2 - dev-libs/libxslt - sys-apps/util-linux - sys-libs/zlib - virtual/libcrypt:= - alsa? ( media-libs/alsa-lib ) - bluetooth? ( net-wireless/bluez:= ) - calendar? ( - net-libs/neon:= - dev-libs/libical:= - dev-libs/iksemel - ) - caps? ( sys-libs/libcap ) - blocks? ( sys-libs/blocksruntime ) - cluster? ( sys-cluster/corosync ) - codec2? ( media-libs/codec2:= ) - curl? ( net-misc/curl ) - freetds? ( dev-db/freetds ) - gtalk? ( dev-libs/iksemel ) - http? ( dev-libs/gmime:2.6 ) - iconv? 
( virtual/libiconv ) - ilbc? ( media-libs/libilbc ) - ldap? ( net-nds/openldap:= ) - lua? ( ${LUA_DEPS} ) - mysql? ( dev-db/mysql-connector-c:= ) - newt? ( dev-libs/newt ) - odbc? ( dev-db/unixODBC ) - pjproject? ( >=net-libs/pjproject-2.9:= ) - portaudio? ( media-libs/portaudio ) - postgres? ( dev-db/postgresql:* ) - radius? ( net-dialup/freeradius-client ) - snmp? ( net-analyzer/net-snmp:= ) - span? ( media-libs/spandsp ) - speex? ( - media-libs/libogg - media-libs/speex - media-libs/speexdsp - ) - srtp? ( net-libs/libsrtp:0 ) - ssl? ( - dev-libs/openssl:0= - ) - systemd? ( sys-apps/systemd ) - !systemd? ( !sys-apps/systemd ) - unbound? ( net-dns/unbound ) - vorbis? ( - media-libs/libogg - media-libs/libvorbis - ) - voicemail_storage_imap? ( net-libs/c-client[ssl=] ) - xmpp? ( dev-libs/iksemel ) -" - -RDEPEND="${DEPEND} - net-misc/asterisk-core-sounds - net-misc/asterisk-extra-sounds - net-misc/asterisk-moh-opsound - selinux? ( sec-policy/selinux-asterisk ) - syslog? ( virtual/logger )" -PDEPEND="net-misc/asterisk-base" - -BDEPEND="dev-libs/libxml2:2 - virtual/pkgconfig" - -QA_DT_NEEDED="/usr/lib.*/libasteriskssl[.]so[.][0-9]\+" - -_make_args=( - "NOISY_BUILD=yes" - "ASTDBDIR=\$(ASTDATADIR)/astdb" - "ASTVARRUNDIR=/run/asterisk" - "ASTCACHEDIR=/var/cache/asterisk" - "OPTIMIZE=" - "DEBUG=" - "DESTDIR=${D}" - "CONFIG_SRC=configs/samples" - "CONFIG_EXTEN=.sample" -) - -pkg_pretend() { - CONFIG_CHECK="~!NF_CONNTRACK_SIP" - local WARNING_NF_CONNTRACK_SIP="SIP (NAT) connection tracking is enabled. Some users - have reported that this module dropped critical SIP packets in their deployments. You - may want to disable it if you see such problems." 
- check_extra_config - - [[ "${MERGE_TYPE}" == binary ]] && return - - if tc-is-clang; then - use blocks || die "CC=clang requires USE=blocks" - else - use blocks && die "USE=blocks can only be used with CC=clang" - fi -} - -pkg_setup() { - use lua && lua-single_pkg_setup -} - -src_prepare() { - default - AT_M4DIR="autoconf third-party third-party/pjproject third-party/jansson" \ - AC_CONFIG_SUBDIRS=menuselect eautoreconf -} - -src_configure() { - local vmst - local copt cstate - - econf \ - SED=sed \ - LUA_VERSION="${ELUA#lua}" \ - --libdir="/usr/$(get_libdir)" \ - --localstatedir="/var" \ - --with-crypto \ - --with-gsm=internal \ - --with-popt \ - --with-z \ - --with-libedit \ - --without-jansson-bundled \ - --without-pjproject-bundled \ - $(use_with caps cap) \ - $(use_with codec2) \ - $(use_with lua lua) \ - $(use_with http gmime) \ - $(use_with newt) \ - $(use_with pjproject) \ - $(use_with portaudio) \ - $(use_with ssl) \ - $(use_with unbound) - - _menuselect() { - menuselect/menuselect "$@" || die "menuselect $* failed." - } - - _use_select() { - local state=$(use "$1" && echo enable || echo disable) - shift # remove use from parameters - - while [[ -n $1 ]]; do - _menuselect --${state} "$1" menuselect.makeopts - shift - done - } - - # Blank out sounds/sounds.xml file to prevent - # asterisk from installing sounds files (we pull them in via - # asterisk-{core,extra}-sounds and asterisk-moh-opsound. - >"${S}"/sounds/sounds.xml - - # That NATIVE_ARCH chatter really is quite bothersome - sed -i 's/NATIVE_ARCH=/NATIVE_ARCH=0/' build_tools/menuselect-deps || die "Unable to squelch noisy build system" - - # Compile menuselect binary for optional components - emake "${_make_args[@]}" menuselect.makeopts - - # Disable astdb2* tools. 
We've been on sqlite long enough - # that this should really no longer be a problem (bug #https://bugs.gentoo.org/872194) - _menuselect --disable astdb2sqlite3 menuselect.makeopts - _menuselect --disable astdb2bdb menuselect.makeopts - - # Disable BUILD_NATIVE (bug #667498) - _menuselect --disable build_native menuselect.makeopts - - # Broken functionality is forcibly disabled (bug #360143) - _menuselect --disable chan_misdn menuselect.makeopts - _menuselect --disable chan_ooh323 menuselect.makeopts - - # Utility set is forcibly enabled (bug #358001) - _menuselect --enable smsq menuselect.makeopts - _menuselect --enable streamplayer menuselect.makeopts - _menuselect --enable aelparse menuselect.makeopts - _menuselect --enable astman menuselect.makeopts - - # this is connected, otherwise it would not find - # ast_pktccops_gate_alloc symbol - _menuselect --enable chan_mgcp menuselect.makeopts - _menuselect --enable res_pktccops menuselect.makeopts - - # SSL is forcibly enabled, IAX2 & DUNDI are expected to be available - _menuselect --enable pbx_dundi menuselect.makeopts - _menuselect --enable func_aes menuselect.makeopts - _menuselect --enable chan_iax2 menuselect.makeopts - - # SQlite3 is now the main database backend, enable related features - _menuselect --enable cdr_sqlite3_custom menuselect.makeopts - _menuselect --enable cel_sqlite3_custom menuselect.makeopts - - # Disable conversion tools (which fails to compile in some cases). 
- _menuselect --disable astdb2bdb menuselect.makeopts - - # The others are based on USE-flag settings - _use_select alsa chan_alsa - _use_select bluetooth chan_mobile - _use_select calendar res_calendar res_calendar_{caldav,ews,exchange,icalendar} - _use_select cluster res_corosync - _use_select codec2 codec_codec2 - _use_select curl func_curl res_config_curl res_curl - _use_select deprecated app_macro - _use_select freetds {cdr,cel}_tds - _use_select gtalk chan_motif - _use_select http res_http_post - _use_select iconv func_iconv - _use_select ilbc codec_ilbc format_ilbc - _use_select ldap res_config_ldap - _use_select lua pbx_lua - _use_select mysql app_mysql cdr_mysql res_config_mysql - _use_select odbc cdr_adaptive_odbc res_config_odbc {cdr,cel,res,func}_odbc - _use_select oss chan_oss - _use_select postgres {cdr,cel}_pgsql res_config_pgsql - _use_select radius {cdr,cel}_radius - _use_select snmp res_snmp - _use_select span res_fax_spandsp - _use_select speex {codec,func}_speex - _use_select speex format_ogg_speex - _use_select srtp res_srtp - _use_select statsd res_statsd res_{endpoint,chan}_stats - _use_select syslog cdr_syslog - _use_select vorbis format_ogg_vorbis - _use_select xmpp res_xmpp - - # Voicemail storage ... - for vmst in "${IUSE_VOICEMAIL_STORAGE[@]}"; do - if use "${vmst#+}"; then - _menuselect --enable "$(echo "${vmst##*_}" | tr '[:lower:]' '[:upper:]')_STORAGE" menuselect.makeopts - fi - done - - if use debug; then - for o in DONT_OPTIMIZE DEBUG_FD_LEAKS MALLOC_DEBUG BETTER_BACKTRACES; do - _menuselect --enable "${o}" menuselect.makeopts - done - fi - - if [[ -n "${GENTOO_ASTERISK_CUSTOM_MENUSELECT:+yes}" ]]; then - for copt in ${GENTOO_ASTERISK_CUSTOM_MENUSELECT}; do - cstate=--enable - [[ "${copt}" == -* ]] && cstate=--disable - ebegin "Custom option ${copt#[-+]} ${cstate:2}d" - _menuselect ${cstate} "${copt#[-+]}" - eend $? 
- done - fi -} - -src_compile() { - emake "${_make_args[@]}" -} - -src_install() { - local d - - dodir "/usr/$(get_libdir)/pkgconfig" - - diropts -m 0750 -o root -g asterisk - dodir /etc/asterisk - - emake "${_make_args[@]}" install install-configs - - fowners asterisk: /var/lib/asterisk/astdb - - if use radius; then - insinto /etc/radiusclient/ - doins contrib/dictionary.digium - fi - - # keep directories - diropts -m 0750 -o asterisk -g root - keepdir /var/spool/asterisk/{system,tmp,meetme,monitor,dictate,voicemail,recording,outgoing} - diropts -m 0750 -o asterisk -g asterisk - keepdir /var/log/asterisk/{cdr-csv,cdr-custom} - - # Reset diropts else dodoc uses it for doc installations. - diropts -m0755 - - # install the upgrade documentation - dodoc UPGRADE* BUGS CREDITS - - # install extra documentation - use doc && dodoc doc/*.{txt,pdf} - - # Asterisk installs a few folders that's empty by design, - # but still required. This finds them, and marks them for - # portage. - while read d <&3; do - keepdir "${d#${ED}}" - done 3< <(find "${ED}"/var -type d -empty || die "Find failed.") -} - -pkg_postinst() { - if [ -z "${REPLACING_VERSIONS}" ]; then - elog "Asterisk Wiki: https://wiki.asterisk.org/wiki/" - elog "Gentoo VoIP IRC Channel: #gentoo-voip @ irc.libera.chat" - elif [ "$(ver_cut 1 "${REPLACING_VERSIONS}")" != "$(ver_cut 1)" ]; then - elog "You are updating from Asterisk $(ver_cut 1 "${REPLACING_VERSIONS}") upgrade document:" - elog "https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+$(ver_cut 1)" - elog "Gentoo VoIP IRC Channel: #gentoo-voip @ irc.libera.chat" - fi - - if use deprecated; then - ewarn "You really aught to port whatever code you have that depends on this since these are going to go away." 
- ewarn "Refer: https://wiki.asterisk.org/wiki/display/AST/Module+Deprecation" - fi - - if [[ -n "${GENTOO_ASTERISK_CUSTOM_MENUSELECT:+yes}" ]]; then - ewarn "You are using GENTOO_ASTERISK_CUSTOM_MENUSELECT, this should only be used" - ewarn "for debugging, for anything else, please file a bug on https://bugs.gentoo.org" - fi - - if [[ -f /var/lib/asterisk/astdb.sqlite3 ]]; then - ewarn "Default astdb location has changed from /var/lib/asterisk to /var/lib/asterisk/astdb" - ewarn "You still have a /var/lib/asterisk/astdb.sqlite file. You need to either set" - ewarn "astdbdir in /etc/asterisk/asterisk.conf to /var/lib/asterisk or follow these" - ewarn "steps to migrate:" - ewarn "1. /etc/init.d/asterisk stop" - ewarn "2. mv /var/lib/asterisk/astdb.sqlite /var/lib/asterisk/astdb/" - ewarn "3. /etc/init.d/asterisk start" - ewarn "This update was done partly for security reasons so that /var/lib/asterisk can be root owned." - fi -} diff --git a/net-misc/asterisk/files/asterisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch b/net-misc/asterisk/files/asterisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch deleted file mode 100644 index ed1fafa8aa5b..000000000000 --- a/net-misc/asterisk/files/asterisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-From e4d33a4e488fb7abfa41b5ff947d048d22d000f4 Mon Sep 17 00:00:00 2001
-From: Jaco Kroon <jaco@uls.co.za>
-Date: Mon, 7 Nov 2022 17:30:00 +0200
-Subject: [PATCH] Build system: Avoid executable stack.
-
-Found in res_geolocation, but I believe others may have similar issues,
-thus not linking to a specific issue.
-
-Essentially gcc doesn't mark the stack for being non-executable unless
-it's compiling the source, this informs ld via gcc to mark the object as
-not requiring an executable stack (which a binary blob obviously
-doesn't).
-
-Change-Id: I71bcc2fd1fe0c82a28b3257405d6f2b566fd9bfc
-Signed-off-by: Jaco Kroon <jaco@uls.co.za>
----
- Makefile.rules | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile.rules b/Makefile.rules
-index e6b6589cc7..7b508e6ab2 100644
---- a/Makefile.rules
-+++ b/Makefile.rules
-@@ -213,10 +213,10 @@ endif
- # extern const size_t _binary_abc_def_xml_size;
- %.o: %.xml
- $(ECHO_PREFIX) echo " [LD] $^ -> $@"
-- $(CMD_PREFIX) $(CC) -g -nostartfiles -nodefaultlibs -nostdlib -r -Wl,-b,binary -o $@ $^
-+ $(CMD_PREFIX) $(CC) -g -Wl,-znoexecstack -nostartfiles -nodefaultlibs -nostdlib -r -Wl,-b,binary -o $@ $^
-
- %.o: %.xslt
- $(ECHO_PREFIX) echo " [LD] $^ -> $@"
-- $(CMD_PREFIX) $(CC) -g -nostartfiles -nodefaultlibs -nostdlib -r -Wl,-b,binary -o $@ $^
-+ $(CMD_PREFIX) $(CC) -g -Wl,-znoexecstack -nostartfiles -nodefaultlibs -nostdlib -r -Wl,-b,binary -o $@ $^
-
- dist-clean:: clean
---
-2.37.4
-
diff --git a/net-misc/asterisk/files/asterisk-16.30.1-r1-iax2_jitterbuffer.patch b/net-misc/asterisk/files/asterisk-16.30.1-r1-iax2_jitterbuffer.patch
deleted file mode 100644
index 67fb68b3cf42..000000000000
--- a/net-misc/asterisk/files/asterisk-16.30.1-r1-iax2_jitterbuffer.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 73103bdcd5b342ce5dfa32039333ffadad551151 Mon Sep 17 00:00:00 2001
-From: Naveen Albert <asterisk@phreaknet.org>
-Date: Wed, 14 Dec 2022 16:00:51 +0000
-Subject: [PATCH] chan_iax2: Fix jitterbuffer regression prior to receiving
- audio.
-
-ASTERISK_29392 (a security fix) introduced a regression by
-not processing frames when we don't have an audio format.
-
-Currently, chan_iax2 only calls jb_get to read frames from
-the jitterbuffer when the voiceformat has been set on the pvt.
-However, this only happens when we receive a voice frame, which
-means that prior to receiving voice frames, other types of frames
-get stalled completely in the jitterbuffer.
-
-To fix this, we now fallback to using the format negotiated during
-call setup until we've actually received a voice frame with a format.
-This ensures we're always able to read from the jitterbuffer.
-
-ASTERISK-30354 #close
-ASTERISK-30162 #close
-
-Change-Id: Ie4fd1e8e088a145ad89e0427c2100a530e964fe9
----
- channels/chan_iax2.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
-index ab6bd61638..5b3caf03b5 100644
---- a/channels/chan_iax2.c
-+++ b/channels/chan_iax2.c
-@@ -4158,9 +4158,19 @@ static void __get_from_jb(const void *p)
- now.tv_usec += 1000;
-
- ms = ast_tvdiff_ms(now, pvt->rxcore);
--
-- voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
-- if (voicefmt && ms >= (next = jb_next(pvt->jb))) {
-+ if (ms >= (next = jb_next(pvt->jb))) {
-+ voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
-+ if (!voicefmt) {
-+ /* pvt->voiceformat won't be set if we haven't received any voice frames yet.
-+ * In this case, fall back to using the format negotiated during call setup,
-+ * so we don't stall the jitterbuffer completely. */
-+ voicefmt = ast_format_compatibility_bitfield2format(pvt->peerformat);
-+ }
-+ if (!voicefmt) {
-+ /* Really shouldn't happen, but if it does, should be looked into */
-+ ast_log(LOG_WARNING, "No voice format and no peer format available on %s, backlogging frame\n", ast_channel_name(pvt->owner));
-+ goto cleanup; /* Don't crash if there's no voice format */
-+ }
- ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));
- switch(ret) {
- case JB_OK:
-@@ -4202,6 +4212,7 @@ static void __get_from_jb(const void *p)
- break;
- }
- }
-+cleanup:
- if (pvt)
- update_jbsched(pvt);
- ast_mutex_unlock(&iaxsl[callno]);
---
-2.41.0
-
diff --git a/net-misc/asterisk/files/asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch b/net-misc/asterisk/files/asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch
deleted file mode 100644
index f33e73037979..000000000000
--- a/net-misc/asterisk/files/asterisk-16.30.1-r3-manager.c-Add-entries-to-Originate-blacklist.patch
+++ /dev/null
@@ -1,205 +0,0 @@ -From faddd99f2b9408b524e5eb8a01589fe1fa282df2 Mon Sep 17 00:00:00 2001 -From: George Joseph <gjoseph@sangoma.com> -Date: Mon, 22 Jul 2024 08:05:03 -0600 -Subject: [PATCH 1/2] manager.c: Add entries to Originate blacklist - -Added Reload and DBdeltree to the list of dialplan application that -can't be executed via the Originate manager action without also -having write SYSTEM permissions. - -Added CURL, DB*, FILE, ODBC and REALTIME* to the list of dialplan -functions that can't be executed via the Originate manager action -without also having write SYSTEM permissions. - -If the Queue application is attempted to be run by the Originate -manager action and an AGI parameter is specified in the app data, -it'll be rejected unless the manager user has either the AGI or -SYSTEM permissions. - -Resolves: #GHSA-c4cg-9275-6w44 ---- - main/manager.c | 161 +++++++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 141 insertions(+), 20 deletions(-) - -diff --git a/main/manager.c b/main/manager.c -index cb64a234e5..2ce88a3ab8 100644 ---- a/main/manager.c -+++ b/main/manager.c -@@ -6325,6 +6325,145 @@ aocmessage_cleanup: - return 0; - } - -+struct originate_permissions_entry { -+ const char *search; -+ int permission; -+ int (*searchfn)(const char *app, const char *data, const char *search); -+}; -+ -+/*! -+ * \internal -+ * \brief Check if the application is allowed for Originate -+ * -+ * \param app The "app" parameter -+ * \param data The "appdata" parameter (ignored) -+ * \param search The search string -+ * \retval 1 Match -+ * \retval 0 No match -+ */ -+static int app_match(const char *app, const char *data, const char *search) -+{ -+ /* -+ * We use strcasestr so we don't have to trim any blanks -+ * from the front or back of the string. -+ */ -+ return !!(strcasestr(app, search)); -+} -+ -+/*! 
-+ * \internal -+ * \brief Check if the appdata is allowed for Originate -+ * -+ * \param app The "app" parameter (ignored) -+ * \param data The "appdata" parameter -+ * \param search The search string -+ * \retval 1 Match -+ * \retval 0 No match -+ */ -+static int appdata_match(const char *app, const char *data, const char *search) -+{ -+ return !!(strstr(data, search)); -+} -+ -+/*! -+ * \internal -+ * \brief Check if the Queue application is allowed for Originate -+ * -+ * It's only allowed if there's no AGI parameter set -+ * -+ * \param app The "app" parameter -+ * \param data The "appdata" parameter -+ * \param search The search string -+ * \retval 1 Match -+ * \retval 0 No match -+ */ -+static int queue_match(const char *app, const char *data, const char *search) -+{ -+ char *parse; -+ AST_DECLARE_APP_ARGS(args, -+ AST_APP_ARG(queuename); -+ AST_APP_ARG(options); -+ AST_APP_ARG(url); -+ AST_APP_ARG(announceoverride); -+ AST_APP_ARG(queuetimeoutstr); -+ AST_APP_ARG(agi); -+ AST_APP_ARG(gosub); -+ AST_APP_ARG(rule); -+ AST_APP_ARG(position); -+ ); -+ -+ if (!strcasestr(app, "queue")) { -+ return 0; -+ } -+ -+ parse = ast_strdupa(data); -+ AST_STANDARD_APP_ARGS(args, parse); -+ -+ /* -+ * The Queue application is fine unless the AGI parameter is set. -+ * If it is, we need to check the user's permissions. -+ */ -+ return !ast_strlen_zero(args.agi); -+} -+ -+/* -+ * The Originate application and application data are passed -+ * to each searchfn in the list. If a searchfn returns true -+ * and the user's permissions don't include the permissions specified -+ * in the list entry, the Originate action will be denied. -+ * -+ * If no searchfn returns true, the Originate action is allowed. -+ */ -+static struct originate_permissions_entry originate_app_permissions[] = { -+ /* -+ * The app_match function checks if the search string is -+ * anywhere in the app parameter. The check is case-insensitive. 
-+ */ -+ { "agi", EVENT_FLAG_SYSTEM, app_match }, -+ { "dbdeltree", EVENT_FLAG_SYSTEM, app_match }, -+ { "exec", EVENT_FLAG_SYSTEM, app_match }, -+ { "externalivr", EVENT_FLAG_SYSTEM, app_match }, -+ { "mixmonitor", EVENT_FLAG_SYSTEM, app_match }, -+ { "originate", EVENT_FLAG_SYSTEM, app_match }, -+ { "reload", EVENT_FLAG_SYSTEM, app_match }, -+ { "system", EVENT_FLAG_SYSTEM, app_match }, -+ /* -+ * Since the queue_match function specifically checks -+ * for the presence of the AGI parameter, we'll allow -+ * the call if the user has either the AGI or SYSTEM -+ * permission. -+ */ -+ { "queue", EVENT_FLAG_AGI | EVENT_FLAG_SYSTEM, queue_match }, -+ /* -+ * The appdata_match function checks if the search string is -+ * anywhere in the appdata parameter. Unlike app_match, -+ * the check is case-sensitive. These are generally -+ * dialplan functions. -+ */ -+ { "CURL", EVENT_FLAG_SYSTEM, appdata_match }, -+ { "DB", EVENT_FLAG_SYSTEM, appdata_match }, -+ { "EVAL", EVENT_FLAG_SYSTEM, appdata_match }, -+ { "FILE", EVENT_FLAG_SYSTEM, appdata_match }, -+ { "ODBC", EVENT_FLAG_SYSTEM, appdata_match }, -+ { "REALTIME", EVENT_FLAG_SYSTEM, appdata_match }, -+ { "SHELL", EVENT_FLAG_SYSTEM, appdata_match }, -+ { NULL, 0 }, -+}; -+ -+static int is_originate_app_permitted(const char *app, const char *data, -+ int permission) -+{ -+ int i; -+ -+ for (i = 0; originate_app_permissions[i].search; i++) { -+ if (originate_app_permissions[i].searchfn(app, data, originate_app_permissions[i].search)) { -+ return !!(permission & originate_app_permissions[i].permission); -+ } -+ } -+ -+ return 1; -+} -+ - static int action_originate(struct mansession *s, const struct message *m) - { - const char *name = astman_get_header(m, "Channel"); -@@ -6418,26 +6557,8 @@ static int action_originate(struct mansession *s, const struct message *m) - } - - if (!ast_strlen_zero(app) && s->session) { -- int bad_appdata = 0; -- /* To run the System application (or anything else that goes to -- * shell), you must 
have the additional System privilege */ -- if (!(s->session->writeperm & EVENT_FLAG_SYSTEM) -- && ( -- strcasestr(app, "system") || /* System(rm -rf /) -- TrySystem(rm -rf /) */ -- strcasestr(app, "exec") || /* Exec(System(rm -rf /)) -- TryExec(System(rm -rf /)) */ -- strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /) -- EAGI(/bin/rm,-rf /) */ -- strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */ -- strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */ -- strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */ -- (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */ -- (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */ -- )) { -- char error_buf[64]; -- snprintf(error_buf, sizeof(error_buf), "Originate Access Forbidden: %s", bad_appdata ? "Data" : "Application"); -- astman_send_error(s, m, error_buf); -+ if (!is_originate_app_permitted(app, appdata, s->session->writeperm)) { -+ astman_send_error(s, m, "Originate Access Forbidden: app or data blacklisted"); - res = 0; - goto fast_orig_cleanup; - } --- -2.44.2 - |