package/asterisk: new package
Asterisk: the flagship of telephony on Linux. These are the lines of
code whose continuous mission is to power small and large enterprises
telephony systems, to boldly provide IP PBX where no one has done so
before.
But it is a hell to get compiled... :-(
For starters, it needs a host tool, menuselect, to prepare its build
configuration. Unfortunately, the way it handles menuselect does not
apply very well for cross-compilation: the main ./configure calls out to
menuselect's own ./configure, and of course that runs with the same
environement, which is wrong for cross-compilation (because of variables
like CC, CFLAGS and the likes).
Furthermore, the paths to menuselect are imbricated about everywhere in
the main Makefile, so making it find menuselect in PATH is a lost cause.
Instead, we just patch-out the handling of menuselect, build it as the
host variant and copy it in place.
Now, asterisk wants to install a default set of sound files (for
answering machine stuff, I guess). They come come pre-bundled in the
official archive [0], but the buildsystem will want to download (at
install time) the sha1 files for each sound archive, to validate that
said archive is correct. However, the download is done via plain http,
so it still risks an MITM attack. And for Buildroot, it is not always
possible to download at install time, so we patch-out the sha1 check.
[0] http://downloads.asterisk.org/pub/telephony/asterisk/releases/
The official archive contains the sound archives plus a full set of
documentation. This makes it very big. Unfortunately, the hosting site
is rather slow, topping at about ~204kbps. So we get the archive from
the official mirror on Github. But that archive is missing the sound
archives, so we download them separately.
Some tests, like the crypt() one, are broken and could not have ever
possibly worked at all. Worse, the FFmpeg test is looking for headers
that FFmpeg removed more than 10 years ago and are virtually no longer
available in any distro. So, FFmpeg support is definitely not tested
by upstream and can't possibly work at all. Finally, trying to run
test-code does not work in cross-compilation.
As a final stroke of genius, asterisk checks for the re-entrant variant
of res_ninit(), and concludes that all such functions are available,
including res_nsearch(). Uclibc-ng has the former but not the latter, so
the build fails. Since there is no cache variable for that check, we
can't pre-feed that result to configure, and fixing it is a bigger
endeavour. So we make asterisk depend on glibc for now, until someone
is brave enough to fix it.
Almost all features are disabled for now. Support for additional
features will be added in subsequent patches now that we have a working
base.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@openwide.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Arnout:
- make libilbc a mandatory dependency instead of using the bundled one;
- add license, license files, and license file hashes;
- minor spelling corrections;
- remove redundant trailing backslash reported by check-package;
- rewrap help text to 72 columns instead of 68]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
fixup
2017-09-09 23:39:07 +02:00
|
|
|
# Locally computed
|
package/asterisk: security bump to version 16.25.2
Fixes the following security issues:
16.24.1:
CVE-2021-37706 / AST-2022-004: pjproject: integer underflow on STUN message
The header length on incoming STUN messages that contain an ERROR-CODE
attribute is not properly checked. This can result in an integer underflow.
Note, this requires ICE or WebRTC support to be in use with a malicious
remote party.
https://seclists.org/fulldisclosure/2022/Mar/0
CVE-2022-23608 / AST-2022-005: pjproject: undefined behavior after freeing a
dialog set
When acting as a UAC, and when placing an outgoing call to a target that then
forks Asterisk may experience undefined behavior (crashes, hangs, etc…)
after a dialog set is prematurely freed.
https://seclists.org/fulldisclosure/2022/Mar/1
CVE-2022-21723 / AST-2022-006: pjproject: unconstrained malformed multipart
SIP message
If an incoming SIP message contains a malformed multi-part body an out of
bounds read access may occur, which can result in undefined behavior. Note,
it’s currently uncertain if there is any externally exploitable vector
within Asterisk for this issue, but providing this as a security issue out
of caution.
https://seclists.org/fulldisclosure/2022/Mar/2
16.25.2:
CVE-2022-26498 / AST-2022-001: res_stir_shaken: resource exhaustion with
large files
When using STIR/SHAKEN, it’s possible to download files that are not
certificates. These files could be much larger than what you would expect to
download.
https://seclists.org/fulldisclosure/2022/Apr/17
CVE-2022-26499 / AST-2022-002: res_stir_shaken: SSRF vulnerability with
Identity header
When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to
interfaces such as localhost using the Identity header.
https://seclists.org/fulldisclosure/2022/Apr/18
CVE-2022-26651 / AST-2022-003: func_odbc: Possible SQL Injection
Some databases can use backslashes to escape certain characters, such as
backticks. If input is provided to func_odbc which includes backslashes it
is possible for func_odbc to construct a broken SQL query and the SQL query
to fail.
https://seclists.org/fulldisclosure/2022/Apr/19
Update hash of sha1.c after a doxygen comment update:
https://github.com/asterisk/asterisk/commit/37c29b6a281d7f69e891117269dbf8c20bacc904
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-04-16 00:26:15 +02:00
|
|
|
sha256 0fb817943a276f5e540c2a9432e8841cd3393e7c1bd1250055c620902f6eafc8 asterisk-16.25.2.tar.gz
|
package/asterisk: new package
Asterisk: the flagship of telephony on Linux. These are the lines of
code whose continuous mission is to power small and large enterprises
telephony systems, to boldly provide IP PBX where no one has done so
before.
But it is a hell to get compiled... :-(
For starters, it needs a host tool, menuselect, to prepare its build
configuration. Unfortunately, the way it handles menuselect does not
apply very well for cross-compilation: the main ./configure calls out to
menuselect's own ./configure, and of course that runs with the same
environement, which is wrong for cross-compilation (because of variables
like CC, CFLAGS and the likes).
Furthermore, the paths to menuselect are imbricated about everywhere in
the main Makefile, so making it find menuselect in PATH is a lost cause.
Instead, we just patch-out the handling of menuselect, build it as the
host variant and copy it in place.
Now, asterisk wants to install a default set of sound files (for
answering machine stuff, I guess). They come come pre-bundled in the
official archive [0], but the buildsystem will want to download (at
install time) the sha1 files for each sound archive, to validate that
said archive is correct. However, the download is done via plain http,
so it still risks an MITM attack. And for Buildroot, it is not always
possible to download at install time, so we patch-out the sha1 check.
[0] http://downloads.asterisk.org/pub/telephony/asterisk/releases/
The official archive contains the sound archives plus a full set of
documentation. This makes it very big. Unfortunately, the hosting site
is rather slow, topping at about ~204kbps. So we get the archive from
the official mirror on Github. But that archive is missing the sound
archives, so we download them separately.
Some tests, like the crypt() one, are broken and could not have ever
possibly worked at all. Worse, the FFmpeg test is looking for headers
that FFmpeg removed more than 10 years ago and are virtually no longer
available in any distro. So, FFmpeg support is definitely not tested
by upstream and can't possibly work at all. Finally, trying to run
test-code does not work in cross-compilation.
As a final stroke of genius, asterisk checks for the re-entrant variant
of res_ninit(), and concludes that all such functions are available,
including res_nsearch(). Uclibc-ng has the former but not the latter, so
the build fails. Since there is no cache variable for that check, we
can't pre-feed that result to configure, and fixing it is a bigger
endeavour. So we make asterisk depend on glibc for now, until someone
is brave enough to fix it.
Almost all features are disabled for now. Support for additional
features will be added in subsequent patches now that we have a working
base.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@openwide.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Arnout:
- make libilbc a mandatory dependency instead of using the bundled one;
- add license, license files, and license file hashes;
- minor spelling corrections;
- remove redundant trailing backslash reported by check-package;
- rewrap help text to 72 columns instead of 68]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
fixup
2017-09-09 23:39:07 +02:00
|
|
|
|
|
|
|
|
# sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
|
|
|
|
|
# sha256 locally computed
|
2022-07-28 10:07:32 +02:00
|
|
|
sha1 721c512feaea102700d5bdce952fdc0bb29dc640 asterisk-core-sounds-en-gsm-1.6.1.tar.gz
|
2018-10-14 11:01:55 +02:00
|
|
|
sha256 d79c3d2044d41da8f363c447dfccc140be86b4fcc41b1ca5a60a80da52f24f2d asterisk-core-sounds-en-gsm-1.6.1.tar.gz
|
2022-07-28 10:07:32 +02:00
|
|
|
sha1 f40fd6ea03dfe8d72ada2540b2288bfdc006381d asterisk-moh-opsound-wav-2.03.tar.gz
|
package/asterisk: new package
Asterisk: the flagship of telephony on Linux. These are the lines of
code whose continuous mission is to power small and large enterprises
telephony systems, to boldly provide IP PBX where no one has done so
before.
But it is a hell to get compiled... :-(
For starters, it needs a host tool, menuselect, to prepare its build
configuration. Unfortunately, the way it handles menuselect does not
apply very well for cross-compilation: the main ./configure calls out to
menuselect's own ./configure, and of course that runs with the same
environement, which is wrong for cross-compilation (because of variables
like CC, CFLAGS and the likes).
Furthermore, the paths to menuselect are imbricated about everywhere in
the main Makefile, so making it find menuselect in PATH is a lost cause.
Instead, we just patch-out the handling of menuselect, build it as the
host variant and copy it in place.
Now, asterisk wants to install a default set of sound files (for
answering machine stuff, I guess). They come come pre-bundled in the
official archive [0], but the buildsystem will want to download (at
install time) the sha1 files for each sound archive, to validate that
said archive is correct. However, the download is done via plain http,
so it still risks an MITM attack. And for Buildroot, it is not always
possible to download at install time, so we patch-out the sha1 check.
[0] http://downloads.asterisk.org/pub/telephony/asterisk/releases/
The official archive contains the sound archives plus a full set of
documentation. This makes it very big. Unfortunately, the hosting site
is rather slow, topping at about ~204kbps. So we get the archive from
the official mirror on Github. But that archive is missing the sound
archives, so we download them separately.
Some tests, like the crypt() one, are broken and could not have ever
possibly worked at all. Worse, the FFmpeg test is looking for headers
that FFmpeg removed more than 10 years ago and are virtually no longer
available in any distro. So, FFmpeg support is definitely not tested
by upstream and can't possibly work at all. Finally, trying to run
test-code does not work in cross-compilation.
As a final stroke of genius, asterisk checks for the re-entrant variant
of res_ninit(), and concludes that all such functions are available,
including res_nsearch(). Uclibc-ng has the former but not the latter, so
the build fails. Since there is no cache variable for that check, we
can't pre-feed that result to configure, and fixing it is a bigger
endeavour. So we make asterisk depend on glibc for now, until someone
is brave enough to fix it.
Almost all features are disabled for now. Support for additional
features will be added in subsequent patches now that we have a working
base.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@openwide.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Arnout:
- make libilbc a mandatory dependency instead of using the bundled one;
- add license, license files, and license file hashes;
- minor spelling corrections;
- remove redundant trailing backslash reported by check-package;
- rewrap help text to 72 columns instead of 68]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
fixup
2017-09-09 23:39:07 +02:00
|
|
|
sha256 449fb810d16502c3052fedf02f7e77b36206ac5a145f3dacf4177843a2fcb538 asterisk-moh-opsound-wav-2.03.tar.gz
|
|
|
|
|
|
|
|
|
|
# License files, locally computed
|
|
|
|
|
sha256 82af40ed7f49c08685360811993d9396320842f021df828801d733e8fdc0312f COPYING
|
package/asterisk: security bump to version 16.25.2
Fixes the following security issues:
16.24.1:
CVE-2021-37706 / AST-2022-004: pjproject: integer underflow on STUN message
The header length on incoming STUN messages that contain an ERROR-CODE
attribute is not properly checked. This can result in an integer underflow.
Note, this requires ICE or WebRTC support to be in use with a malicious
remote party.
https://seclists.org/fulldisclosure/2022/Mar/0
CVE-2022-23608 / AST-2022-005: pjproject: undefined behavior after freeing a
dialog set
When acting as a UAC, and when placing an outgoing call to a target that then
forks Asterisk may experience undefined behavior (crashes, hangs, etc…)
after a dialog set is prematurely freed.
https://seclists.org/fulldisclosure/2022/Mar/1
CVE-2022-21723 / AST-2022-006: pjproject: unconstrained malformed multipart
SIP message
If an incoming SIP message contains a malformed multi-part body an out of
bounds read access may occur, which can result in undefined behavior. Note,
it’s currently uncertain if there is any externally exploitable vector
within Asterisk for this issue, but providing this as a security issue out
of caution.
https://seclists.org/fulldisclosure/2022/Mar/2
16.25.2:
CVE-2022-26498 / AST-2022-001: res_stir_shaken: resource exhaustion with
large files
When using STIR/SHAKEN, it’s possible to download files that are not
certificates. These files could be much larger than what you would expect to
download.
https://seclists.org/fulldisclosure/2022/Apr/17
CVE-2022-26499 / AST-2022-002: res_stir_shaken: SSRF vulnerability with
Identity header
When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to
interfaces such as localhost using the Identity header.
https://seclists.org/fulldisclosure/2022/Apr/18
CVE-2022-26651 / AST-2022-003: func_odbc: Possible SQL Injection
Some databases can use backslashes to escape certain characters, such as
backticks. If input is provided to func_odbc which includes backslashes it
is possible for func_odbc to construct a broken SQL query and the SQL query
to fail.
https://seclists.org/fulldisclosure/2022/Apr/19
Update hash of sha1.c after a doxygen comment update:
https://github.com/asterisk/asterisk/commit/37c29b6a281d7f69e891117269dbf8c20bacc904
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-04-16 00:26:15 +02:00
|
|
|
sha256 3ce4755b8da872a0de93ecdbbe2f940763cc95c9027bbf3c4a2e914fcd8bf4c6 main/sha1.c
|
2019-10-21 20:07:21 +02:00
|
|
|
sha256 6215e3ed73c3982a5c6701127d681ec0b9f1121ac78a28805bd93f93c3eb84c0 codecs/speex/speex_resampler.h
|
2020-09-23 20:57:32 +02:00
|
|
|
sha256 ea69cc96ab8a779c180a362377caeada71926897d1b55b980f04d74ba5aaa388 utils/db1-ast/include/db.h
|
