Summary: ASTERISK-22469: crash when res_jabber receives an XMPP IQ stanza with no 'from'
Reporter: abelbeck (abelbeck)
Labels:
Date Opened: 2013-09-05 14:25:44
Date Closed: 2017-10-11 13:32:25
Priority: Critical
Regression?
Status: Closed/Complete
Components: Resources/res_jabber
Versions: 1.8.23.1 11.5.1 12.0.0-alpha1
Frequency of Occurrence:
Related Issues: is related to ASTERISK-22410 [patch] Change "Error isn't a PubSub error ..." error log to a debug log
Environment: res_jabber on Asterisk 1.8.23
Attachments:
( 0) asterisk-1.8.23-jabber.conf-example.txt
( 1) prosody-0.8.2-cfg.lua.example.txt
( 2) res_jabber-prosody-0.8.2-vs-0.9.0.txt

Description: Reported as an aside on ASTERISK-22410. Moving to separate issue, as this seems to be a security vulnerability.

{quote}
The good news, Prosody 0.9.0 now works with Asterisk 1.8 which requires the 'from' attribute in the XMPP: iq id='disco' type='get' ... , or else Asterisk 1.8 segfaults.
{quote}

and from the comments:

{quote}
Rusty, to further elaborate on the segfault issue…

With res_xmpp, both Prosody 0.8.2 and 0.9.0 work fine.

With res_jabber, Prosody 0.8.2 causes it to segfault, Prosody 0.9.0 works fine.

Since Matthew was not clear why 0.9.0 fixed res_jabber, I disabled TLS to see what is going on; attached is a brief synopsis.

Attached file: res_jabber-prosody-0.8.2-vs-0.9.0.txt
{quote}

{quote}
I can't be any help with the backtrace since we cross-compile an embedded image with stripped symbols. My only help is the clue that the missing from= may trigger the crash.
{quote}
Comments:

By: Rusty Newton (rnewton) 2013-09-05 14:28:28.365-0500

Example of XMPP packet potentially causing the crash is in attachment https://issues.asterisk.org/jira/secure/attachment/48207/res_jabber-prosody-0.8.2-vs-0.9.0.txt

By: Rusty Newton (rnewton) 2013-09-05 14:46:13.483-0500

@abelbeck

Reproducing the issue appears to be straightforward, but just in case, can you attach your res_jabber configuration, as well as your Prosody 0.8.2 configuration? (If that is possible; I haven't used Prosody before.)

Since this is a security vulnerability, I've changed the security setting on this issue to only allow viewing by the reporter, bug marshals and Digium. You'll still want to sanitize your configuration of passwords or other credentials.

By: Rusty Newton (rnewton) 2013-09-05 15:54:46.444-0500

I spoke with Joshua Colp. Apparently this isn't a security issue. res_jabber is only going to freak out over the packet when engaged in an active connection to a server.

The scope of impact is currently only when Asterisk/res_jabber is reaching out to a Prosody 0.8.2 server (or possibly older) or any other XMPP server that may send the invalid IQ.

XMPP servers will automatically add a from if the request comes from a client, which won't crash Asterisk. It is only if the server *itself* sends the request without a from that the crash can occur.

By: abelbeck (abelbeck) 2013-09-05 16:07:08.634-0500

Attach: Example Prosody 0.8.2 "/etc/prosody/prosody.cfg.lua" config file

By: abelbeck (abelbeck) 2013-09-05 16:14:30.331-0500

It sounds like Joshua has his finger on the problem. "It is only if the server itself sends the request without a from that the crash can occur."

I attached my Prosody 0.8.2 sample config, quite simple as you can see. Also added my jabber.conf.

Possibly the solution is "Don't use Prosody 0.8.2 (or earlier)", unless this is a very easy fix in res_jabber.

By: abelbeck (abelbeck) 2013-09-05 16:32:25.228-0500

Attach: Example jabber.conf

By: Rusty Newton (rnewton) 2013-09-09 14:25:26.188-0500

Thanks for attaching the configs. They'll surely be helpful to whoever works on this.

By: Corey Farrell (coreyfarrell) 2017-10-11 13:32:25.281-0500

res_jabber no longer exists in any currently supported version of Asterisk. If you haven't already, you should switch to res_xmpp / chan_motif. Closing this since the description says res_xmpp does not have this issue.
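
Added illustration, not part of the thread and not Asterisk or iksemel code: an IQ handler that treats 'from' as optional and checks it before use, which is the defensive pattern this report points to. The struct types, `stanza_attr` and `iq_reply_to` are hypothetical, the sample stanzas are constructed, and the example assumes the crash comes from using a missing 'from' without a check, which the thread suggests but does not confirm.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a parsed stanza; not Asterisk's or iksemel's types. */
struct attr { const char *name, *value; };
struct stanza { const char *tag; const struct attr *attrs; size_t nattrs; };

/* Attribute lookup that yields NULL when the attribute is absent. */
static const char *stanza_attr(const struct stanza *s, const char *name)
{
    for (size_t i = 0; i < s->nattrs; i++)
        if (strcmp(s->attrs[i].name, name) == 0)
            return s->attrs[i].value;
    return NULL;
}

enum iq_result { IQ_REPLY = 0, IQ_IGNORED = 1, IQ_NO_SENDER = 2, IQ_TOO_LONG = 3 };

/* Hypothetical handler: decide where the reply to an IQ request is addressed.
 * An unguarded version would hand `from` straight to strlen()/strcpy(). */
enum iq_result iq_reply_to(const struct stanza *iq, char *to, size_t tolen)
{
    const char *type = stanza_attr(iq, "type");
    const char *from = stanza_attr(iq, "from");

    if (strcmp(iq->tag, "iq") != 0 || !type || strcmp(type, "get") != 0)
        return IQ_IGNORED;      /* not a request this handler answers */
    if (!from || from[0] == '\0')
        return IQ_NO_SENDER;    /* server-originated IQ with no 'from': drop it */
    if (strlen(from) >= tolen)
        return IQ_TOO_LONG;     /* refuse rather than truncate or overflow */
    memcpy(to, from, strlen(from) + 1);
    return IQ_REPLY;
}

int main(void)
{
    /* Constructed samples modelled on the iq id='disco' type='get' request in the report. */
    const struct attr with_from[] = { {"id", "disco"}, {"type", "get"}, {"from", "example.org"} };
    const struct attr no_from[]   = { {"id", "disco"}, {"type", "get"} };
    const struct stanza a = { "iq", with_from, 3 }, b = { "iq", no_from, 2 };
    char to[64];

    printf("with from:    %d\n", iq_reply_to(&a, to, sizeof to));
    printf("without from: %d\n", iq_reply_to(&b, to, sizeof to));
    return 0;
}
```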