Summary: ASTERISK-29872: res_stir_shaken: Resource exhaustion with large files
Reporter: Benjamin Keith Ford (bford)
Labels: security
Date Opened: 2022-01-21 11:57:45.000-0600
Date Closed: 2022-04-14 13:30:15
Priority: Blocker
Regression?:
Status: Closed/Complete
Components: Resources/res_stir_shaken
Versions: 16.23.0 18.9.0 19.1.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:

Description:
When we receive a SIP INVITE that has an Identity header, we attempt to download the certificate if stir_shaken is enabled. However, we don't have any checks in place to ensure that the file is not too large and that the file is actually a certificate.
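The two checks the description says are missing, as an added example that is not Asterisk's code and not the AST-2022-001 patch: a write callback in the shape libcurl expects for CURLOPT_WRITEFUNCTION that aborts the transfer as soon as the accumulated body would exceed a cap, and as soon as the bytes received so far stop matching the PEM certificate header. The cap value (MAX_CERT_BYTES), the CERT_* result codes, the simulate_download() driver and the sample bodies are all assumptions made for this example; libcurl is not linked, the driver simply feeds constructed chunks to the callback the way libcurl would.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap on the downloaded body. The value is an assumption for this example,
 * not the limit chosen in AST-2022-001. */
#define MAX_CERT_BYTES 8192
#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Result codes for this example (not Asterisk's). */
enum { CERT_OK = 0, CERT_TOO_LARGE, CERT_NOT_PEM, CERT_NOMEM, CERT_TRUNCATED };

struct cert_download {
    char *buf;      /* body received so far, NUL-terminated */
    size_t len;     /* bytes in buf, never more than max_len */
    size_t max_len; /* hard cap on len */
    int rejected;   /* CERT_OK, or the first reason the transfer was aborted */
};

/* Write callback with the signature libcurl expects for CURLOPT_WRITEFUNCTION.
 * Returning anything other than size * nmemb makes libcurl abort the transfer
 * with CURLE_WRITE_ERROR, so a server cannot push more than max_len bytes. */
static size_t cert_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct cert_download *dl = userdata;
    size_t chunk = size * nmemb;
    size_t hdr = strlen(PEM_BEGIN), cmp;
    char *grown;

    if (dl->rejected) return 0;
    /* Size check before copying; len <= max_len always, so no underflow. */
    if (chunk > dl->max_len - dl->len) {
        dl->rejected = CERT_TOO_LARGE;
        return 0;
    }
    grown = realloc(dl->buf, dl->len + chunk + 1);
    if (!grown) { dl->rejected = CERT_NOMEM; return 0; }
    dl->buf = grown;
    memcpy(dl->buf + dl->len, ptr, chunk);
    dl->len += chunk;
    dl->buf[dl->len] = '\0';
    /* Start check on whatever prefix has arrived: a body that is not a PEM
     * certificate is dropped on the first chunk, not after the whole download. */
    cmp = dl->len < hdr ? dl->len : hdr;
    if (memcmp(dl->buf, PEM_BEGIN, cmp) != 0) {
        dl->rejected = CERT_NOT_PEM;
        return 0;
    }
    return chunk;
}

/* Feed a constructed body to the callback in chunk_size pieces, as libcurl
 * would, and return the CERT_* outcome. */
static int simulate_download(const char *body, size_t body_len, size_t chunk_size, size_t max_len)
{
    struct cert_download dl = { NULL, 0, max_len, CERT_OK };
    size_t off = 0;
    int rc;

    if (chunk_size == 0) chunk_size = 1;
    while (off < body_len) {
        size_t n = body_len - off < chunk_size ? body_len - off : chunk_size;
        if (cert_write_cb((char *)body + off, 1, n, &dl) != n) break;
        off += n;
    }
    rc = dl.rejected;
    /* Passing the start check is not enough: the body must be a whole certificate. */
    if (rc == CERT_OK && (dl.len < strlen(PEM_BEGIN) || !strstr(dl.buf, PEM_END))) {
        rc = CERT_TRUNCATED;
    }
    free(dl.buf);
    return rc;
}

/* Constructed sample bodies; the base64 line is placeholder text, not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderplaceholderplaceholderplaceholder\n"
    "-----END CERTIFICATE-----\n";
static const char SAMPLE_HTML[] = "<!DOCTYPE html><html><body>not a certificate</body></html>";

int main(void)
{
    size_t big_len = (size_t)MAX_CERT_BYTES * 4;
    char *big = malloc(big_len);

    printf("valid PEM:      %d\n", simulate_download(SAMPLE_PEM, sizeof(SAMPLE_PEM) - 1, 16, MAX_CERT_BYTES));
    printf("HTML body:      %d\n", simulate_download(SAMPLE_HTML, sizeof(SAMPLE_HTML) - 1, 16, MAX_CERT_BYTES));
    if (big) {
        /* A plausible start followed by filler far past the cap: aborted at the cap. */
        memset(big, 'A', big_len);
        memcpy(big, PEM_BEGIN, strlen(PEM_BEGIN));
        printf("oversized body: %d\n", simulate_download(big, big_len, 1024, MAX_CERT_BYTES));
        free(big);
    }
    return 0;
}
```

The cap is enforced inside the callback rather than from the Content-Length header because the server controls that header and can also send a chunked response with no length at all; the only thing the client controls is how many bytes it is willing to store. Checking the prefix on every chunk, rather than once the download is complete, is what stops a non-certificate response from consuming the whole cap before it is thrown away.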
Comments:

By: Asterisk Team (asteriskteam) 2022-01-21 11:57:46.122-0600
This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged. Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue.

By: Friendly Automation (friendly-automation) 2022-04-14 13:30:16.421-0500
Change 18379 merged by Friendly Automation: AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.
https://gerrit.asterisk.org/c/asterisk/+/18379

By: Friendly Automation (friendly-automation) 2022-04-14 14:29:14.116-0500
Change 18393 merged by Michael Bradeen: AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.
https://gerrit.asterisk.org/c/asterisk/+/18393

By: Friendly Automation (friendly-automation) 2022-04-14 14:35:26.324-0500
Change 18392 merged by Michael Bradeen: AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.
https://gerrit.asterisk.org/c/asterisk/+/18392

By: Friendly Automation (friendly-automation) 2022-04-14 14:35:44.057-0500
Change 18391 merged by Michael Bradeen: AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.
https://gerrit.asterisk.org/c/asterisk/+/18391

By: Friendly Automation (friendly-automation) 2022-04-14 14:54:57.707-0500
Change 18401 merged by Friendly Automation: AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.
https://gerrit.asterisk.org/c/asterisk/+/18401

By: Friendly Automation (friendly-automation) 2022-04-14 15:13:38.041-0500
Change 18402 merged by Friendly Automation: AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.
https://gerrit.asterisk.org/c/asterisk/+/18402

By: Friendly Automation (friendly-automation) 2022-04-14 16:56:57.492-0500
Change 18378 merged by Joshua Colp: AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.
https://gerrit.asterisk.org/c/asterisk/+/18378

By: Friendly Automation (friendly-automation) 2022-04-14 16:57:10.696-0500
Change 18400 merged by Joshua Colp: AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.
https://gerrit.asterisk.org/c/asterisk/+/18400