Bug 10743 - freeswitch new security issue CVE-2013-2238
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/567504/
Whiteboard: has_procedure MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Reported: 2013-07-09 21:22 CEST by David Walser
Modified: 2013-09-19 21:19 CEST
Source RPM: freeswitch-1.2.8-1.mga3.src.rpm

Description David Walser 2013-07-09 21:22:24 CEST
Some buffer overflow issues were found in freeswitch:
http://openwall.com/lists/oss-security/2013/07/04/4

An upstream bug report and possibly a patch to fix it are linked there.

David Walser 2013-07-09 21:22:31 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Daniel Lucio 2013-08-17 21:08:33 CEST
Freeswitch 1.2.12 pushed in testing
Comment 2 David Walser 2013-08-17 21:47:07 CEST
Thanks Daniel!

Advisory:
========================

Updated freeswitch packages fix security vulnerability:

In FreeSWITCH before 1.2.12, if the routing configuration includes regular
expressions that don't constrain the length of the input, buffer overflows are
possible.  Since these regular expressions are matched against untrusted input,
remote code execution may be possible (CVE-2013-2238).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2238
http://openwall.com/lists/oss-security/2013/07/01/11
http://jira.freeswitch.org/browse/FS-5566
========================

Updated packages in core/updates_testing:
========================
freeswitch-1.2.12-1.mga3
libfreeswitch1-1.2.12-1.mga3
libfreeswitch-devel-1.2.12-1.mga3
freeswitch-application-abstraction-1.2.12-1.mga3
freeswitch-application-avmd-1.2.12-1.mga3
freeswitch-application-blacklist-1.2.12-1.mga3
freeswitch-application-callcenter-1.2.12-1.mga3
freeswitch-application-cidlookup-1.2.12-1.mga3
freeswitch-application-conference-1.2.12-1.mga3
freeswitch-application-curl-1.2.12-1.mga3
freeswitch-application-db-1.2.12-1.mga3
freeswitch-application-directory-1.2.12-1.mga3
freeswitch-application-distributor-1.2.12-1.mga3
freeswitch-application-easyroute-1.2.12-1.mga3
freeswitch-application-enum-1.2.12-1.mga3
freeswitch-application-esf-1.2.12-1.mga3
freeswitch-application-expr-1.2.12-1.mga3
freeswitch-application-fifo-1.2.12-1.mga3
freeswitch-application-fsk-1.2.12-1.mga3
freeswitch-application-fsv-1.2.12-1.mga3
freeswitch-application-hash-1.2.12-1.mga3
freeswitch-application-httapi-1.2.12-1.mga3
freeswitch-application-http-cache-1.2.12-1.mga3
freeswitch-application-lcr-1.2.12-1.mga3
freeswitch-application-limit-1.2.12-1.mga3
freeswitch-application-memcache-1.2.12-1.mga3
freeswitch-application-nibblebill-1.2.12-1.mga3
freeswitch-application-redis-1.2.12-1.mga3
freeswitch-application-rss-1.2.12-1.mga3
freeswitch-application-ha_cluster-1.2.12-1.mga3
freeswitch-application-sms-1.2.12-1.mga3
freeswitch-application-snapshot-1.2.12-1.mga3
freeswitch-application-snom-1.2.12-1.mga3
freeswitch-application-soundtouch-1.2.12-1.mga3
freeswitch-application-spy-1.2.12-1.mga3
freeswitch-application-stress-1.2.12-1.mga3
freeswitch-application-valet_parking-1.2.12-1.mga3
freeswitch-application-voicemail-1.2.12-1.mga3
freeswitch-application-voicemail-ivr-1.2.12-1.mga3
freeswitch-asrtts-flite-1.2.12-1.mga3
freeswitch-asrtts-pocketsphinx-1.2.12-1.mga3
freeswitch-asrtts-tts-commandline-1.2.12-1.mga3
freeswitch-asrtts-unimrcp-1.2.12-1.mga3
freeswitch-codec-passthru-amr-1.2.12-1.mga3
freeswitch-codec-passthru-amrwb-1.2.12-1.mga3
freeswitch-codec-bv-1.2.12-1.mga3
freeswitch-codec-celt-1.2.12-1.mga3
freeswitch-codec-codec2-1.2.12-1.mga3
freeswitch-codec-passthru-g723_1-1.2.12-1.mga3
freeswitch-codec-passthru-g729-1.2.12-1.mga3
freeswitch-codec-h26x-1.2.12-1.mga3
freeswitch-codec-ilbc-1.2.12-1.mga3
freeswitch-codec-isac-1.2.12-1.mga3
freeswitch-codec-mp4v-1.2.12-1.mga3
freeswitch-codec-opus-1.2.12-1.mga3
freeswitch-codec-silk-1.2.12-1.mga3
freeswitch-codec-speex-1.2.12-1.mga3
freeswitch-codec-theora-1.2.12-1.mga3
freeswitch-directory-ldap-1.2.12-1.mga3
freeswitch-endpoint-dingaling-1.2.12-1.mga3
freeswitch-endpoint-portaudio-1.2.12-1.mga3
freeswitch-endpoint-rtmp-1.2.12-1.mga3
freeswitch-endpoint-skinny-1.2.12-1.mga3
freeswitch-freetdm-1.2.12-1.mga3
freeswitch-endpoint-skypopen-1.2.12-1.mga3
dkms-skypopen-1.2.12-1.mga3
freeswitch-event-cdr-mongodb-1.2.12-1.mga3
freeswitch-event-cdr-pg-csv-1.2.12-1.mga3
freeswitch-event-cdr-sqlite-1.2.12-1.mga3
freeswitch-event-erlang-event-1.2.12-1.mga3
freeswitch-event-multicast-1.2.12-1.mga3
freeswitch-event-json-cdr-1.2.12-1.mga3
freeswitch-event-snmp-1.2.12-1.mga3
freeswitch-format-local-stream-1.2.12-1.mga3
freeswitch-format-native-file-1.2.12-1.mga3
freeswitch-format-portaudio-stream-1.2.12-1.mga3
freeswitch-format-shell-stream-1.2.12-1.mga3
freeswitch-format-mod-shout-1.2.12-1.mga3
freeswitch-format-tone-stream-1.2.12-1.mga3
freeswitch-lua-1.2.12-1.mga3
freeswitch-perl-1.2.12-1.mga3
freeswitch-python-1.2.12-1.mga3
freeswitch-lang-en-1.2.12-1.mga3
freeswitch-lang-es-1.2.12-1.mga3
freeswitch-lang-pt-1.2.12-1.mga3
freeswitch-lang-ru-1.2.12-1.mga3
freeswitch-lang-fr-1.2.12-1.mga3
freeswitch-lang-de-1.2.12-1.mga3
freeswitch-lang-he-1.2.12-1.mga3
freeswitch-timer-posix-1.2.12-1.mga3
freeswitch-xml-cdr-1.2.12-1.mga3
freeswitch-xml-curl-1.2.12-1.mga3
freeswitch-config-vanilla-1.2.12-1.mga3
freeswitch-sounds-en-1.2.12-1.mga3
freeswitch-sounds-moh-1.2.12-1.mga3
freeswitch-sounds-ru-1.2.12-1.mga3
freeswitch-sounds-es-1.2.12-1.mga3
freeswitch-sounds-fr-1.2.12-1.mga3
freeswitch-sounds-sv-1.2.12-1.mga3
nagios-check_freeswitch-1.2.12-1.mga3

from freeswitch-1.2.12-1.mga3.src.rpm

CC: (none) => luis.daniel.lucio
Version: Cauldron => 3
Assignee: luis.daniel.lucio => qa-bugs
Whiteboard: MGA3TOO => (none)
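
Added example (not part of the bug report, the advisory, or FreeSWITCH's own code): a Python audit of dialplan XML that flags `condition` expressions containing unbounded quantifiers (`*`, `+`, `{n,}`), used here as a heuristic for the "regular expressions that don't constrain the length of the input" named in the advisory above. The sample dialplan, its extension names, and the helper names `unbounded_quantifiers` and `audit_dialplan` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dialplan fragment (not taken from the bug report).
SAMPLE_DIALPLAN = r"""<context name="public">
  <extension name="unbounded_digits">
    <condition field="destination_number" expression="^(\d+)$"/>
  </extension>
  <extension name="bounded_digits">
    <condition field="destination_number" expression="^(\d{4,15})$"/>
  </extension>
  <extension name="catch_all">
    <condition field="caller_id_name" expression="^(.*)$"/>
  </extension>
  <extension name="open_ended_range">
    <condition field="destination_number" expression="^9(\d{7,})$"/>
  </extension>
  <extension name="literal_plus">
    <condition field="destination_number" expression="^\+1(\d{10})$"/>
  </extension>
</context>"""

OPEN_RANGE = re.compile(r"\{\d+,\}")  # {n,} has no upper bound

def unbounded_quantifiers(pattern):
    """Heuristic scan: list the *, + and {n,} quantifiers in a regex."""
    found, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":            # escaped character (\+, \d): skip the next char too
            i += 1
        elif in_class:            # inside [...] these characters are literals
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch in "*+":
            found.append(ch)
        elif OPEN_RANGE.match(pattern, i):
            found.append(OPEN_RANGE.match(pattern, i).group(0))
        i += 1
    return found

def audit_dialplan(xml_text):
    """Return (extension, field, expression, quantifiers) per flagged condition."""
    findings = []
    for ext in ET.fromstring(xml_text).iter("extension"):
        for cond in ext.iter("condition"):
            expr = cond.get("expression") or ""
            hits = unbounded_quantifiers(expr)
            if hits:
                findings.append((ext.get("name"), cond.get("field"), expr, hits))
    return findings

if __name__ == "__main__":
    print(*audit_dialplan(SAMPLE_DIALPLAN), sep="\n")
```

A flagged expression is a prompt for review rather than proof of exposure; the advisory's remedy is the update to 1.2.12.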

Comment 3 claire robinson 2013-08-20 16:48:38 CEST
Some info for testing:

http://wiki.freeswitch.org/wiki/Linux_Quick_Install_Guide#Test_a_SIP_Phone
claire robinson 2013-08-20 16:50:36 CEST

Whiteboard: (none) => has_procedure

Comment 4 claire robinson 2013-08-20 16:55:58 CEST
SIP client software includes ekiga, linphone, qutecom
Comment 5 claire robinson 2013-08-20 17:25:16 CEST
Testing mga3 64 - freeswitch service fails to start. Not sure what the issue is.

# service freeswitch status
Redirecting to /bin/systemctl status freeswitch.service
freeswitch.service - The FREESwitch  Server
          Loaded: loaded (/usr/lib/systemd/system/freeswitch.service; enabled)
          Active: failed (Result: exit-code) since Tue, 2013-08-20 16:16:55 BST; 4s ago
         Process: 1663 ExecStop=/usr/bin/freeswitch -stop (code=exited, status=0/SUCCESS)
         Process: 1653 ExecStart=/usr/bin/freeswitch -nc $FREESWITCH_PARAMS (code=exited, status=0/SUCCESS)
        Main PID: 1655 (code=exited, status=255)
          CGroup: name=systemd:/system/freeswitch.service
freeswitch[1653]: 1655 Backgrounding.
systemd[1]: Started The FREESwitch  Server.
systemd[1]: freeswitch.service: main process exited, code=exited, status=255/n/a
freeswitch[1663]: Killing: 1655
systemd[1]: Unit freeswitch.service entered failed state


It leaves a pid file behind owned by root which seems wrong, given that the directory is owned by freeswitch:daemon


# ll /run/freeswitch/
total 4
-rw------- 1 root root 4 Aug 20 16:18 freeswitch.pid

# ll -d /run/freeswitch/
drwxr-x--- 2 freeswitch daemon 60 Aug 20 16:18 /run/freeswitch//

Starting manually gives an error but may be missing some options..

# freeswitch
2013-08-20 16:21:50.947592 [INFO] switch_event.c:596 Activate Eventing Engine.
2013-08-20 16:21:50.948042 [WARNING] switch_event.c:570 Create additional event dispatch thread 0
2013-08-20 16:21:50.948134 [ERR] switch_xml.c:1385 Couldnt open /etc/freeswitch/freeswitch.xml (No such file or directory)
Cannot Initialize [Cannot Open log directory or XML Root!]


# ll /etc/freeswitch/
total 24
-rwxr-x--- 1 freeswitch daemon 18814 Aug 17 19:26 autoload_configs*
-rw------- 1 root       daemon    13 Aug 20 15:52 freeswitch.serial
Comment 6 David Walser 2013-08-20 17:32:27 CEST
The PID file is fine, just means the process that created it was running as root, but that won't cause any problems.

It looks like it's missing a default configuration file (freeswitch.xml), and I was under the impression from the description of the security issue that there is supposed to be a default configuration file.  Daniel, any advice?

Whiteboard: has_procedure => has_procedure feedback

Comment 7 claire robinson 2013-08-20 17:36:23 CEST
There must be a missing conflict there somewhere as it does start after uninstalling all freeswitch packages and just installing a minimal set with 'urpmi freeswitch'

# urpmi freeswitch
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  gdbm                           1.10         3.mga3        x86_64  
(medium "Core Updates Testing")
  freeswitch                     1.2.12       1.mga3        x86_64  
  freeswitch-lang-en             1.2.12       1.mga3        x86_64  (suggested)
  lib64freeswitch1               1.2.12       1.mga3        x86_64
Comment 8 claire robinson 2013-08-20 17:45:46 CEST
Still something wrong though..

systemd[1]: Started The FREESwitch  Server.
systemd[1]: freeswitch.service: main process exited, code=exited, status=255/n/a

Confirmed it isn't running with ps and netstat
Comment 9 claire robinson 2013-08-20 17:49:00 CEST
Again it's leaving the pid, so something not right. The pid prevents it from starting again, and stopping the failed service doesn't remove it.

Once removed manually the service claims to be active again but is actually failing as above.
Comment 10 claire robinson 2013-08-20 17:51:46 CEST
Also, when installed, it selects the correct language (freeswitch-lang-en) but doesn't install the relevant sounds package (freeswitch-sounds-en)
Comment 11 David Walser 2013-08-23 18:41:19 CEST
Daniel tells me that the default config file freeswitch.xml is in the freeswitch-config-vanilla subpackage.  Possibly that package could be suggested (although it would make more sense to Suggests: freeswitch-config and have freeswitch-config-vanilla Provides: freeswitch-config so organizations could make their own package providing it), or just documented in a README.install.urpmi or something like that.
Comment 12 Daniel Lucio 2013-08-23 19:20:58 CEST
Submitted with the following changes

- new provides to config-vanilla in order to let 3rd party packages provide their own configuration
- new suggest in lang package to let the user install sounds
Comment 13 David Walser 2013-08-23 19:27:07 CEST
Thanks Daniel.  freeswitch-1.2.12-2.mga3 is building now.

Whiteboard: has_procedure feedback => has_procedure

Comment 14 David Walser 2013-08-23 23:18:48 CEST
freeswitch-1.2.12-3.mga3 is built now, with another minor change to the config package.
Comment 15 claire robinson 2013-08-27 16:10:00 CEST
It now installs 52 packages with 'urpmi freeswitch' including the correct lang and sounds but it still fails to start, sorry. An interesting new error message though which returns no results from google :\

systemd[1]: Starting The FREESwitch  Server...
freeswitch[10670]: /usr/bin/freeswitch: symbol lookup error: /usr/bin/freeswitch: undefined symbol: SWITCH_GLOBAL_filenames
systemd[1]: Failed to start The FREESwitch  Server.
systemd[1]: Unit freeswitch.service entered failed state
claire robinson 2013-08-27 16:10:11 CEST

Whiteboard: has_procedure => has_procedure feedback

Comment 16 Daniel Lucio 2013-08-29 18:20:55 CEST
Please paste me the output from the command line, with no options
Comment 17 claire robinson 2013-08-29 22:03:20 CEST
# freeswitch
2013-08-29 21:02:54.895254 [INFO] switch_event.c:596 Activate Eventing Engine.
2013-08-29 21:02:54.905714 [WARNING] switch_event.c:570 Create additional event dispatch thread 0
2013-08-29 21:02:54.928594 [ERR] switch_xml.c:1385 Couldnt open /etc/freeswitch/freeswitch.xml (No such file or directory)
Cannot Initialize [Cannot Open log directory or XML Root!]
Comment 18 David Walser 2013-08-29 22:13:15 CEST
(In reply to claire robinson from comment #17)
> # freeswitch
> 2013-08-29 21:02:54.895254 [INFO] switch_event.c:596 Activate Eventing
> Engine.
> 2013-08-29 21:02:54.905714 [WARNING] switch_event.c:570 Create additional
> event dispatch thread 0
> 2013-08-29 21:02:54.928594 [ERR] switch_xml.c:1385 Couldnt open
> /etc/freeswitch/freeswitch.xml (No such file or directory)
> Cannot Initialize [Cannot Open log directory or XML Root!]

No symbol error now?  Doesn't freeswitch.xml exist now that you have freeswitch-config-vanilla installed?
Comment 19 claire robinson 2013-08-29 22:15:13 CEST
# ll /etc/freeswitch/
total 24
-rwxr-x--- 1 freeswitch daemon 18814 Aug 23 20:51 autoload_configs*
-rw------- 1 root       daemon    13 Aug 20 15:52 freeswitch.serial

# rpm -q freeswitch-config-vanilla
freeswitch-config-vanilla-1.2.12-3.mga3
Comment 20 Daniel Lucio 2013-09-04 18:44:26 CEST
Ha, freeswitch.xml is missing,
I'm pushing a new build.
Comment 21 David Walser 2013-09-04 19:13:15 CEST
Daniel, the change you just made will not fix this.  You just made it so that it will own /etc/freeswitch (which is good), but it still will not have /etc/freeswitch/freeswitch.xml in the package, because of this:
#config(noreplace) %attr(0660, freeswitch, daemon) %{_sysconfdir}/*.xml

Notice that it's commented out.  If freeswitch.xml really exists in the buildroot, the build should fail complaining about unpackaged files, so I'm guessing there's also something missing in the %install section to make it actually install freeswitch.xml to %{buildroot}/etc/freeswitch/ in the first place.
Comment 22 Daniel Lucio 2013-09-05 13:36:28 CEST
Try the latest build.
Comment 23 David Walser 2013-09-05 15:25:07 CEST
Thanks Daniel.  This should be fixed in freeswitch-1.2.12-5.mga3.

Whiteboard: has_procedure feedback => has_procedure

Comment 24 David Walser 2013-09-06 03:11:15 CEST
Now it's freeswitch-1.2.12-6.mga3.
Comment 25 Daniel Lucio 2013-09-07 00:44:40 CEST
Did it work for you?
Comment 26 David Walser 2013-09-07 00:46:25 CEST
Nobody's tested it since the last build.  They'll leave a note here once they do.
Comment 27 Dave Hodgins 2013-09-12 23:18:38 CEST
Advisory 10743.adv committed to svn.

CC: (none) => davidwhodgins

Comment 28 David Walser 2013-09-12 23:28:12 CEST
Is the something-1.0-1.mga2 supposed to be in 10743.adv?
Comment 29 Dave Hodgins 2013-09-13 00:32:00 CEST
(In reply to David Walser from comment #28)
> Is the something-1.0-1.mga2 supposed to be in 10743.adv?

Nope. Thanks for catching that. When the script is run to add an advisory,
the template starts out as ...
type: security
subject: Updated [package] package fixes [something]
CVE:
 - first CVE
 - second CVE
src:
  2:
   core:
     - something-1.0-1.mga2
  3:
   core:
     - something-1.0-1.mga3
description: |
  Advisory text to describe the update.
  Wrap lines at ~75 chars.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=00000

The 00000 is replaced by the bug number. After adding the other parts, I forgot
to delete the lines for the Mageia 2 source rpms.

The advisory has been corrected.
Comment 30 Dave Hodgins 2013-09-16 01:01:17 CEST
The service can now be started after installing using "urpmi -ya freeswitch",
but it cannot be restarted, as the pid file does not get deleted.

Whiteboard: has_procedure => has_procedure feedback

Comment 31 Dave Hodgins 2013-09-16 01:09:41 CEST
Sorry, I was wrong about the pid file not getting deleted.

I'm getting inconsistent results ...
[root@x3v ~]# systemctl restart freeswitch.service
[root@x3v ~]# systemctl status freeswitch.service
freeswitch.service - The FREESwitch  Server
          Loaded: loaded (/usr/lib/systemd/system/freeswitch.service; enabled)
          Active: failed (Result: exit-code) since Sun, 2013-09-15 18:59:42 EDT; 7s ago
         Process: 26180 ExecStop=/usr/bin/freeswitch -stop (code=exited, status=255)
         Process: 26173 ExecStart=/usr/bin/freeswitch -nc $FREESWITCH_PARAMS (code=exited, status=0/SUCCESS)
        Main PID: 22972 (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/freeswitch.service

Sep 15 18:59:38 x3v.hodgins.homeip.net systemd[1]: Starting The FREESwitch  Server...
Sep 15 18:59:38 x3v.hodgins.homeip.net systemd[1]: Started The FREESwitch  Server.
Sep 15 18:59:38 x3v.hodgins.homeip.net freeswitch[26173]: 26175 Backgrounding.
Sep 15 18:59:42 x3v.hodgins.homeip.net freeswitch[26180]: Cannot open pid file /run/freeswitch/freeswitch.pid.
Sep 15 18:59:42 x3v.hodgins.homeip.net systemd[1]: Unit freeswitch.service entered failed state
[root@x3v ~]# ll /run/freeswitch/freeswitch.pid
ls: cannot access /run/freeswitch/freeswitch.pid: No such file or directory
[root@x3v ~]# systemctl restart freeswitch.service
[root@x3v ~]# systemctl status freeswitch.service
freeswitch.service - The FREESwitch  Server
          Loaded: loaded (/usr/lib/systemd/system/freeswitch.service; enabled)
          Active: active (running) since Sun, 2013-09-15 19:07:31 EDT; 3s ago
         Process: 26180 ExecStop=/usr/bin/freeswitch -stop (code=exited, status=255)
         Process: 26514 ExecStart=/usr/bin/freeswitch -nc $FREESWITCH_PARAMS (code=exited, status=0/SUCCESS)
        Main PID: 26516 (freeswitch)
          CGroup: name=systemd:/system/freeswitch.service
                  └ 26516 /usr/bin/freeswitch -nc

Sep 15 19:07:31 x3v.hodgins.homeip.net freeswitch[26514]: 26516 Backgrounding.
Sep 15 19:07:31 x3v.hodgins.homeip.net systemd[1]: Started The FREESwitch  Server.
Comment 32 Dave Hodgins 2013-09-16 01:47:58 CEST
I can't recreate the problem with restarting, and as this is a security
update involving the possibility of remote code execution, I'm going
ahead and validating the update.

Someone from the sysadmin team please push 10743.adv to updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure feedback => has_procedure MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 33 Thomas Backlund 2013-09-19 11:50:38 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0279.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-09-19 21:19:56 CEST

URL: (none) => http://lwn.net/Vulnerabilities/567504/
