Update for 22.5.1

UpgradeNote: The safe_asterisk script now checks that, if it was run by the
root user, the /etc/asterisk/startup.d directory and all the files it contains
are owned by root.  If the checks fail, safe_asterisk will exit with an error
and Asterisk will not be started.  Additionally, the default logging
destination is now stderr instead of tty "9" which probably won't exist
in modern systems.

Resolves: #GHSA-v9q8-9j8m-5xwp

.version

@@ -1 +1 @@
-22.5.0
+22.5.1

CHANGES.html

@@ -1 +1 @@
-ChangeLogs/ChangeLog-22.5.0.html
+ChangeLogs/ChangeLog-22.5.1.html

CHANGES.md

@@ -1 +1 @@
-ChangeLogs/ChangeLog-22.5.0.md
+ChangeLogs/ChangeLog-22.5.1.md

ChangeLogs/ChangeLog-22.5.1.html

@@ -0,0 +1,78 @@
+<html><head><title>ChangeLog for asterisk-22.5.1</title></head><body>
+<h2>Change Log for Release asterisk-22.5.1</h2>
+<h3>Links:</h3>
+<ul>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.5.1.html">Full ChangeLog</a>  </li>
+<li><a href="https://github.com/asterisk/asterisk/compare/22.5.0...22.5.1">GitHub Diff</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.5.1.tar.gz">Tarball</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk">Downloads</a>  </li>
+</ul>
+<h3>Summary:</h3>
+<ul>
+<li>Commits: 2</li>
+<li>Commit Authors: 2</li>
+<li>Issues Resolved: 0</li>
+<li>Security Advisories Resolved: 2</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr">GHSA-mrq5-74j5-f5cr</a>: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp">GHSA-v9q8-9j8m-5xwp</a>: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.</li>
+</ul>
+<h3>User Notes:</h3>
+<h3>Upgrade Notes:</h3>
+<ul>
+<li>
+<h4>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</h4>
+  The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.</li>
+</ul>
+<h3>Developer Notes:</h3>
+<h3>Commit Authors:</h3>
+<ul>
+<li>George Joseph: (1)</li>
+<li>ThatTotallyRealMyth: (1)</li>
+</ul>
+<h2>Issue and Commit Detail:</h2>
+<h3>Closed Issues:</h3>
+<ul>
+<li>!GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c</li>
+<li>!GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.</li>
+</ul>
+<h3>Commits By Author:</h3>
+<ul>
+<li>
+<h4>George Joseph (1):</h4>
+</li>
+<li>
+<p>res_stir_shaken: Test for missing semicolon in Identity header.</p>
+</li>
+<li>
+<h4>ThatTotallyRealMyth (1):</h4>
+</li>
+<li>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</li>
+</ul>
+<h3>Commit List:</h3>
+<ul>
+<li>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</li>
+<li>res_stir_shaken: Test for missing semicolon in Identity header.</li>
+</ul>
+<h3>Commit Details:</h3>
+<h4>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</h4>
+<p>Author: ThatTotallyRealMyth
+  Date:   2025-06-10</p>
+<p>UpgradeNote: The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.</p>
+<p>Resolves: #GHSA-v9q8-9j8m-5xwp</p>
+<h4>res_stir_shaken: Test for missing semicolon in Identity header.</h4>
+<p>Author: George Joseph
+  Date:   2025-07-31</p>
+<p>ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
+  the Identity header to prevent a possible segfault.</p>
+<p>Resolves: #GHSA-mrq5-74j5-f5cr</p>
+</body></html>

ChangeLogs/ChangeLog-22.5.1.md

@@ -0,0 +1,86 @@
+
+## Change Log for Release asterisk-22.5.1
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.5.1.html)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/22.5.0...22.5.1)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.5.1.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+### Summary:
+
+- Commits: 2
+- Commit Authors: 2
+- Issues Resolved: 0
+- Security Advisories Resolved: 2
+  - [GHSA-mrq5-74j5-f5cr](https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr): Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
+  - [GHSA-v9q8-9j8m-5xwp](https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp): Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
+
+### User Notes:
+
+
+### Upgrade Notes:
+
+- #### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.  
+  The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.
+
+
+### Developer Notes:
+
+
+### Commit Authors:
+
+- George Joseph: (1)
+- ThatTotallyRealMyth: (1)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+  - !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
+  - !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
+
+### Commits By Author:
+
+- #### George Joseph (1):
+  - res_stir_shaken: Test for missing semicolon in Identity header.
+
+- #### ThatTotallyRealMyth (1):
+  - safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+
+
+### Commit List:
+
+-  safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+-  res_stir_shaken: Test for missing semicolon in Identity header.
+
+### Commit Details:
+
+#### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+  Author: ThatTotallyRealMyth
+  Date:   2025-06-10
+
+  UpgradeNote: The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.
+
+  Resolves: #GHSA-v9q8-9j8m-5xwp
+
+#### res_stir_shaken: Test for missing semicolon in Identity header.
+  Author: George Joseph
+  Date:   2025-07-31
+
+  ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
+  the Identity header to prevent a possible segfault.
+
+  Resolves: #GHSA-mrq5-74j5-f5cr
+

README.html

@@ -1,4 +1,4 @@
-<html><head><title>Readme for asterisk-22.5.0</title></head><body>
+<html><head><title>Readme for asterisk-22.5.1</title></head><body>
 <h1>The Asterisk(R) Open Source PBX</h1>
 <pre><code>By Mark Spencer &lt;markster@digium.com&gt; and the Asterisk.org developer community.
 Copyright (C) 2001-2025 Sangoma Technologies Corporation and other copyright holders.
@@ -37,7 +37,7 @@ hardware.</p>
 <p>If you are updating from a previous version of Asterisk, make sure you
 read the Change Logs.</p>
 <!-- CHANGELOGS (the URL will change based on the location of this README) -->
-<p><a href="ChangeLogs/ChangeLog-22.5.0.html">Change Logs</a></p>
+<p><a href="ChangeLogs/ChangeLog-22.5.1.html">Change Logs</a></p>
 <!-- END-CHANGELOGS -->
 
 <h3>NEW INSTALLATIONS</h3>

README.md

@@ -55,7 +55,7 @@ If you are updating from a previous version of Asterisk, make sure you
 read the Change Logs.
 
 <!-- CHANGELOGS (the URL will change based on the location of this README) -->
-[Change Logs](ChangeLogs/ChangeLog-22.5.0.html)
+[Change Logs](ChangeLogs/ChangeLog-22.5.1.html)
 <!-- END-CHANGELOGS -->
 
 ### NEW INSTALLATIONS

contrib/scripts/safe_asterisk

@@ -6,7 +6,7 @@ ASTVARRUNDIR="__ASTERISK_VARRUN_DIR__"
 ASTVARLOGDIR="__ASTERISK_LOG_DIR__"
 
 CLIARGS="$*"			# Grab any args passed to safe_asterisk
-TTY=9				# TTY (if you want one) for Asterisk to run on
+#TTY=9				# TTY (if you want one) for Asterisk to run on
 CONSOLE=yes			# Whether or not you want a console
 #NOTIFY=root@localhost		# Who to notify about crashes
 #EXEC=/path/to/somescript	# Run this command if Asterisk crashes
@@ -39,6 +39,8 @@ PRIORITY=0
 message() {
 	if test -n "$TTY" && test "$TTY" != "no"; then
 		echo "$1" >/dev/${TTY}
+	else
+		echo "$1" >&2
 	fi
 	if test -n "$SYSLOG"; then
 		logger -p "${SYSLOG}.warn" -t safe_asterisk[$$] "$1"
@@ -64,7 +66,7 @@ if test `id -u` != 0; then
 	echo "Oops. I'm not root. Falling back to standard prio and file max." >&2
 	echo "This is NOT suitable for large systems." >&2
 	PRIORITY=0
-	message "safe_asterisk was started by `id -n` (uid `id -u`)."
+	message "safe_asterisk was started by `id -un` (uid `id -u`)."
 else
 	if `uname -s | grep Linux >/dev/null 2>&1`; then
 		# maximum number of open files is set to the system maximum
@@ -160,10 +162,30 @@ trap '' PIPE
 #
 
 if test -d "${ASTETCDIR}/startup.d"; then
-	for script in "${ASTETCDIR}/startup.d/"*.sh; do
-		if test -r "${script}"; then
-			. "${script}"
+	# If this script is run by root, the startup.d directory and all scripts in it
+	# must be owned by root.
+	if test `id -u` == 0; then
+		dir_owner=$(stat -c '%u' "${ASTETCDIR}/startup.d" 2>/dev/null)
+		if test "${dir_owner}" != 0 ; then
+			message "FATAL: ${ASTETCDIR}/startup.d is not owned by root"
+			exit 1
 		fi
+
+		# Check all scripts for proper ownership before sourcing any of them.
+		for script in $(find "${ASTETCDIR}/startup.d/" -name '*.sh') ; do
+			if test -r "${script}"; then
+				script_owner=$(stat -c '%u' "${script}" 2>/dev/null)
+				if test "$script_owner" != 0 ; then
+					message "FATAL: Script $(basename "$script") is not owned by root"
+					exit 1
+				fi
+			fi
+		done
+	fi
+
+	for script in $(find "${ASTETCDIR}/startup.d/" -name '*.sh') ; do
+		echo sourceing
+		. "${script}"
 	done
 fi
 

res/res_stir_shaken/verification.c

@@ -921,6 +921,11 @@ enum ast_stir_shaken_vs_response_code
 	}
 
 	p = strchr(ctx->identity_hdr, ';');
+	if (ast_strlen_zero(p)) {
+		SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_HEADER,
+			LOG_ERROR, "%s: Malformed identity header\n", ctx->tag);
+	}
+
 	len = p - ctx->identity_hdr + 1;
 	jwt_encoded = ast_malloc(len);
 	if (!jwt_encoded) {
@@ -931,7 +936,11 @@ enum ast_stir_shaken_vs_response_code
 	memcpy(jwt_encoded, ctx->identity_hdr, len);
 	jwt_encoded[len - 1] = '\0';
 
-	jwt_decode(&jwt, jwt_encoded, NULL, 0);
+	rc = jwt_decode(&jwt, jwt_encoded, NULL, 0);
+	if (rc != 0) {
+		SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_HEADER, "%s: %s\n",
+			ctx->tag, vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_HEADER));
+	}
 
 	ppt_header = jwt_get_header(jwt, "ppt");
 	if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_PPT)) {