Update for 22.5.2

In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cauase a SEGV.  We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.

Resolves: #GHSA-64qc-9x89-rx5j

.version

@@ -1 +1 @@
-22.5.0
+22.5.2

CHANGES.html

@@ -1 +1 @@
-ChangeLogs/ChangeLog-22.5.0.html
+ChangeLogs/ChangeLog-22.5.2.html

CHANGES.md

@@ -1 +1 @@
-ChangeLogs/ChangeLog-22.5.0.md
+ChangeLogs/ChangeLog-22.5.2.md

ChangeLogs/ChangeLog-22.5.1.html

@@ -0,0 +1,78 @@
+<html><head><title>ChangeLog for asterisk-22.5.1</title></head><body>
+<h2>Change Log for Release asterisk-22.5.1</h2>
+<h3>Links:</h3>
+<ul>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.5.1.html">Full ChangeLog</a>  </li>
+<li><a href="https://github.com/asterisk/asterisk/compare/22.5.0...22.5.1">GitHub Diff</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.5.1.tar.gz">Tarball</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk">Downloads</a>  </li>
+</ul>
+<h3>Summary:</h3>
+<ul>
+<li>Commits: 2</li>
+<li>Commit Authors: 2</li>
+<li>Issues Resolved: 0</li>
+<li>Security Advisories Resolved: 2</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr">GHSA-mrq5-74j5-f5cr</a>: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp">GHSA-v9q8-9j8m-5xwp</a>: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.</li>
+</ul>
+<h3>User Notes:</h3>
+<h3>Upgrade Notes:</h3>
+<ul>
+<li>
+<h4>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</h4>
+  The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.</li>
+</ul>
+<h3>Developer Notes:</h3>
+<h3>Commit Authors:</h3>
+<ul>
+<li>George Joseph: (1)</li>
+<li>ThatTotallyRealMyth: (1)</li>
+</ul>
+<h2>Issue and Commit Detail:</h2>
+<h3>Closed Issues:</h3>
+<ul>
+<li>!GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c</li>
+<li>!GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.</li>
+</ul>
+<h3>Commits By Author:</h3>
+<ul>
+<li>
+<h4>George Joseph (1):</h4>
+</li>
+<li>
+<p>res_stir_shaken: Test for missing semicolon in Identity header.</p>
+</li>
+<li>
+<h4>ThatTotallyRealMyth (1):</h4>
+</li>
+<li>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</li>
+</ul>
+<h3>Commit List:</h3>
+<ul>
+<li>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</li>
+<li>res_stir_shaken: Test for missing semicolon in Identity header.</li>
+</ul>
+<h3>Commit Details:</h3>
+<h4>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</h4>
+<p>Author: ThatTotallyRealMyth
+  Date:   2025-06-10</p>
+<p>UpgradeNote: The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.</p>
+<p>Resolves: #GHSA-v9q8-9j8m-5xwp</p>
+<h4>res_stir_shaken: Test for missing semicolon in Identity header.</h4>
+<p>Author: George Joseph
+  Date:   2025-07-31</p>
+<p>ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
+  the Identity header to prevent a possible segfault.</p>
+<p>Resolves: #GHSA-mrq5-74j5-f5cr</p>
+</body></html>

ChangeLogs/ChangeLog-22.5.1.md

@@ -0,0 +1,86 @@
+
+## Change Log for Release asterisk-22.5.1
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.5.1.html)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/22.5.0...22.5.1)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.5.1.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+### Summary:
+
+- Commits: 2
+- Commit Authors: 2
+- Issues Resolved: 0
+- Security Advisories Resolved: 2
+  - [GHSA-mrq5-74j5-f5cr](https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr): Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
+  - [GHSA-v9q8-9j8m-5xwp](https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp): Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
+
+### User Notes:
+
+
+### Upgrade Notes:
+
+- #### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.  
+  The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.
+
+
+### Developer Notes:
+
+
+### Commit Authors:
+
+- George Joseph: (1)
+- ThatTotallyRealMyth: (1)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+  - !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
+  - !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
+
+### Commits By Author:
+
+- #### George Joseph (1):
+  - res_stir_shaken: Test for missing semicolon in Identity header.
+
+- #### ThatTotallyRealMyth (1):
+  - safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+
+
+### Commit List:
+
+-  safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+-  res_stir_shaken: Test for missing semicolon in Identity header.
+
+### Commit Details:
+
+#### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+  Author: ThatTotallyRealMyth
+  Date:   2025-06-10
+
+  UpgradeNote: The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.
+
+  Resolves: #GHSA-v9q8-9j8m-5xwp
+
+#### res_stir_shaken: Test for missing semicolon in Identity header.
+  Author: George Joseph
+  Date:   2025-07-31
+
+  ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
+  the Identity header to prevent a possible segfault.
+
+  Resolves: #GHSA-mrq5-74j5-f5cr
+

ChangeLogs/ChangeLog-22.5.2.html

@@ -0,0 +1,50 @@
+<html><head><title>ChangeLog for asterisk-22.5.2</title></head><body>
+<h2>Change Log for Release asterisk-22.5.2</h2>
+<h3>Links:</h3>
+<ul>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.5.2.html">Full ChangeLog</a>  </li>
+<li><a href="https://github.com/asterisk/asterisk/compare/22.5.1...22.5.2">GitHub Diff</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.5.2.tar.gz">Tarball</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk">Downloads</a>  </li>
+</ul>
+<h3>Summary:</h3>
+<ul>
+<li>Commits: 1</li>
+<li>Commit Authors: 1</li>
+<li>Issues Resolved: 0</li>
+<li>Security Advisories Resolved: 1</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j">GHSA-64qc-9x89-rx5j</a>: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash</li>
+</ul>
+<h3>User Notes:</h3>
+<h3>Upgrade Notes:</h3>
+<h3>Developer Notes:</h3>
+<h3>Commit Authors:</h3>
+<ul>
+<li>George Joseph: (1)</li>
+</ul>
+<h2>Issue and Commit Detail:</h2>
+<h3>Closed Issues:</h3>
+<ul>
+<li>!GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash</li>
+</ul>
+<h3>Commits By Author:</h3>
+<ul>
+<li>
+<h4>George Joseph (1):</h4>
+</li>
+<li>res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.</li>
+</ul>
+<h3>Commit List:</h3>
+<ul>
+<li>res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.</li>
+</ul>
+<h3>Commit Details:</h3>
+<h4>res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.</h4>
+<p>Author: George Joseph
+  Date:   2025-08-28</p>
+<p>In the highly-unlikely event that get_authorization_hdr() couldn't find an
+  Authorization header in a request, trying to get the digest algorithm
+  would cauase a SEGV.  We now check that we have an auth header that matches
+  the realm before trying to get the algorithm from it.</p>
+<p>Resolves: #GHSA-64qc-9x89-rx5j</p>
+</body></html>

ChangeLogs/ChangeLog-22.5.2.md

@@ -0,0 +1,60 @@
+
+## Change Log for Release asterisk-22.5.2
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.5.2.html)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/22.5.1...22.5.2)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.5.2.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+### Summary:
+
+- Commits: 1
+- Commit Authors: 1
+- Issues Resolved: 0
+- Security Advisories Resolved: 1
+  - [GHSA-64qc-9x89-rx5j](https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j): A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
+
+### User Notes:
+
+
+### Upgrade Notes:
+
+
+### Developer Notes:
+
+
+### Commit Authors:
+
+- George Joseph: (1)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+  - !GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
+
+### Commits By Author:
+
+- #### George Joseph (1):
+  - res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
+
+
+### Commit List:
+
+-  res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
+
+### Commit Details:
+
+#### res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
+  Author: George Joseph
+  Date:   2025-08-28
+
+  In the highly-unlikely event that get_authorization_hdr() couldn't find an
+  Authorization header in a request, trying to get the digest algorithm
+  would cauase a SEGV.  We now check that we have an auth header that matches
+  the realm before trying to get the algorithm from it.
+
+  Resolves: #GHSA-64qc-9x89-rx5j
+

README.html

@@ -1,4 +1,4 @@
-<html><head><title>Readme for asterisk-22.5.0</title></head><body>
+<html><head><title>Readme for asterisk-22.5.2</title></head><body>
 <h1>The Asterisk(R) Open Source PBX</h1>
 <pre><code>By Mark Spencer &lt;markster@digium.com&gt; and the Asterisk.org developer community.
 Copyright (C) 2001-2025 Sangoma Technologies Corporation and other copyright holders.
@@ -37,7 +37,7 @@ hardware.</p>
 <p>If you are updating from a previous version of Asterisk, make sure you
 read the Change Logs.</p>
 <!-- CHANGELOGS (the URL will change based on the location of this README) -->
-<p><a href="ChangeLogs/ChangeLog-22.5.0.html">Change Logs</a></p>
+<p><a href="ChangeLogs/ChangeLog-22.5.2.html">Change Logs</a></p>
 <!-- END-CHANGELOGS -->
 
 <h3>NEW INSTALLATIONS</h3>

README.md

@@ -55,7 +55,7 @@ If you are updating from a previous version of Asterisk, make sure you
 read the Change Logs.
 
 <!-- CHANGELOGS (the URL will change based on the location of this README) -->
-[Change Logs](ChangeLogs/ChangeLog-22.5.0.html)
+[Change Logs](ChangeLogs/ChangeLog-22.5.2.html)
 <!-- END-CHANGELOGS -->
 
 ### NEW INSTALLATIONS

contrib/scripts/safe_asterisk

@@ -6,7 +6,7 @@ ASTVARRUNDIR="__ASTERISK_VARRUN_DIR__"
 ASTVARLOGDIR="__ASTERISK_LOG_DIR__"
 
 CLIARGS="$*"			# Grab any args passed to safe_asterisk
-TTY=9				# TTY (if you want one) for Asterisk to run on
+#TTY=9				# TTY (if you want one) for Asterisk to run on
 CONSOLE=yes			# Whether or not you want a console
 #NOTIFY=root@localhost		# Who to notify about crashes
 #EXEC=/path/to/somescript	# Run this command if Asterisk crashes
@@ -39,6 +39,8 @@ PRIORITY=0
 message() {
 	if test -n "$TTY" && test "$TTY" != "no"; then
 		echo "$1" >/dev/${TTY}
+	else
+		echo "$1" >&2
 	fi
 	if test -n "$SYSLOG"; then
 		logger -p "${SYSLOG}.warn" -t safe_asterisk[$$] "$1"
@@ -64,7 +66,7 @@ if test `id -u` != 0; then
 	echo "Oops. I'm not root. Falling back to standard prio and file max." >&2
 	echo "This is NOT suitable for large systems." >&2
 	PRIORITY=0
-	message "safe_asterisk was started by `id -n` (uid `id -u`)."
+	message "safe_asterisk was started by `id -un` (uid `id -u`)."
 else
 	if `uname -s | grep Linux >/dev/null 2>&1`; then
 		# maximum number of open files is set to the system maximum
@@ -160,10 +162,30 @@ trap '' PIPE
 #
 
 if test -d "${ASTETCDIR}/startup.d"; then
-	for script in "${ASTETCDIR}/startup.d/"*.sh; do
-		if test -r "${script}"; then
-			. "${script}"
+	# If this script is run by root, the startup.d directory and all scripts in it
+	# must be owned by root.
+	if test `id -u` == 0; then
+		dir_owner=$(stat -c '%u' "${ASTETCDIR}/startup.d" 2>/dev/null)
+		if test "${dir_owner}" != 0 ; then
+			message "FATAL: ${ASTETCDIR}/startup.d is not owned by root"
+			exit 1
 		fi
+
+		# Check all scripts for proper ownership before sourcing any of them.
+		for script in $(find "${ASTETCDIR}/startup.d/" -name '*.sh') ; do
+			if test -r "${script}"; then
+				script_owner=$(stat -c '%u' "${script}" 2>/dev/null)
+				if test "$script_owner" != 0 ; then
+					message "FATAL: Script $(basename "$script") is not owned by root"
+					exit 1
+				fi
+			fi
+		done
+	fi
+
+	for script in $(find "${ASTETCDIR}/startup.d/" -name '*.sh') ; do
+		echo sourceing
+		. "${script}"
 	done
 fi
 

res/res_pjsip_authenticator_digest.c

@@ -184,24 +184,29 @@ static pj_status_t digest_lookup(pj_pool_t *pool,
 	const char *creds;
 	const char *auth_name = (auth ? ast_sorcery_object_get_id(auth) : "none");
 	struct pjsip_authorization_hdr *auth_hdr = get_authorization_hdr(auth_name, realm, param->rdata);
-	const pjsip_auth_algorithm *algorithm =
-		ast_sip_auth_get_algorithm_by_iana_name(&auth_hdr->credential.digest.algorithm);
+	const pjsip_auth_algorithm *algorithm = auth_hdr ?
+		ast_sip_auth_get_algorithm_by_iana_name(&auth_hdr->credential.digest.algorithm) : NULL;
 	const char *src_name = param->rdata->pkt_info.src_name;
 	SCOPE_ENTER(4, "%s:%s:"
 		" srv realm: " PJSTR_PRINTF_SPEC
 		" auth realm: %s"
-		" hdr realm: " PJSTR_PRINTF_SPEC
 		" auth user: %s"
 		" hdr user: " PJSTR_PRINTF_SPEC
-		" algorithm: " PJSTR_PRINTF_SPEC
 		"\n",
 		auth_name, src_name,
 		PJSTR_PRINTF_VAR(param->realm),
 		realm,
-		PJSTR_PRINTF_VAR(auth_hdr->credential.common.realm),
 		auth->auth_user,
-		PJSTR_PRINTF_VAR(param->acc_name),
-		PJSTR_PRINTF_VAR(algorithm->iana_name));
+		PJSTR_PRINTF_VAR(param->acc_name));
+
+	/*
+	 * If a client is responding correctly, most of the error conditions below
+	 * can't happen because we sent them the correct info in the 401 response.
+	 * However, if a client is trying to authenticate with us without
+	 * having received a challenge or if they are trying to
+	 * authenticate with a different realm or algorithm than we sent them,
+	 * we need to catch that.
+	 */
 
 	if (!auth) {
 		/* This can only happen if the auth object was not saved to thread-local storage */
@@ -209,6 +214,26 @@ static pj_status_t digest_lookup(pj_pool_t *pool,
 			auth_name, src_name);
 	}
 
+	if (auth_hdr == NULL) {
+		/*
+		 * This can only happen if the incoming request did not have an
+		 * Authorization header or the realm in the header was missing or incorrect.
+		 */
+		SCOPE_EXIT_RTN_VALUE(PJSIP_SC_FORBIDDEN,
+			"%s:%s: No Authorization header found for realm '%s'\n",
+			auth_name, src_name, realm);
+	}
+
+	if (algorithm == NULL) {
+		/*
+		 * This can only happen if the incoming request had an algorithm
+		 * we don't support.
+		 */
+		SCOPE_EXIT_RTN_VALUE(PJSIP_SC_FORBIDDEN,
+			"%s:%s: Unsupported algorithm '" PJSTR_PRINTF_SPEC "'\n",
+			auth_name, src_name, PJSTR_PRINTF_VAR(auth_hdr->credential.digest.algorithm));
+	}
+
 	if (auth->type == AST_SIP_AUTH_TYPE_ARTIFICIAL) {
 		/*
 		 * This shouldn't happen because this function can only be invoked

res/res_stir_shaken/verification.c

@@ -921,6 +921,11 @@ enum ast_stir_shaken_vs_response_code
 	}
 
 	p = strchr(ctx->identity_hdr, ';');
+	if (ast_strlen_zero(p)) {
+		SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_HEADER,
+			LOG_ERROR, "%s: Malformed identity header\n", ctx->tag);
+	}
+
 	len = p - ctx->identity_hdr + 1;
 	jwt_encoded = ast_malloc(len);
 	if (!jwt_encoded) {
@@ -931,7 +936,11 @@ enum ast_stir_shaken_vs_response_code
 	memcpy(jwt_encoded, ctx->identity_hdr, len);
 	jwt_encoded[len - 1] = '\0';
 
-	jwt_decode(&jwt, jwt_encoded, NULL, 0);
+	rc = jwt_decode(&jwt, jwt_encoded, NULL, 0);
+	if (rc != 0) {
+		SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_HEADER, "%s: %s\n",
+			ctx->tag, vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_HEADER));
+	}
 
 	ppt_header = jwt_get_header(jwt, "ppt");
 	if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_PPT)) {