Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 249573 - net-misc/asterisk- version bump
Summary: net-misc/asterisk- version bump
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: voip herd (OBSOLETE)
Depends on:
Blocks: CVE-2008-1897 CVE-2008-3263 250748 CVE-2009-0041
  Show dependency tree
Reported: 2008-12-02 05:57 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2009-03-12 03:33 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

use external dev-libs/ilbc-rfc3951 (asterisk-1.2-ilbc.diff,588 bytes, patch)
2009-01-02 08:14 UTC, Anton Bolshakov
Details | Diff
quick ebuild without any gentoo patches (asterisk-,12.03 KB, text/plain)
2009-01-02 08:17 UTC, Anton Bolshakov

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-12-02 05:57:28 UTC
The development team has released Asterisk versions, 
1.4.23-rc2,, 1.6.1-beta3, as well as Asterisk-Addons versions 
and 1.6.1-rc2.  These releases are available for immediate download from

This update for Asterisk includes a fix for a regression introduced in 
Asterisk 1.2.30 and Asterisk and has existed in the Asterisk 1.6 
branch since release.  All releases with the exception of Asterisk 
also contain a vast assortment of bugfixes in these releases.  For a full 
list of changes, see the ChangeLogs:

Thank you for your continued support of Asterisk!
Comment 1 Jesse Adelman 2008-12-06 02:00:46 UTC
Here's the changelog:

2008-12-01  Tilghman Lesher <>

	* Asterisk released

2008-11-25 21:37 +0000 [r159245]  Tilghman Lesher <>

	* channels/chan_iax2.c: Regression fix for last security fix. Set
	  the iseqno correctly. (closes issue #13918) Reported by:
	  ffloimair Patches: 20081119__bug13918.diff.txt uploaded by
	  Corydon76 (license 14) Tested by: ffloimair

2008-08-09  Tilghman Lesher <>

	* Asterisk released

2008-08-09 15:24 +0000 [r136945]  Tilghman Lesher <>

	* include/asterisk/compat.h, include/asterisk/astobj2.h: Regression
	  fixes for Solaris

2008-07-25 15:00 +0000 [r133577]  Russell Bryant <>

	* LICENSE: Fix the IAX2 URI for calling Digium

2008-07-23  Tilghman Lesher <>

	* Asterisk released

2008-07-24 03:46 +0000 [r133360]  Tilghman Lesher <>

	* channels/chan_iax2.c: This part was not correctly patched for

2008-07-22  Russell Bryant <>

	* Asterisk 1.2.30 released

2008-07-22 21:14 +0000 [r132711]  Tilghman Lesher <>

	* configs/iax.conf.sample, channels/chan_iax2.c: Fixes for
	  AST-2008-010 and AST-2008-011

2008-06-03  Russell Bryant <>

	* Asterisk 1.2.29 released

2008-06-03 19:30 +0000 [r120109]  Joshua Colp <>

	* channels/chan_sip.c: Copy the From header into a variable so that
	  pedantic SIP handling does not try to mess with a NULL pointer.
	  (AST-2008-008) (closes issue #12607) Reported by: hooi

2008-05-30 12:49 +0000 [r119008-119237]  Russell Bryant <>

	* channels/chan_iax2.c: - Instead of only enforcing destination
	  call number checking on an ACK, check all full frames except for
	  PING and LAGRQ, which may be sent by older versions too quickly
	  to contain the destination call number. (As suggested by Tim
	  Panton on the asterisk-dev list) - Merge changes from
	  team/russell/iax2-frame-race, which prevents PING and LAGRQ from
	  being sent before the destination call number is known.

	* channels/chan_iax2.c: Merge changes from
	  team/russell/iax2-another-fix-to-the-fix As described in the
	  following post to the asterisk-dev mailing list, only enforce
	  destination call numbers when processing an ACK.

2008-05-21  Russell Bryant <>

	* Asterisk released

2008-05-08 19:14 +0000 [r115564]  Russell Bryant <>

	* channels/chan_iax2.c: Fix a race condition that bbryant just
	  found while doing some IAX2 testing. He was running Asterisk
	  trunk running IAX2 calls through a few Asterisk boxes, however,
	  the audio was extremely choppy. We looked at a packet trace and
	  saw a storm of INVAL and VNAK frames being sent from one box to
	  another. It turned out that what had happened was that one box
	  tried to send a CONTROL frame before the 3 way handshake had
	  completed. So, that frame did not include the destination call
	  number, because it didn't have it yet. Part of our recent work
	  for security issues included an additional check to ensure that
	  frames that are supposed to include the destination call number
	  have the correct one. This caused the frame to be rejected with
	  an INVAL. The frame would get retransmitted for forever, rejected
	  every time ... This race condition exists in all versions that
	  got the security changes, in theory. However, it is really only
	  likely that this would cause a problem in Asterisk trunk. There
	  was a control frame being sent (SRCUPDATE) at the _very_
	  beginning of the call, which does not exist in 1.2 or 1.4.
	  However, I am fixing all versions that could potentially be
	  affected by the introduced race condition. These changes are what
	  bbryant and I came up with to fix the issue. Instead of simply
	  dropping control frames that get sent before the handshake is
	  complete, the code attempts to wait a little while, since in most
	  cases, the handshake will complete very quickly. If it doesn't
	  complete after yielding for a little while, then the frame gets

2008-05-07 16:22 +0000 [r115511]  Russell Bryant <>

	* include/asterisk/dlinkedlists.h (removed), channels/chan_iax2.c:
	  Remove remnants of dlinkedlists. I didn't actually use them in
	  the final version of my IAX2 improvements.

2008-05-06 19:54 +0000 [r115421]  Jason Parker <>

	* contrib/scripts/ read requires an argument on
	  some non-bash shells (closes issue #12593) Reported by: bkruse
	  Patches: getilbc.sh_12593_v1.diff uploaded by bkruse (license

2008-05-05 17:53 +0000 [r115296]  Russell Bryant <>

	* Makefile, include/asterisk/astobj2.h (added), astobj2.c (added),
	  include/asterisk/dlinkedlists.h (added), channels/chan_iax2.c:
	  Merge changes from team/russell/iax2_find_callno_1.2 These
	  changes address a critical performance issue introduced in the
	  latest release. The fix for the latest security issue included a
	  change that made Asterisk randomly choose call numbers to make
	  them more difficult to guess by attackers. However, due to some
	  inefficient (this is by far, an understatement) code, when
	  Asterisk chose high call numbers, chan_iax2 became unusable after
	  just a small number of calls. On a small embedded platform, it
	  would not be able to handle a single call. On my Intel Core 2 Duo
	  @ 2.33 GHz, I couldn't run more than about 16 IAX2 channels.
	  Ouch. These changes address some performance issues of the
	  find_callno() function that have bothered me for a very long
	  time. On every incoming media frame, it iterated through every
	  possible call number trying to find a matching active call. This
	  involved a mutex lock and unlock for each call number checked.
	  So, if the random call number chosen was 20000, then every media
	  frame would cause 20000 locks and unlocks. Previously, this
	  problem was not as obvious since Asterisk always chose the lowest
	  call number it could. A second container for IAX2 pvt structs has
	  been added. It is an astobj2 hash table. When we know the remote
	  side's call number, the pvt goes into the hash table with a hash
	  value of the remote side's call number. Then, lookups for
	  incoming media frames are a very fast hash lookup instead of an
	  absolutely insane array traversal. In a quick test, I was able to
	  get more than 3600% more IAX2 channels on my machine with these

2008-04-29 12:52 +0000 [r114822]  Kevin P. Fleming <>

	* contrib/scripts/ stop script from appending
	  source code if run multiple times

2008-04-22  Russell Bryant <>

	* Asterisk 1.2.28 released

2008-04-22 22:20 +0000 [r114561]  Russell Bryant <>

	* channels/chan_iax2.c: When we receive a full frame that is
	  supposed to contain our call number, ensure that it has the
	  correct one. (closes issue #10078) (AST-2008-006)

2008-03-26 19:49 +0000 [r110869-111125]  Kevin P. Fleming <>

	* UPGRADE.txt: update UPGRADE notes to document usage of the script

	* contrib/scripts/ (added), codecs/ilbc: add a
	  script to make getting the iLBC source code simple for end users

	* codecs/ilbc/StateConstructW.h (removed), codecs/ilbc/packing.h
	  (removed), codecs/ilbc/getCBvec.c (removed),
	  codecs/ilbc/LPCdecode.c (removed), codecs/ilbc/enhancer.c
	  (removed), codecs/ilbc/lsf.c (removed), codecs/ilbc/iLBC_encode.c
	  (removed), codecs/ilbc/getCBvec.h (removed),
	  codecs/ilbc/LPCdecode.h (removed), codecs/ilbc/enhancer.h
	  (removed), codecs/ilbc/FrameClassify.c (removed),
	  codecs/ilbc/iLBC_define.h (removed), codecs/ilbc/lsf.h (removed),
	  codecs/ilbc/iLBC_encode.h (removed), codecs/ilbc/FrameClassify.h
	  (removed), codecs/ilbc/helpfun.c (removed), codecs/ilbc/doCPLC.c
	  (removed), codecs/ilbc/anaFilter.c (removed),
	  codecs/ilbc/helpfun.h (removed), codecs/ilbc/createCB.c
	  (removed), codecs/ilbc/doCPLC.h (removed),
	  codecs/ilbc/anaFilter.h (removed), UPGRADE.txt,
	  codecs/ilbc/iLBC_decode.c (removed), codecs/ilbc/constants.c
	  (removed), codecs/ilbc/createCB.h (removed),
	  codecs/ilbc/iLBC_decode.h (removed), codecs/ilbc/constants.h
	  (removed), codecs/ilbc/iCBSearch.c (removed),
	  codecs/ilbc/filter.c (removed), codecs/ilbc/gainquant.c
	  (removed), codecs/ilbc/hpInput.c (removed),
	  codecs/ilbc/hpOutput.c (removed), codecs/ilbc/iCBSearch.h
	  (removed), codecs/ilbc/filter.h (removed), codecs/ilbc/hpInput.h
	  (removed), codecs/ilbc/gainquant.h (removed),
	  codecs/ilbc/LPCencode.c (removed), codecs/ilbc/hpOutput.h
	  (removed), codecs/ilbc/StateSearchW.c (removed),
	  codecs/ilbc/LPCencode.h (removed), codecs/ilbc/StateSearchW.h
	  (removed), codecs/ilbc/iCBConstruct.c (removed),
	  codecs/ilbc/syntFilter.c (removed), codecs/ilbc/iCBConstruct.h
	  (removed), codecs/ilbc/syntFilter.h (removed),
	  codecs/ilbc/StateConstructW.c (removed), codecs/ilbc/packing.c
	  (removed): due to licensing restrictions, we cannot distribute
	  the source code for iLBC encoding and decoding... so remove it,
	  and add instructions on how the user can obtain it themselves

2008-03-20 21:53 +0000 [r110335]  Russell Bryant <>

	* channels/chan_sip.c, channels/chan_iax2.c: Fix some very broken
	  code that was introduced in 1.2.26 as a part of the security fix.
	  The dnsmgr is not appropriate here. The dnsmgr takes a pointer to
	  an address structure that a background thread continuously
	  updates. However, in these cases, a stack variable was passed.
	  That means that the dnsmgr thread would be continuously writing
	  to bogus memory.

Looking forward to a bump on this in-tree (though long deprecated) branch of Asterisk. Thanks!
Comment 2 Bruno Buss 2008-12-12 19:36:19 UTC
Should bump to because bug 250748.

Changelog for
2008-12-10  Tilghman Lesher <>

	* Asterisk released

2008-12-10 21:06 +0000 [r162868]  Tilghman Lesher <>

	* channels/chan_iax2.c: Fix for AST-2008-012

2008-12-05 20:50 +0000 [r161421]  Sean Bright <>

	* include/asterisk/astobj2.h, astobj2.c: Fix build errors on
	  FreeBSD (uint -> unsigned int). (closes issue #14006) Reported
	  by: alphaque Patches: astobj2.h-patch uploaded by alphaque
	  (license 259) (Slightly modified by seanbright)
Comment 3 Anton Bolshakov 2009-01-02 08:14:56 UTC
Created attachment 177069 [details, diff]
use external dev-libs/ilbc-rfc3951
Comment 4 Anton Bolshakov 2009-01-02 08:17:23 UTC
Created attachment 177070 [details]
quick ebuild without any gentoo patches

Need to review all previous patches, so it's disabled for now.
Comment 5 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-02-23 02:24:29 UTC
There is now (
Version bump is quite important as it should fix some security bugs.
Comment 6 Anton Bolshakov 2009-02-23 03:04:57 UTC
It seems that support for 1.2.x is over, the source code has been moved to

I would vote for marking this bug absolute, hardmasking current "stable" 1.2.x ebuild in the portage and moving on to the next version(s).

ps. just rename my ebuild and fix src path if you still want to use 1.2
Comment 7 into-the-trash-it-goes 2009-02-23 06:18:07 UTC
In response to Comment 6, I agree in principle - it is abundantly clear that the newer versions of asterisk need to make it out of the overlay ghetto and that 1.2 is destined is due for retirement and a well-earned pension. However, I personally don't think that 1.2 should be removed until:

1) All asterisk-related components of the voip overlay are rendered current
2) The ebuilds are reviewed, fully tested, subjected to QA procedures and committed to the portage tree

As this is presumably not going to happen overnight, I think that it would be in our best interests to have the final 1.2 release committed and the older versions removed. We should assume that some users have it operational in production, in which case we would do well to be supportive of their immediate needs. Not to mention that having security bugs drag out is never a good thing.

Although I use 1.4, I will try to allocate some time to test the revised 1.2 ebuild during the week ahead.
Comment 8 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-03-12 03:33:53 UTC
chainsaw added net-misc/asterisk- to the tree.

+*asterisk- (11 Mar 2009)
+  11 Mar 2009; <>
+  +files/1.2.0/asterisk-,
+  +files/1.2.0/asterisk-,
+  +files/1.2.0/asterisk-, +asterisk-
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.