"The vulnerability affects applications that uses PJSIP DNS resolver, e.g: in PJSUA/PJSUA2 configured via pjsua_config.nameserver or UaConfig.nameserver. It doesn't affect PJSIP users that does not utilises PJSIP DNS resolver, i.e: one of the following: not configuring nameserver in PJSUA/PJSUA2 (as described above), so the library will use the OS resolver such as via getaddrinfo(), or using an external resolver implementation, i.e: configured using pjsip_resolver_set_ext_resolver(). Also related to GHSA-p6g5-v97c-w5q4. (The difference is that this issue occurs when parsing RR record parse_rr(), while the issue in GHSA-p6g5-v97c-w5q4 is in parsing the query record parse_query())." Note that there are two other vulnerabilities that are officially fixed by upstream in 2.13.1 which we already resolved with bug 887559. This fix is in 2.13.1, please stabilize.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c0d221f307147d6e10c6f7292b4607f41d713ba4

commit c0d221f307147d6e10c6f7292b4607f41d713ba4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:00:29 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:00:37 +0000

    [ GLSA 202409-05 ] PJSIP: Heap Buffer Overflow

    Bug: https://bugs.gentoo.org/917463
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-05.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)