917613 – (CVE-2023-38703) net-libs/pjproject: UAF in SRTP media transport

Bug 917613 (CVE-2023-38703) - net-libs/pjproject: UAF in SRTP media transport

Summary: net-libs/pjproject: UAF in SRTP media transport

Status:	CONFIRMED

Alias:	CVE-2023-38703

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/pjsip/pjproject/se...
Whiteboard:	B2 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2023-11-20 03:13 UTC by John Helmert III
Modified:	2023-11-20 03:13 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-11-20 03:13:42 UTC

CVE-2023-38703:

PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport that may introduce use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other than UDP. This vulnerability’s impact may range from unexpected application termination to control flow hijack/memory corruption. The patch is available as a commit in the master branch.

Fix is in 2.14, please bump.