
Bug 803614 (CVE-2021-32686)

Summary: <net-libs/pjproject-2.10-r2: DoS vulnerability (CVE-2021-32686)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: jaco, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
See Also: https://github.com/gentoo/gentoo/pull/21761
https://bugs.gentoo.org/show_bug.cgi?id=875863
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 02:55:25 UTC
CVE-2021-32686:

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.


Please bump.
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:08:50 UTC
Package list is empty or all packages have requested keywords.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 16:24:39 UTC
Seems that the patch was backported to 2.10-r2 here:

commit 93f6d97e4bd66daa168e1790f8cb3b8086854bd1
Author: Jaco Kroon <jaco@uls.co.za>
Date:   Fri Jul 23 07:10:18 2021 +0200

    net-libs/pjproject: sec bump

    Upstream not releasing new version, so just bring in the patch to -r2.

    This addresses AST-2021-009 for

    Closes: https://bugs.gentoo.org/803440
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/21752
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

Please cleanup.
Comment 10 Jaco Kroon 2021-10-17 18:36:50 UTC
It was indeed back-ported and asterisk will not (currently) work with 2.11.1 due to library name changes.  Not been able to figure out why yet.
Comment 11 Larry the Git Cow gentoo-dev 2022-06-15 13:32:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74bc4476b50218718af7c43038176f1d69c50e61

commit 74bc4476b50218718af7c43038176f1d69c50e61
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-07-24 08:36:57 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-06-15 13:32:11 +0000

    net-libs/pjproject: Version 2.12.1.
    
    Upstream release.
    
    Remove the need for custom patches (which is still required but no
    longer applies, instead, rely on ./configure detecting openssl, we do
    depend on it, and only --disable-ssl works, passing --enable-ssl also
    effectively disables ssl).
    
    Compile tested asterisk 13, 16 and 18 (in-tree versions) against this.
    Would appreciate a double-check on this one.  One version from each is
    sufficient.
    
    Since the two libraries that were the target of parallel build failures
    are now one, I believe the parallel build issue is fixed too.
    
    Included patch for CVE-2022-31031
    
    Closes: https://bugs.gentoo.org/833765
    Closes: https://bugs.gentoo.org/817803
    Closes: https://bugs.gentoo.org/808099
    Closes: https://bugs.gentoo.org/834491
    Bug: https://bugs.gentoo.org/803614
    Bug: https://bugs.gentoo.org/765799
    Bug: https://bugs.gentoo.org/829894
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/21761
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-libs/pjproject/Manifest                        |   1 +
 .../files/pjproject-2.12.1-CVE-2022-31031.patch    |  41 +++++++
 net-libs/pjproject/pjproject-2.12.1.ebuild         | 125 +++++++++++++++++++++
 3 files changed, 167 insertions(+)
Comment 12 Jaco Kroon 2022-07-13 08:09:07 UTC
https://bugs.gentoo.org/829894
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 15:26:48 UTC
GLSA request filed
Comment 14 Larry the Git Cow gentoo-dev 2022-10-31 20:26:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5cbf3d86fb2bca0fdeb9214550c2f68d0bcb7467

commit 5cbf3d86fb2bca0fdeb9214550c2f68d0bcb7467
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:22:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:50 +0000

    [ GLSA 202210-37 ] PJSIP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803614
    Bug: https://bugs.gentoo.org/829894
    Bug: https://bugs.gentoo.org/875863
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-37.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:27:22 UTC
GLSA released, all done!