
Bug 887559 (CVE-2022-23537, CVE-2022-23547)

Summary: <net-libs/pjproject-2.13-r1: heap buffer overread
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Jaco Kroon <jaco>
Status: RESOLVED FIXED    
Severity: minor CC: jaco, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
See Also: https://github.com/gentoo/gentoo/pull/30088
https://github.com/gentoo/gentoo/pull/31056
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 906057    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-20 21:42:23 UTC
CVE-2022-23537:

PJSIP is a free and open source multimedia communication library written in the C language, implementing standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. A buffer overread is possible when parsing a specially crafted STUN message with an unknown attribute. The vulnerability affects applications that use STUN, including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1).

The GHSA severity is "critical", unclear what's critical about a buffer overread.

Unreleased patch: https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-23 21:57:39 UTC
CVE-2022-23547 (https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr)
https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36

PJSIP is a free and open source multimedia communication library written in the C language, implementing standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. A buffer overread is possible when parsing a certain STUN message. The vulnerability affects applications that use STUN, including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch.
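
Added example, not part of this bug report and not pjproject code: a bounds-checked walk over STUN attribute TLVs, showing the length checks that keep a decoder from reading past the received message when an attribute (known or unknown) declares more data than is present. It assumes the RFC 5389 layout (20-byte header, 4-byte attribute header, values padded to 4 bytes); `stun_count_attrs` and both sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STUN_HDR_LEN 20u          /* type(2) length(2) magic(4) transaction id(12) */
#define STUN_MAGIC   0x2112A442u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the attribute TLVs; return their count, or -1 if any length field
 * claims more bytes than were actually received. */
int stun_count_attrs(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < STUN_HDR_LEN || (pkt[0] & 0xC0)) return -1;
    if ((((uint32_t)rd16(pkt + 4) << 16) | rd16(pkt + 6)) != STUN_MAGIC) return -1;
    size_t body = rd16(pkt + 2);
    if (body % 4 != 0 || body > len - STUN_HDR_LEN) return -1;

    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + body;
    int count = 0;
    while (off < end) {
        if (end - off < 4) return -1;               /* no room for an attribute header */
        size_t padded = ((size_t)rd16(pkt + off + 2) + 3u) & ~(size_t)3u;
        off += 4;
        if (padded > end - off) return -1;          /* value would run past the message */
        off += padded;                              /* unknown types are skipped, never read */
        count++;
    }
    return count;
}

/* Constructed sample: Binding Request with one unknown attribute (type 0x7F00, 3 bytes + pad). */
static const uint8_t ok_msg[28] = {
    0x00,0x01, 0x00,0x08, 0x21,0x12,0xA4,0x42, 1,2,3,4,5,6,7,8,9,10,11,12,
    0x7F,0x00, 0x00,0x03, 'a','b','c',0x00 };
/* Constructed sample: same header, but the attribute declares 64 bytes of value. */
static const uint8_t bad_msg[28] = {
    0x00,0x01, 0x00,0x08, 0x21,0x12,0xA4,0x42, 1,2,3,4,5,6,7,8,9,10,11,12,
    0x7F,0x00, 0x00,0x40, 'a','b','c',0x00 };

int main(void)
{
    printf("ok_msg:  %d\n", stun_count_attrs(ok_msg, sizeof ok_msg));
    printf("bad_msg: %d\n", stun_count_attrs(bad_msg, sizeof bad_msg));
    return 0;
}
```
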
Comment 2 Jaco Kroon 2023-03-13 06:41:56 UTC
I guess that depends on what you use that data for ... asterisk uses STUN potentially, simple workaround (which in general I recommend, but not always possible) is to not use STUN.  Technically you need STUN for ICE which you need for WebRTC, but it's possible to configure your way around that.

Both advisories reference a release 2.13.1 which I can't seem to locate at all.
Comment 3 Larry the Git Cow gentoo-dev 2023-04-05 12:00:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0697e55a6fa27051a99aa59fde8b5716c022696e

commit 0697e55a6fa27051a99aa59fde8b5716c022696e
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2023-03-13 06:54:28 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-04-05 11:56:14 +0000

    net-libs/pjproject: Add 2.13-r1
    
    Bug: https://bugs.gentoo.org/887559
    Closes: https://bugs.gentoo.org/888879
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/30088
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 ...3537-buffer-overread-on-STUN-error-decode.patch |  95 ++++++++++++++
 ...2022-23547-buffer-overread-on-STUN-decode.patch |  50 ++++++++
 ...NOTIFY-tdata-is-set-before-sending-it_new.patch |  46 +++++++
 net-libs/pjproject/pjproject-2.13-r1.ebuild        | 142 +++++++++++++++++++++
 4 files changed, 333 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 03:59:20 UTC
Thanks! Please stabilize when ready.
Comment 5 Jaco Kroon 2023-05-16 10:17:43 UTC
May/Should I re-assign to security@ given that there is nothing further on this I can contribute?
Comment 6 Larry the Git Cow gentoo-dev 2023-05-18 05:00:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8686b210bccaafa6e98ee6a4e4578d82bb47ff97

commit 8686b210bccaafa6e98ee6a4e4578d82bb47ff97
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2023-05-16 10:27:52 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-18 04:56:39 +0000

    net-libs/pjproject: drop 2.12.1-r2, 2.13
    
    Bug: https://bugs.gentoo.org/887559
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-libs/pjproject/Manifest                   |   1 -
 net-libs/pjproject/pjproject-2.12.1-r2.ebuild | 144 --------------------------
 net-libs/pjproject/pjproject-2.13.ebuild      | 139 -------------------------
 3 files changed, 284 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-18 05:05:00 UTC
Thanks, only overread so no GLSA. All done!