Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 917463 (CVE-2023-27585)

Summary: <net-libs/pjproject-2.13.1: heap buffer overflow when parsing DNS packet
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: jaco, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr
Whiteboard: B2 [glsa+ cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 917659    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-17 03:44:56 UTC
"The vulnerability affects applications that uses PJSIP DNS resolver, e.g: in PJSUA/PJSUA2 configured via pjsua_config.nameserver or UaConfig.nameserver.

It doesn't affect PJSIP users that does not utilises PJSIP DNS resolver, i.e: one of the following:

    not configuring nameserver in PJSUA/PJSUA2 (as described above), so the library will use the OS resolver such as via getaddrinfo(), or
    using an external resolver implementation, i.e: configured using pjsip_resolver_set_ext_resolver().

Also related to GHSA-p6g5-v97c-w5q4.
(The difference is that this issue occurs when parsing RR record parse_rr(), while the issue in GHSA-p6g5-v97c-w5q4 is in parsing the query record parse_query())."

Note that there are two other vulnerabilities that are officially
fixed by upstream in 2.13.1 which we already resolved with bug 887559.

This fix is in 2.13.1, please stabilize.
Comment 1 Larry the Git Cow gentoo-dev 2024-09-22 06:00:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c0d221f307147d6e10c6f7292b4607f41d713ba4

commit c0d221f307147d6e10c6f7292b4607f41d713ba4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:00:29 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:00:37 +0000

    [ GLSA 202409-05 ] PJSIP: Heap Buffer Overflow
    
    Bug: https://bugs.gentoo.org/917463
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-05.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)