| Summary: | <net-libs/pjproject-2.13.1: heap buffer overflow when parsing DNS packet | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | jaco, proxy-maint |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr | ||
| Whiteboard: | B2 [glsa cleanup] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 917659 | ||
| Bug Blocks: | |||
"The vulnerability affects applications that uses PJSIP DNS resolver, e.g: in PJSUA/PJSUA2 configured via pjsua_config.nameserver or UaConfig.nameserver. It doesn't affect PJSIP users that does not utilises PJSIP DNS resolver, i.e: one of the following: not configuring nameserver in PJSUA/PJSUA2 (as described above), so the library will use the OS resolver such as via getaddrinfo(), or using an external resolver implementation, i.e: configured using pjsip_resolver_set_ext_resolver(). Also related to GHSA-p6g5-v97c-w5q4. (The difference is that this issue occurs when parsing RR record parse_rr(), while the issue in GHSA-p6g5-v97c-w5q4 is in parsing the query record parse_query())." Note that there are two other vulnerabilities that are officially fixed by upstream in 2.13.1 which we already resolved with bug 887559. This fix is in 2.13.1, please stabilize.