Bug 775359 (CVE-2020-15260, CVE-2021-21375) - <net-libs/pjproject-2.10-r1: Multiple vulnerabilities (CVE-2020-{15260,21375})
Summary: <net-libs/pjproject-2.10-r1: Multiple vulnerabilities (CVE-2020-{15260,21375})
Status: RESOLVED FIXED
Alias: CVE-2020-15260, CVE-2021-21375
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-03-11 06:36 UTC by Sam James
Modified: 2021-07-20 04:04 UTC
See Also:
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2021-03-11 06:36:23 UTC
* CVE-2020-15260

Description:
"PJSIP transports can be reused if they have the same IP address + port + protocol. However, this is insufficient for secure transport since it lacks remote hostname authentication.

Suppose we have created a TLS connection to `sip.foo.com`, which has an IP address `100.1.1.1`. If we want to create a TLS connection to another hostname, say `sip.bar.com`, which has the same IP address, then it will reuse that existing connection, even though `100.1.1.1` does not have a certificate to authenticate as `sip.bar.com`.

The vulnerability allows for an insecure interaction without user awareness. It affects users who need access to connections to different destinations that translate to the same address, and allows a man-in-the-middle attack if an attacker can route a connection to another destination, such as in the case of DNS spoofing."

Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-8hcp-hm38-mfph

* CVE-2021-21375

Description:
"In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This results in a denial of service."

Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp
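The transport-reuse flaw behind CVE-2020-15260 is easiest to see as a lookup-key problem. The following is an added illustration written for this bug, not code from pjproject or from the Gentoo patch: a toy in-memory transport pool with two lookups, one keyed only on protocol + IP + port (the vulnerable pattern described above) and one that additionally requires the hostname the TLS peer certificate was verified against (the property the hostname-check patch restores). The pool structure, function names and the sample addresses (`100.1.1.1`, `sip.foo.com`, `sip.bar.com`, port 5061) are constructed for the demonstration.

```c
/* Added example (not pjproject code): a minimal model of a SIP transport
 * pool showing why reuse keyed on (protocol, IP, port) alone is unsafe for
 * TLS, and how adding the verified remote hostname to the key fixes it.
 * Pool layout, names and sample addresses are assumptions for this demo. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: hostnames compare case-insensitively */
#include <stdbool.h>

#define MAX_TRANSPORTS 8

enum proto { PROTO_UDP, PROTO_TCP, PROTO_TLS };

struct transport {
    bool in_use;
    enum proto proto;
    char ip[64];
    unsigned short port;
    /* For TLS: the remote hostname the peer certificate was verified
     * against when the connection was opened. Empty for UDP/TCP. */
    char hostname[256];
};

static struct transport pool[MAX_TRANSPORTS];   /* constructed in-memory pool */

void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Record a newly opened transport; returns NULL when the pool is full. */
struct transport *add_transport(enum proto proto, const char *ip,
                                unsigned short port, const char *hostname)
{
    for (int i = 0; i < MAX_TRANSPORTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = true;
        pool[i].proto = proto;
        snprintf(pool[i].ip, sizeof pool[i].ip, "%s", ip);
        pool[i].port = port;
        snprintf(pool[i].hostname, sizeof pool[i].hostname, "%s",
                 (proto == PROTO_TLS && hostname) ? hostname : "");
        return &pool[i];
    }
    return NULL;
}

/* Vulnerable lookup (the CVE-2020-15260 pattern): reuse is decided on
 * protocol + IP + port only, so a TLS connection verified for one name is
 * handed to a request for a different name at the same address. */
struct transport *find_transport_by_addr(enum proto proto, const char *ip,
                                         unsigned short port)
{
    for (int i = 0; i < MAX_TRANSPORTS; i++) {
        struct transport *t = &pool[i];
        if (t->in_use && t->proto == proto && t->port == port &&
            strcmp(t->ip, ip) == 0)
            return t;
    }
    return NULL;
}

/* Hardened lookup: for TLS the verified hostname is part of the reuse key,
 * so a different name gets a fresh connection and its own certificate check. */
struct transport *find_transport_hostname_aware(enum proto proto, const char *ip,
                                                unsigned short port,
                                                const char *hostname)
{
    for (int i = 0; i < MAX_TRANSPORTS; i++) {
        struct transport *t = &pool[i];
        if (!t->in_use || t->proto != proto || t->port != port ||
            strcmp(t->ip, ip) != 0)
            continue;
        if (proto == PROTO_TLS &&
            (hostname == NULL || strcasecmp(t->hostname, hostname) != 0))
            continue;   /* same address, different identity: do not reuse */
        return t;
    }
    return NULL;
}

/* Scenario from the advisory: sip.foo.com and sip.bar.com share 100.1.1.1.
 * Returns 1 when the vulnerable lookup reuses the foo connection for bar
 * while the hardened lookup refuses to, 0 otherwise. Leaves the pool
 * populated so callers can run further lookups against it. */
int run_scenario(void)
{
    pool_reset();
    add_transport(PROTO_TLS, "100.1.1.1", 5061, "sip.foo.com");

    bool vuln_reuses = find_transport_by_addr(PROTO_TLS, "100.1.1.1", 5061) != NULL;
    bool hard_reuses = find_transport_hostname_aware(PROTO_TLS, "100.1.1.1", 5061,
                                                     "sip.bar.com") != NULL;
    return (vuln_reuses && !hard_reuses) ? 1 : 0;
}

int main(void)
{
    printf("vulnerable lookup reuses across hostnames, hardened one does not: %s\n",
           run_scenario() ? "yes" : "no");
    return 0;
}
```

The hardened lookup deliberately treats a missing hostname on a TLS request as "no match": a caller that cannot say which name it expects must not inherit a connection that was verified for some other name. For UDP and TCP, where no certificate identity exists, the extra key component is skipped and behaviour is unchanged.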
Comment 1 Larry the Git Cow gentoo-dev 2021-03-11 08:27:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69e63f7c831f2a585cd34cb74a3f8bbff901f798

commit 69e63f7c831f2a585cd34cb74a3f8bbff901f798
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-11 07:34:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 08:19:44 +0000

    net-libs/pjproject: security rev bump to 2.10-r1
    
    Upstream didn't release a new version as one would expect. Instead
    patches are applied locally.
    
    Also add subslot because they are equally good at maintaining ABI
    compatibility, and SONAME is never updated, thus we need to be able to
    depend on subslots to rebuild (preserved-rebuild is no good).
    
    Bug: https://bugs.gentoo.org/775359
    Bug: https://bugs.gentoo.org/775353
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/19876
    Signed-off-by: Sam James <sam@gentoo.org>

 ...ct-2.10-CVE-2020-15260-tls-hostname-check.patch | 125 +++++++++++++++++++++
 ...-CVE-2021-21375-negotiation-failure-crash.patch |  45 ++++++++
 ...ion-between-transport-destroy-and-acquire.patch | 108 ++++++++++++++++++
 net-libs/pjproject/pjproject-2.10-r1.ebuild        | 125 +++++++++++++++++++++
 4 files changed, 403 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2021-03-11 08:27:52 UTC
Please stable when ready.
Comment 3 Sam James archtester gentoo-dev Security 2021-03-12 18:32:43 UTC
amd64 done
Comment 4 Sam James archtester gentoo-dev Security 2021-03-14 01:28:29 UTC
x86 done

all arches done
Comment 5 John Helmert III gentoo-dev Security 2021-03-15 14:05:38 UTC
Please cleanup.
Comment 6 Larry the Git Cow gentoo-dev 2021-03-15 19:20:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=627a5846c40c46660578365824ff1c3fedd161d0

commit 627a5846c40c46660578365824ff1c3fedd161d0
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-15 19:20:05 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-03-15 19:20:05 +0000

    net-libs/pjproject: security cleanup
    
    Bug: https://bugs.gentoo.org/775359
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/19939
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-libs/pjproject/Manifest                  |   2 -
 net-libs/pjproject/metadata.xml              |   4 +-
 net-libs/pjproject/pjproject-2.10.ebuild     | 123 ---------------------------
 net-libs/pjproject/pjproject-2.7.2-r2.ebuild | 117 -------------------------
 net-libs/pjproject/pjproject-2.9-r2.ebuild   | 123 ---------------------------
 5 files changed, 2 insertions(+), 367 deletions(-)
Comment 7 John Helmert III gentoo-dev Security 2021-03-15 19:21:01 UTC
Thanks!
Comment 8 John Helmert III gentoo-dev Security 2021-07-18 00:23:22 UTC
Request filed
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2021-07-20 04:04:23 UTC
This issue was resolved and addressed in
 GLSA 202107-42 at https://security.gentoo.org/glsa/202107-42
by GLSA coordinator John Helmert III (ajak).