Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 803614 (CVE-2021-32686) - <net-libs/pjproject-2.10-r2: DoS vulnerability (CVE-2021-32686)
Summary: <net-libs/pjproject-2.10-r2: DoS vulnerability (CVE-2021-32686)
Status: IN_PROGRESS
Alias: CVE-2021-32686
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Jaco Kroon
URL: https://github.com/pjsip/pjproject/se...
Whiteboard: B3 [glsa? cleanup]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-07-24 02:55 UTC by John Helmert III
Modified: 2022-06-15 13:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 02:55:25 UTC
CVE-2021-32686:

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.


Please bump.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:20:29 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:28:31 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:36:31 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:44:34 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:52:37 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:56:33 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:00:32 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:08:50 UTC
Package list is empty or all packages have requested keywords.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 16:24:39 UTC
Seems that the patch was backported to 2.10-r2 here:

commit 93f6d97e4bd66daa168e1790f8cb3b8086854bd1
Author: Jaco Kroon <jaco@uls.co.za>
Date:   Fri Jul 23 07:10:18 2021 +0200

    net-libs/pjproject: sec bump

    Upstream not releasing new version, so just bring in the patch to -r2.

    This addresses AST-2021-009 for

    Closes: https://bugs.gentoo.org/803440
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/21752
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

Please cleanup.
Comment 10 Jaco Kroon 2021-10-17 18:36:50 UTC
It was indeed back-ported and asterisk will not (currently) work with 2.11.1 due to library name changes.  Not been able to figure out why yet.
Comment 11 Larry the Git Cow gentoo-dev 2022-06-15 13:32:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74bc4476b50218718af7c43038176f1d69c50e61

commit 74bc4476b50218718af7c43038176f1d69c50e61
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-07-24 08:36:57 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-06-15 13:32:11 +0000

    net-libs/pjproject: Version 2.12.1.
    
    Upstream release.
    
    Remove the need for custom patches (which is still required but no
    longer applies, instead, rely on ./configure detecting openssl, we do
    depend on it, and only --disable-ssl works, passing --enable-ssl also
    effectively disables ssl).
    
    Compile tested asterisk 13, 16 and 18 (in-tree versions) against this.
    Would appreciate a double-check on this one.  One version from each is
    sufficient.
    
    Since the two libraries that were the target of parallel build failures
    are now one, I believe the parallel build issue is fixed too.
    
    Included patch for CVE-2022-31031
    
    Closes: https://bugs.gentoo.org/833765
    Closes: https://bugs.gentoo.org/817803
    Closes: https://bugs.gentoo.org/808099
    Closes: https://bugs.gentoo.org/834491
    Bug: https://bugs.gentoo.org/803614
    Bug: https://bugs.gentoo.org/765799
    Bug: https://bugs.gentoo.org/829894
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/21761
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-libs/pjproject/Manifest                        |   1 +
 .../files/pjproject-2.12.1-CVE-2022-31031.patch    |  41 +++++++
 net-libs/pjproject/pjproject-2.12.1.ebuild         | 125 +++++++++++++++++++++
 3 files changed, 167 insertions(+)