Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 917463 (CVE-2023-27585) - <net-libs/pjproject-2.13.1: heap buffer overflow when parsing DNS packet
Summary: <net-libs/pjproject-2.13.1: heap buffer overflow when parsing DNS packet
Alias: CVE-2023-27585
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa? cleanup]
Depends on: 917659
  Show dependency tree
Reported: 2023-11-17 03:44 UTC by John Helmert III
Modified: 2023-11-22 19:30 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-17 03:44:56 UTC
"The vulnerability affects applications that uses PJSIP DNS resolver, e.g: in PJSUA/PJSUA2 configured via pjsua_config.nameserver or UaConfig.nameserver.

It doesn't affect PJSIP users that does not utilises PJSIP DNS resolver, i.e: one of the following:

    not configuring nameserver in PJSUA/PJSUA2 (as described above), so the library will use the OS resolver such as via getaddrinfo(), or
    using an external resolver implementation, i.e: configured using pjsip_resolver_set_ext_resolver().

Also related to GHSA-p6g5-v97c-w5q4.
(The difference is that this issue occurs when parsing RR record parse_rr(), while the issue in GHSA-p6g5-v97c-w5q4 is in parsing the query record parse_query())."

Note that there are two other vulnerabilities that are officially
fixed by upstream in 2.13.1 which we already resolved with bug 887559.

This fix is in 2.13.1, please stabilize.