Bug 875863 (CVE-2022-39244, CVE-2022-39269) - <net-libs/pjproject-2.12.1-r2: multiple vulnerabilities
Summary: <net-libs/pjproject-2.12.1-r2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-39244, CVE-2022-39269
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa+]
Keywords: PullRequest
Depends on: 878241
Blocks:
Reported: 2022-10-07 13:22 UTC by John Helmert III
Modified: 2022-10-31 20:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-07 13:22:57 UTC
CVE-2022-39269 (https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg):
https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc

PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.

CVE-2022-39244 (https://github.com/pjsip/pjproject/security/advisories/GHSA-fq45-m3f7-3mhj):
https://github.com/pjsip/pjproject/commit/c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae

PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users are advised to upgrade. There are no known workarounds for this issue.
Comment 1 Larry the Git Cow gentoo-dev 2022-10-12 23:32:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9190173b8ee7cf9ee818ad61aebc841f11fa834f

commit 9190173b8ee7cf9ee818ad61aebc841f11fa834f
Author:     orbea <orbea@riseup.net>
AuthorDate: 2022-10-07 19:10:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-12 23:22:50 +0000

    net-libs/pjproject: Add 2.12.1-r2
    
    * Fixes the build with musl
    * Fixes a bashism
    * Backports two CVE fix patches
    
    Closes: https://bugs.gentoo.org/865719
    Upstream-PR: https://github.com/pjsip/pjproject/pull/3220
    Upstream-Commit: https://github.com/pjsip/pjproject/commit/bae7e5f4ff9047170e7e160ab52f6d9993aeae80
    Bug: https://bugs.gentoo.org/875863
    Upstream-Commit: https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc
    Upstream-Commit: https://github.com/pjsip/pjproject/commit/c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae
    Closes: https://bugs.gentoo.org/867343
    Upstream-PR: https://github.com/pjsip/pjproject/pull/3263
    Signed-off-by: orbea <orbea@riseup.net>
    Closes: https://github.com/gentoo/gentoo/pull/27677
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/pjproject-2.12.1-r2-CVE-2022-39244.patch | 306 +++++++++++++++++++++
 .../files/pjproject-2.12.1-r2-CVE-2022-39269.patch |  33 +++
 .../files/pjproject-2.12.1-r2-bashism.patch        |  44 +++
 .../pjproject/files/pjproject-2.12.1-r2-musl.patch | 102 +++++++
 net-libs/pjproject/pjproject-2.12.1-r2.ebuild      | 144 ++++++++++
 5 files changed, 629 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-24 22:23:46 UTC
Please stable when ready, thanks! Sorry for missing.

I guess we'll need to CC security@ on security bugs when we're not assigned.
Comment 3 Jaco Kroon 2022-10-25 09:26:20 UTC
Hi All,

Sorry for all the noise (adding multiple URLs seems to be messy).

Figured I'd link everything that potentially relates.  There are two older security bugs which have also not been GLSA'd, I'd recommend just issuing one big GLSA for the whole lot, but I'm not part of the security team, so don't know what the policies are.

The depends on is the stable bug, so once that's happy we can progress with all of this.

Kind Regards,
Jaco
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-27 16:39:42 UTC
Please cleanup.
Comment 5 Larry the Git Cow gentoo-dev 2022-10-30 02:58:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f0a8066cec1e9356367684a5dffb808f0be6ac8

commit 2f0a8066cec1e9356367684a5dffb808f0be6ac8
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-10-27 19:44:42 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-30 02:57:47 +0000

    net-libs/pjproject: drop 2.12.1-r1
    
    Bug: https://bugs.gentoo.org/875863
    
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/27992
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-libs/pjproject/pjproject-2.12.1-r1.ebuild | 140 --------------------------
 1 file changed, 140 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 15:26:39 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-10-31 20:26:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5cbf3d86fb2bca0fdeb9214550c2f68d0bcb7467

commit 5cbf3d86fb2bca0fdeb9214550c2f68d0bcb7467
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:22:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:50 +0000

    [ GLSA 202210-37 ] PJSIP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803614
    Bug: https://bugs.gentoo.org/829894
    Bug: https://bugs.gentoo.org/875863
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-37.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:27:09 UTC
GLSA released, all done!