[SECURITY] [DLA 3887-1] ring security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3887-1] ring security update
From: Roberto C. Sánchez <roberto@debian.org>
Date: Sat, 14 Sep 2024 21:13:40 -0400
Message-id: <[🔎] ZuY0xM_gEF7KHo5U@localhost>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3887-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Roberto C. Sánchez
September 14, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ring
Version        : 20210112.2.b757bac~ds1-1+deb11u1
CVE ID         : CVE-2021-32686 CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 
                 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 
                 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723 CVE-2022-23537 
                 CVE-2022-23547 CVE-2022-23608 CVE-2022-24754 CVE-2022-24763 
                 CVE-2022-24764 CVE-2022-24793 CVE-2022-31031 CVE-2022-39244 
                 CVE-2023-27585

Multiple vulnerabilities were found to affect ring, a secure and
distributed voice, video, and chat platform.

CVE-2021-32686

    The embedded copy of pjproject is affected by this CVE.
    A race condition between callback and destroy, due to the accepted socket
    having no group lock. Additionally, the SSL socket parent/listener may get
    destroyed during handshake. Both issues were reported to happen
    intermittently in heavy load TLS connections. They cause a crash, resulting
    in a denial of service.

CVE-2021-37706

    The embedded copy of pjproject is affected by this CVE.
    If the incoming STUN message contains an ERROR-CODE attribute, the header
    length is not checked before performing a subtraction operation, potentially
    resulting in an integer underflow scenario. This issue affects all users
    that use STUN. A malicious actor located within the victim's network may
    forge and send a specially crafted UDP (STUN) message that could remotely
    execute arbitrary code on the victim’s machine.

CVE-2021-43299

    The embedded copy of pjproject is affected by these CVEs.
    An attacker-controlled 'filename' argument may cause a buffer overflow since
    it is copied to a fixed-size stack buffer without any size validation.

CVE-2021-43300

    The embedded copy of pjproject is affected by these CVEs.
    An attacker-controlled 'filename' argument may cause a buffer overflow since
    it is copied to a fixed-size stack buffer without any size validation.

CVE-2021-43301

    The embedded copy of pjproject is affected by these CVEs.
    An attacker-controlled 'filename' argument may cause a buffer overflow since
    it is copied to a fixed-size stack buffer without any size validation.

CVE-2021-43302

    The embedded copy of pjproject is affected by these CVEs.
    An attacker-controlled 'filename' argument may cause a buffer overflow since
    it is copied to a fixed-size stack buffer without any size validation.

CVE-2021-43303

    The embedded copy of pjproject is affected by these CVEs.
    An attacker-controlled 'filename' argument may cause a buffer overflow since
    it is copied to a fixed-size stack buffer without any size validation.

CVE-2021-43804

    The embedded copy of pjproject is affected by this CVE.
    In affected versions if the incoming RTCP BYE message contains a reason's
    length, this declared length is not checked against the actual received
    packet size, potentially resulting in an out-of-bound read access.

CVE-2021-43845

    The embedded copy of pjproject is affected by this CVE.
    If incoming RTCP XR message contain block, the data field is not checked
    against the received packet size, potentially resulting in an out-of-bound
    read access.

CVE-2022-21722

    The embedded copy of pjproject is affected by this CVE.
    There are various cases where it is possible that certain incoming RTP/RTCP
    packets can potentially cause out-of-bound read access.

CVE-2022-21723

    The embedded copy of pjproject is affected by this CVE.
    Parsing an incoming SIP message that contains a malformed multipart can
    potentially cause out-of-bound read access.

CVE-2022-23537

    The embedded copy of pjproject is affected by this CVE.
    Buffer overread is possible when parsing a specially crafted STUN message
    with unknown attribute.

CVE-2022-23547

    The embedded copy of pjproject is affected by this CVE.
    Possible buffer overread when parsing a certain STUN message.

CVE-2022-23608

    The embedded copy of pjproject is affected by this CVE.
    When in a dialog set (or forking) scenario, a hash key shared by multiple
    UAC dialogs can potentially be prematurely freed when one of the dialogs is
    destroyed . The issue may cause a dialog set to be registered in the hash
    table multiple times (with different hash keys) leading to undefined
    behavior such as dialog list collision which eventually leading to endless
    loop.

CVE-2022-24754

    The embedded copy of pjproject is affected by this CVE.
    There is a stack-buffer overflow vulnerability which only impacts PJSIP
    users who accept hashed digest credentials (credentials with data_type
    `PJSIP_CRED_DATA_DIGEST`).

CVE-2022-24763

    The embedded copy of pjproject is affected by this CVE.
    A denial-of-service vulnerability affects PJSIP users that consume PJSIP's
    XML parsing in their apps.

CVE-2022-24764

    The embedded copy of pjproject is affected by this CVE.
    A stack buffer overflow vulnerability affects PJSUA2 users or users that
    call the API `pjmedia_sdp_print(), pjmedia_sdp_media_print()`.

CVE-2022-24793

    The embedded copy of pjproject is affected by this CVE.
    A buffer overflow vulnerability in affects applications that use PJSIP DNS
    resolution.

CVE-2022-31031

    The embedded copy of pjproject is affected by this CVE.
    A stack buffer overflow vulnerability affects PJSIP users that use STUN in
    their applications, either by: setting a STUN server in their account/media
    config in PJSUA/PJSUA2 level, or directly using `pjlib-util/stun_simple`
    API.

CVE-2022-39244

    The embedded copy of pjproject is affected by this CVE.
    The PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affeced
    by a buffer overflow vulnerability. Users connecting to untrusted clients
    are at risk.

CVE-2023-27585

    The embedded copy of pjproject is affected by this CVE.
    A buffer overflow vulnerability affects applications that use PJSIP DNS
    resolver.

For Debian 11 bullseye, these problems have been fixed in version
20210112.2.b757bac~ds1-1+deb11u1.

We recommend that you upgrade your ring packages.

For the detailed security status of ring please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ring

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 3886-1] nodejs security update
Next by Date: [SECURITY] [DLA 3888-1] php-twig security update
Previous by thread: [SECURITY] [DLA 3886-1] nodejs security update
Next by thread: [SECURITY] [DLA 3888-1] php-twig security update
Index(es):
- Date
- Thread