
Re: [SECURITY] [DLA 2962-1] pjproject security update
Hello,

we upgraded to 2.5.5~dfsg-6+deb9u3 and we're seeing crashes in
Asterisk. It seems the patch for CVE-2022-23608 is faulty. In your
patch, the hash table key is assigned twice in hunk #2 but not in hunk
#4.
Please see attached patch CVE-2022-23608_fixed.patch.

Thanks for your effort.

Regards,
Bastian

On Mon, Mar 28, 2022 at 4:59 PM Abhijith PA <abhijith@debian.org> wrote:
>
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-2962-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                          Abhijith PA
> March 28, 2022                                https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package        : pjproject
> Version        : 2.5.5~dfsg-6+deb9u3
> CVE ID         : CVE-2021-32686 CVE-2021-37706 CVE-2021-41141 CVE-2021-43299
>                  CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303
>                  CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723
>                  CVE-2022-23608 CVE-2022-24754 CVE-2022-24764
>
> Multiple security issues were discovered in pjproject, a free and
> open source multimedia communication library.
>
> CVE-2021-32686
>
>     A race condition between callback and destroy, due to the accepted
>     socket having no group lock. Second, the SSL socket
>     parent/listener may get destroyed during handshake. They cause a
>     crash, resulting in a denial of service.
>
> CVE-2021-37706
>
>     When an incoming STUN message contains an ERROR-CODE attribute, the
>     header length is not checked before performing a subtraction
>     operation, potentially resulting in an integer underflow scenario.
>     This issue affects all users that use STUN. A malicious actor
>     located within the victim's network may forge and send a specially
>     crafted UDP (STUN) message that could remotely execute arbitrary
>     code on the victim's machine.
>
> CVE-2021-41141
>
>     In various parts of PJSIP, when an error/failure occurs, it is found
>     that the function returns without releasing the currently held
>     locks. This could result in a system deadlock, which causes a
>     denial of service for the users.
>
> CVE-2021-43299
>
>     Stack overflow in PJSUA API when calling pjsua_player_create. An
>     attacker-controlled 'filename' argument may cause a buffer
>     overflow since it is copied to a fixed-size stack buffer without
>     any size validation.
>
> CVE-2021-43300
>
>     Stack overflow in PJSUA API when calling pjsua_recorder_create. An
>     attacker-controlled 'filename' argument may cause a buffer
>     overflow since it is copied to a fixed-size stack buffer without
>     any size validation.
>
> CVE-2021-43301
>
>     Stack overflow in PJSUA API when calling pjsua_playlist_create. An
>     attacker-controlled 'file_names' argument may cause a buffer
>     overflow since it is copied to a fixed-size stack buffer without
>     any size validation.
>
> CVE-2021-43302
>
>     Read out-of-bounds in PJSUA API when calling
>     pjsua_recorder_create. An attacker-controlled 'filename' argument
>     may cause an out-of-bounds read when the filename is shorter than
>     4 characters.
>
> CVE-2021-43303
>
>     Buffer overflow in PJSUA API when calling pjsua_call_dump. An
>     attacker-controlled 'buffer' argument may cause a buffer overflow,
>     since supplying an output buffer smaller than 128 characters may
>     overflow the output buffer, regardless of the 'maxlen' argument
>     supplied.
>
> CVE-2021-43804
>
>     When an incoming RTCP BYE message contains a reason length, this
>     declared length is not checked against the actual received packet
>     size, potentially resulting in an out-of-bound read access. A
>     malicious actor can send an RTCP BYE message with an invalid reason
>     length.
>
> CVE-2021-43845
>
>     If an incoming RTCP XR message contains a block, the data field is
>     not checked against the received packet size, potentially resulting
>     in an out-of-bound read access.
>
> CVE-2022-21722
>
>     It is possible that certain incoming RTP/RTCP packets can
>     potentially cause out-of-bound read access. This issue affects
>     all users that use PJMEDIA and accept incoming RTP/RTCP.
>
> CVE-2022-21723
>
>     Parsing an incoming SIP message that contains a malformed
>     multipart can potentially cause out-of-bound read access. This
>     issue affects all PJSIP users that accept SIP multipart.
>
> CVE-2022-23608
>
>     When in a dialog set (or forking) scenario, a hash key shared by
>     multiple UAC dialogs can potentially be prematurely freed when one
>     of the dialogs is destroyed. The issue may cause a dialog set to
>     be registered in the hash table multiple times (with different
>     hash keys), leading to undefined behavior such as dialog list
>     collision, which eventually leads to an endless loop.
>
> CVE-2022-24754
>
>     There is a stack-buffer overflow vulnerability which only impacts
>     PJSIP users who accept hashed digest credentials (credentials with
>     data_type `PJSIP_CRED_DATA_DIGEST`).
>
> CVE-2022-24764
>
>     A stack buffer overflow vulnerability that affects PJSUA2 users
>     or users that call the API `pjmedia_sdp_print(),
>     pjmedia_sdp_media_print()`.
>
> For Debian 9 stretch, these problems have been fixed in version
> 2.5.5~dfsg-6+deb9u3.
>
> We recommend that you upgrade your pjproject packages.
>
> For the detailed security status of pjproject please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/pjproject
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>

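The length check described under CVE-2021-37706 in the quoted advisory, as an added example in C that is not pjproject's code: a constructed parser for the STUN ERROR-CODE attribute (RFC 5389 layout, 4-byte header followed by the reason phrase) that rejects a declared length shorter than the header before the subtraction that would otherwise underflow. Function names and sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example, not pjproject code: parsing a STUN ERROR-CODE
 * attribute (RFC 5389, section 15.6). The attribute value begins with a
 * 4-byte header (reserved bits, class, number); the reason phrase follows. */
#define STUN_ATTR_ERROR_CODE 0x0009
#define ERROR_CODE_HDR_LEN   4

struct stun_error_code {
    int code;                 /* class * 100 + number, e.g. 420 */
    size_t reason_len;        /* length of the reason phrase in bytes */
    const uint8_t *reason;    /* points into the packet, not copied */
};

/* 'buf' points at the attribute's TLV header; 'avail' is the number of bytes
 * left in the packet from 'buf'. Returns 0 on success, -1 if malformed. */
static int parse_error_code(const uint8_t *buf, size_t avail,
                            struct stun_error_code *out)
{
    if (avail < 4) return -1;                      /* need the TLV header */
    uint16_t type = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t len  = (uint16_t)((buf[2] << 8) | buf[3]);
    if (type != STUN_ATTR_ERROR_CODE) return -1;
    if (len > avail - 4) return -1;                /* value must fit the packet */
    /* The check CVE-2021-37706 describes as missing: without it,
     * len - ERROR_CODE_HDR_LEN underflows for len < 4 and the reason
     * length becomes huge, so later reads run past the packet. */
    if (len < ERROR_CODE_HDR_LEN) return -1;
    const uint8_t *val = buf + 4;
    int cls = val[2] & 0x07, num = val[3];
    if (cls < 3 || cls > 6 || num > 99) return -1; /* RFC 5389 ranges */
    out->code = cls * 100 + num;
    out->reason_len = (size_t)len - ERROR_CODE_HDR_LEN;
    out->reason = val + ERROR_CODE_HDR_LEN;
    return 0;
}

/* Wrapper: the numeric error code on success, -1 when the attribute is rejected. */
static int error_code_of(const uint8_t *buf, size_t avail)
{
    struct stun_error_code ec;
    return parse_error_code(buf, avail, &ec) == 0 ? ec.code : -1;
}

/* Constructed sample attributes (type 0x0009, big-endian length field). */
static const uint8_t ok_attr[] = { 0x00,0x09, 0x00,0x0B, 0x00,0x00,0x04,0x14,
                                   'U','n','k','n','o','w','n' };   /* 420 */
static const uint8_t short_attr[] = { 0x00,0x09, 0x00,0x02, 0x00,0x00 }; /* len 2 */
static const uint8_t cut_attr[] = { 0x00,0x09, 0x00,0x0B, 0x00,0x00,0x04,0x14 };
```

Note that `short_attr` passes the "value fits in the packet" check and is only rejected by the header-length check, which is why the two checks are not interchangeable.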
Attachment: CVE-2022-23608.patch
Description: Binary data

Attachment: CVE-2022-23608_fixed.patch
Description: Binary data

