- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2962-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
March 28, 2022                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : pjproject
Version        : 2.5.5~dfsg-6+deb9u3
CVE ID         : CVE-2021-32686 CVE-2021-37706 CVE-2021-41141 CVE-2021-43299 
                 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 
                 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723 
                 CVE-2022-23608 CVE-2022-24754 CVE-2022-24764

Multiple security issues were discovered in pjproject, a free and 
open source multimedia communication library.

CVE-2021-32686

    Two issues: a race condition between callback and destroy, due to 
    the accepted socket having no group lock; and the SSL socket 
    parent/listener may get destroyed during handshake. Both cause a 
    crash, resulting in a denial of service.

CVE-2021-37706

    When an incoming STUN message contains an ERROR-CODE attribute, the 
    header length is not checked before a subtraction is performed on 
    it, potentially resulting in an integer underflow. This issue 
    affects all users that use STUN. A malicious actor located within 
    the victim's network may forge and send a specially crafted UDP 
    (STUN) message that could remotely execute arbitrary code on the 
    victim's machine.
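
    The C program below is an illustration added to this advisory; it is 
    not pjproject code and does not reproduce the upstream fix. It shows 
    the arithmetic behind the underflow (an ERROR-CODE attribute shorter 
    than its own 4-byte header) and a parser that bounds every declared 
    length against the bytes actually received. The two STUN packets are 
    constructed for the example, not captured traffic; the function and 
    type names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUN_HDR_LEN          20
#define STUN_ATTR_ERROR_CODE  0x0009   /* RFC 5389 section 15.6 */

typedef struct {
    int            err_class;    /* hundreds digit, 3..6 */
    int            err_number;   /* 0..99 */
    const uint8_t *reason;       /* points into the packet, not NUL-terminated */
    size_t         reason_len;
} stun_error_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The arithmetic behind CVE-2021-37706: the reason phrase length is the attribute
 * length minus the 4-byte ERROR-CODE header. With an unsigned operand and no
 * lower-bound check, an attribute length of 0..3 wraps to a huge value. */
size_t stun_reason_len_unchecked(uint16_t attr_len)
{
    return (size_t)attr_len - 4;
}

/* Hardened parser: bounds every declared length against the bytes actually
 * received, and refuses an ERROR-CODE attribute shorter than its own header.
 * Returns 0 and fills *out on success, -1 when malformed or absent. */
int stun_parse_error_code(const uint8_t *pkt, size_t pkt_len, stun_error_t *out)
{
    if (pkt_len < STUN_HDR_LEN)
        return -1;
    size_t msg_len = rd16(pkt + 2);              /* body length from the header */
    if (msg_len > pkt_len - STUN_HDR_LEN)        /* header claims more than we got */
        return -1;

    size_t pos = STUN_HDR_LEN, end = STUN_HDR_LEN + msg_len;
    while (pos + 4 <= end) {                     /* room for a type/length header */
        uint16_t type = rd16(pkt + pos);
        size_t   alen = rd16(pkt + pos + 2);
        const uint8_t *val = pkt + pos + 4;
        if (alen > end - (pos + 4))              /* value would run past the message */
            return -1;
        if (type == STUN_ATTR_ERROR_CODE) {
            if (alen < 4)                        /* the missing check: avoid alen - 4 underflow */
                return -1;
            out->err_class  = val[2] & 0x07;
            out->err_number = val[3];
            out->reason     = val + 4;
            out->reason_len = alen - 4;
            return 0;
        }
        pos += 4 + ((alen + 3) & ~(size_t)3);    /* values are padded to 4 bytes */
    }
    return -1;
}

/* Constructed sample packets (not captured traffic): a Binding error response with
 * ERROR-CODE 401 "Unauthorized", and one whose ERROR-CODE attribute claims only 2 bytes. */
const uint8_t stun_good_pkt[] = {
    0x01, 0x11, 0x00, 0x14, 0x21, 0x12, 0xA4, 0x42,           /* type, length=20, magic cookie */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,                    /* transaction id */
    0x00, 0x09, 0x00, 0x10, 0x00, 0x00, 0x04, 0x01,           /* ERROR-CODE, len=16, class 4, number 1 */
    'U', 'n', 'a', 'u', 't', 'h', 'o', 'r', 'i', 'z', 'e', 'd'
};
const uint8_t stun_bad_pkt[] = {
    0x01, 0x11, 0x00, 0x08, 0x21, 0x12, 0xA4, 0x42,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
    0x00, 0x09, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00            /* ERROR-CODE, len=2: shorter than its header */
};

int main(void)
{
    stun_error_t e;
    if (stun_parse_error_code(stun_good_pkt, sizeof stun_good_pkt, &e) == 0)
        printf("error %d%02d reason=%.*s\n", e.err_class, e.err_number, (int)e.reason_len, e.reason);
    printf("malformed packet rejected: %s\n",
           stun_parse_error_code(stun_bad_pkt, sizeof stun_bad_pkt, &e) == -1 ? "yes" : "no");
    printf("unchecked reason length for attr_len=2: %zu\n", stun_reason_len_unchecked(2));
    return 0;
}
```

    The point of the example is the order of checks: the message length 
    is bounded by the datagram size first, each attribute's length by 
    the remaining message, and only then is the ERROR-CODE header 
    subtracted. Without the final check, a 2-byte attribute yields a 
    reason length near SIZE_MAX, which any following copy will read past 
    the packet.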

CVE-2021-41141

    In various parts of PJSIP, when an error or failure occurs, the 
    function returns without releasing the locks it currently holds. 
    This could result in a system deadlock, which causes a denial of 
    service for the users.
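
    The C program below is an illustration added to this advisory and is 
    not pjproject code: it shows the error-path shape that leaves a lock 
    held, the single-exit shape that fixes it, and a non-blocking probe 
    that tells the two apart. The lock is a toy C11 spinlock so the 
    example needs no threading library (assumption: PJSIP uses its own 
    mutex type; the behaviour on an early return is the same). Function 
    and type names are the example's own.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

/* Toy spinlock standing in for the mutex PJSIP uses (assumption: the real code uses
 * its own pj_mutex_t; this is only so the example needs no threading library). */
typedef struct { atomic_flag held; } toy_lock_t;

static void lock_acquire(toy_lock_t *l) { while (atomic_flag_test_and_set(&l->held)) { /* spin */ } }
static void lock_release(toy_lock_t *l) { atomic_flag_clear(&l->held); }

/* Non-blocking probe: 1 if someone still holds the lock, 0 otherwise. */
int lock_is_held(toy_lock_t *l)
{
    if (atomic_flag_test_and_set(&l->held))
        return 1;                 /* already held by an earlier caller */
    atomic_flag_clear(&l->held);  /* we took it: give it back */
    return 0;
}

typedef struct { toy_lock_t lock; int calls; } session_t;

void session_init(session_t *s) { atomic_flag_clear(&s->lock.held); s->calls = 0; }

/* Vulnerable shape (the CVE-2021-41141 pattern): an early return on the error path
 * skips lock_release(). The next lock_acquire() on this session spins forever. */
int session_update_leaky(session_t *s, int delta)
{
    lock_acquire(&s->lock);
    if (delta < 0)
        return -EINVAL;           /* BUG: lock still held */
    s->calls += delta;
    lock_release(&s->lock);
    return 0;
}

/* Fixed shape: a single exit label so every path, success or error, releases the lock. */
int session_update_fixed(session_t *s, int delta)
{
    int rc = 0;
    lock_acquire(&s->lock);
    if (delta < 0) {
        rc = -EINVAL;
        goto out;
    }
    s->calls += delta;
out:
    lock_release(&s->lock);
    return rc;
}

int main(void)
{
    session_t a, b;
    session_init(&a);
    session_init(&b);
    session_update_leaky(&a, -1);
    session_update_fixed(&b, -1);
    printf("after leaky error path, lock held: %d\n", lock_is_held(&a.lock));   /* 1: next caller deadlocks */
    printf("after fixed error path, lock held: %d\n", lock_is_held(&b.lock));   /* 0 */
    return 0;
}
```

    When auditing for this class of bug, the probe shape above is the 
    useful part: call each API function on invalid input under test and 
    assert afterwards that its lock can still be taken without blocking.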

CVE-2021-43299

    Stack overflow in PJSUA API when calling pjsua_player_create. An 
    attacker-controlled 'filename' argument may cause a buffer 
    overflow since it is copied to a fixed-size stack buffer without 
    any size validation.

CVE-2021-43300

    Stack overflow in PJSUA API when calling pjsua_recorder_create. An 
    attacker-controlled 'filename' argument may cause a buffer 
    overflow since it is copied to a fixed-size stack buffer without 
    any size validation.

CVE-2021-43301

    Stack overflow in PJSUA API when calling pjsua_playlist_create. An 
    attacker-controlled 'file_names' argument may cause a buffer 
    overflow since it is copied to a fixed-size stack buffer without 
    any size validation.

CVE-2021-43302

    Read out-of-bounds in PJSUA API when calling 
    pjsua_recorder_create. An attacker-controlled 'filename' argument 
    may cause an out-of-bounds read when the filename is shorter than 
    4 characters.

CVE-2021-43303

    Buffer overflow in PJSUA API when calling pjsua_call_dump. An 
    attacker-controlled 'buffer' argument may cause a buffer overflow, 
    since supplying an output buffer smaller than 128 characters may 
    overflow the output buffer, regardless of the 'maxlen' argument 
    supplied.
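
    The C program below is an illustration added to this advisory for 
    the five PJSUA API issues above (CVE-2021-43299 through 
    CVE-2021-43303); it is not pjproject code and does not reproduce the 
    upstream fixes. It places the unbounded copy next to a version that 
    refuses names that do not fit, checks the extension only once the 
    name is known to be at least 4 bytes long (assumption: the short-name 
    read upstream is such an extension check), and writes a status dump 
    through the remaining space so a buffer smaller than the fixed 
    prelude is refused rather than overrun. MAX_PATH_LEN, the field 
    layout of the dump and all function names are the example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 256   /* assumed size of the fixed stack buffer; the real value is internal to the API */

/* Vulnerable shape (the CVE-2021-43299/43300/43301 pattern): a caller-supplied name is
 * copied into a fixed-size stack buffer with no length check. Calling this with a name
 * of MAX_PATH_LEN bytes or more overruns the stack; main() below never does. */
int player_create_unchecked(const char *filename)
{
    char path[MAX_PATH_LEN];
    strcpy(path, filename);                       /* BUG: unbounded copy */
    return (int)strlen(path);
}

/* Hardened version. Two checks matter here:
 *  1. the name must fit the buffer, or the call is refused with -ENAMETOOLONG;
 *  2. the extension is inspected only after confirming len >= 4. Reading
 *     filename[len - 4] on a 2-byte name is the CVE-2021-43302 out-of-bounds read
 *     (assumption: the short-name read upstream is such an extension check). */
int player_create_checked(const char *filename)
{
    char path[MAX_PATH_LEN];
    size_t len;

    if (filename == NULL)
        return -EINVAL;
    len = strlen(filename);
    if (len >= sizeof path)
        return -ENAMETOOLONG;
    if (len < 4 || strcmp(filename + len - 4, ".wav") != 0)
        return -EINVAL;
    memcpy(path, filename, len + 1);              /* fits: len + NUL <= sizeof path */
    return (int)strlen(path) - (int)len;          /* 0 on success */
}

/* Hardened shape for the CVE-2021-43303 pattern: every write goes through the space
 * that is still left, so a buffer smaller than the fixed-size status prelude is
 * refused with -ENOSPC rather than overrun. Returns bytes written on success. */
int call_dump_checked(char *buf, size_t maxlen, const char *state,
                      unsigned dur_sec, unsigned rx_pkts)
{
    size_t used = 0;
    int n;

    if (buf == NULL || maxlen == 0)
        return -EINVAL;
    n = snprintf(buf, maxlen, "state=%s duration=%us\n", state, dur_sec);
    if (n < 0 || (size_t)n >= maxlen)
        goto too_small;
    used = (size_t)n;
    n = snprintf(buf + used, maxlen - used, "rx_pkts=%u\n", rx_pkts);
    if (n < 0 || (size_t)n >= maxlen - used)
        goto too_small;
    used += (size_t)n;
    return (int)used;

too_small:
    buf[0] = '\0';                                /* never hand back a partial dump */
    return -ENOSPC;
}

int main(void)
{
    char big[128], small[16];
    char longname[MAX_PATH_LEN + 8];

    memset(longname, 'x', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("ring.wav  -> %d\n", player_create_checked("ring.wav"));   /* 0 */
    printf("a.w       -> %d\n", player_create_checked("a.w"));        /* -EINVAL, no short-name read */
    printf("263 x's   -> %d\n", player_create_checked(longname));     /* -ENAMETOOLONG */
    printf("dump/128  -> %d\n", call_dump_checked(big, sizeof big, "CONFIRMED", 12, 600));
    printf("dump/16   -> %d\n", call_dump_checked(small, sizeof small, "CONFIRMED", 12, 600));
    return 0;
}
```

    The rule the hardened functions follow is the one to look for when 
    reviewing any API that takes a caller-supplied string or output 
    buffer: the size check happens before the copy, and an output 
    function honours its maxlen for every byte it writes, including any 
    fixed header it emits first.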

CVE-2021-43804

    An incoming RTCP BYE message carries a reason length; this declared 
    length is not checked against the actual received packet size, 
    potentially resulting in an out-of-bounds read. A malicious actor 
    can send an RTCP BYE message with an invalid reason length.

CVE-2021-43845

    If an incoming RTCP XR message contains a block, the block's data 
    field is not checked against the received packet size, potentially 
    resulting in an out-of-bounds read.
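
    The C program below is an illustration added to this advisory for 
    CVE-2021-43804 and CVE-2021-43845; it is not pjproject code and does 
    not reproduce the upstream fixes. It parses an RTCP BYE packet (RFC 
    3550 section 6.6), placing the trusting read of the reason length 
    next to a parser that bounds the header's word count, the SSRC list 
    and the reason length against the bytes actually received. The same 
    bound applies to the block length of an RTCP XR report block; the 
    XR layout is not reproduced here. The two packets are constructed 
    for the example, not captured traffic; function and type names are 
    the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTCP_PT_BYE 203            /* RFC 3550 section 6.6 */

typedef struct {
    unsigned       ssrc_count;
    uint32_t       ssrc[31];       /* SC is a 5-bit field */
    const uint8_t *reason;         /* points into the packet; NULL when absent */
    size_t         reason_len;
} rtcp_bye_t;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The trusting read behind CVE-2021-43804: the reason length byte is taken at face
 * value. pkt_len is ignored, so a copy of that many bytes reads past the packet. */
size_t rtcp_bye_reason_len_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    size_t off = 4 + 4 * (size_t)(pkt[0] & 0x1f);
    (void)pkt_len;
    return pkt[off];
}

/* Hardened parser. Returns 0 and fills *out, or -1 if any declared length
 * (the header's word count, the SSRC count, or the reason length) exceeds
 * the bytes actually received. Padding bit handling is omitted for brevity. */
int rtcp_bye_parse(const uint8_t *pkt, size_t pkt_len, rtcp_bye_t *out)
{
    if (pkt_len < 4 || (pkt[0] >> 6) != 2 || pkt[1] != RTCP_PT_BYE)
        return -1;
    unsigned sc = pkt[0] & 0x1f;
    size_t declared = ((size_t)((pkt[2] << 8) | pkt[3]) + 1) * 4;   /* length is in 32-bit words minus one */
    if (declared > pkt_len)                       /* header promises more than arrived */
        return -1;
    size_t off = 4;
    if (off + 4 * (size_t)sc > declared)          /* SSRC list must fit */
        return -1;
    out->ssrc_count = sc;
    for (unsigned i = 0; i < sc; i++, off += 4)
        out->ssrc[i] = rd32(pkt + off);
    out->reason = NULL;
    out->reason_len = 0;
    if (off < declared) {                         /* optional reason follows */
        size_t rlen = pkt[off];
        if (rlen > declared - (off + 1))          /* the missing check: reason must fit */
            return -1;
        out->reason = pkt + off + 1;
        out->reason_len = rlen;
    }
    return 0;
}

/* Constructed sample packets (not captured traffic). Both are 16 bytes: V=2, SC=1,
 * PT=BYE, length=3 words, SSRC 0xDEADBEEF, then a reason. The second declares a
 * 40-byte reason when only 7 bytes follow. */
const uint8_t bye_good_pkt[] = {
    0x81, 0xCB, 0x00, 0x03, 0xDE, 0xAD, 0xBE, 0xEF,
    0x07, 'g', 'o', 'o', 'd', 'b', 'y', 'e'
};
const uint8_t bye_bad_pkt[] = {
    0x81, 0xCB, 0x00, 0x03, 0xDE, 0xAD, 0xBE, 0xEF,
    0x28, 'g', 'o', 'o', 'd', 'b', 'y', 'e'
};

int main(void)
{
    rtcp_bye_t b;
    if (rtcp_bye_parse(bye_good_pkt, sizeof bye_good_pkt, &b) == 0)
        printf("BYE from %08x reason=%.*s\n", (unsigned)b.ssrc[0], (int)b.reason_len, b.reason);
    printf("unchecked reason length on bad packet: %zu of %zu bytes\n",
           rtcp_bye_reason_len_unchecked(bye_bad_pkt, sizeof bye_bad_pkt), sizeof bye_bad_pkt);
    printf("hardened parser on bad packet: %d\n", rtcp_bye_parse(bye_bad_pkt, sizeof bye_bad_pkt, &b));
    return 0;
}
```

    Note that the check is against the length the packet itself was 
    received with, not against the header's word count alone: the 
    header is attacker-controlled too, so it is bounded first and the 
    reason length is then bounded against what remains.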

CVE-2022-21722

    Certain incoming RTP/RTCP packets can potentially cause an 
    out-of-bounds read. This issue affects all users that use PJMEDIA 
    and accept incoming RTP/RTCP.

CVE-2022-21723

    Parsing an incoming SIP message that contains a malformed 
    multipart body can potentially cause an out-of-bounds read. This 
    issue affects all PJSIP users that accept SIP multipart.

CVE-2022-23608

    In a dialog set (or forking) scenario, a hash key shared by 
    multiple UAC dialogs can potentially be prematurely freed when one 
    of the dialogs is destroyed. The issue may cause a dialog set to 
    be registered in the hash table multiple times (with different 
    hash keys), leading to undefined behavior such as a dialog list 
    collision, which eventually leads to an endless loop.

CVE-2022-24754

    There is a stack-buffer overflow vulnerability which only impacts 
    PJSIP users who accept hashed digest credentials (credentials with 
    data_type `PJSIP_CRED_DATA_DIGEST`).

CVE-2022-24764

    A stack buffer overflow vulnerability that affects PJSUA2 users 
    or users that call the API `pjmedia_sdp_print(), 
    pjmedia_sdp_media_print()`.

For Debian 9 stretch, these problems have been fixed in version
2.5.5~dfsg-6+deb9u3.

We recommend that you upgrade your pjproject packages.

For the detailed security status of pjproject please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
