Debian Security Advisory
DLA-2962-1 pjproject -- LTS security update
- Date Reported: 28 Mar 2022
- Affected Packages: pjproject
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2021-32686, CVE-2021-37706, CVE-2021-41141, CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21722, CVE-2022-21723, CVE-2022-23608, CVE-2022-24754, CVE-2022-24764.
- More information:
Multiple security issues were discovered in pjproject, a free and open source multimedia communication library.
- CVE-2021-32686
First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both cause a crash, resulting in a denial of service.
- CVE-2021-37706
When an incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine.
- CVE-2021-41141
In various parts of PJSIP, when an error/failure occurs, the function returns without releasing the currently held locks. This could result in a system deadlock, which causes a denial of service for the users.
- CVE-2021-43299
Stack overflow in PJSUA API when calling pjsua_player_create. An attacker-controlled filename argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
- CVE-2021-43300
Stack overflow in PJSUA API when calling pjsua_recorder_create. An attacker-controlled filename argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
- CVE-2021-43301
Stack overflow in PJSUA API when calling pjsua_playlist_create. An attacker-controlled file_names argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
- CVE-2021-43302
Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled filename argument may cause an out-of-bounds read when the filename is shorter than 4 characters.
- CVE-2021-43303
Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker-controlled buffer argument may cause a buffer overflow, since supplying an output buffer smaller than 128 characters may overflow the output buffer, regardless of the maxlen argument supplied.
- CVE-2021-43804
An incoming RTCP BYE message contains a reason's length; this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. A malicious actor can send an RTCP BYE message with an invalid reason length.
- CVE-2021-43845
If an incoming RTCP XR message contains a block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access.
- CVE-2022-21722
Certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP.
- CVE-2022-21723
Parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart.
- CVE-2022-23608
In a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed. The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys), leading to undefined behavior such as dialog list collision, which eventually leads to an endless loop.
- CVE-2022-24754
There is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`).
- CVE-2022-24764
A stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API `pjmedia_sdp_print()`, `pjmedia_sdp_media_print()`.
For Debian 9 stretch, these problems have been fixed in version 2.5.5~dfsg-6+deb9u3.
We recommend that you upgrade your pjproject packages.
For the detailed security status of pjproject please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pjproject
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
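The length check described for CVE-2021-43804, as an added example that is not pjproject's code or its patch: a minimal RFC 3550 BYE parser that rejects a reason length larger than the bytes actually received. The function name, scratch buffer and sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample packets: V=2, SC=1, PT=203 (BYE), length field 2
 * (3 words, 12 bytes), one SSRC, then reason length and reason text. */
static const uint8_t GOOD_BYE[] = {0x81,203,0,2, 0x11,0x22,0x33,0x44, 3,'b','y','e'};
static const uint8_t BAD_BYE[]  = {0x81,203,0,2, 0x11,0x22,0x33,0x44, 0xff,'b','y','e'};
static char demo_out[32];   /* scratch buffer for the demo (hypothetical name) */

/* Copy the optional BYE reason into out (NUL-terminated, truncated to fit).
 * Returns the number of bytes copied, 0 if no reason, -1 if malformed. */
int rtcp_bye_reason(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_size)
{
    if (!pkt || !out || out_size == 0 || pkt_len < 4)
        return -1;
    if ((pkt[0] >> 6) != 2 || pkt[1] != 203)
        return -1;
    /* Header length field counts 32-bit words minus one; it must fit the datagram. */
    size_t declared = ((size_t)((pkt[2] << 8) | pkt[3]) + 1) * 4;
    if (declared > pkt_len)
        return -1;
    size_t off = 4 + (size_t)(pkt[0] & 0x1f) * 4;   /* skip the SC SSRC entries */
    if (off > declared)
        return -1;
    out[0] = '\0';
    if (off == declared)
        return 0;                                    /* no reason field present */
    size_t reason_len = pkt[off++];
    /* The declared reason length must not exceed the bytes actually remaining. */
    if (reason_len > declared - off)
        return -1;
    if (reason_len >= out_size)
        reason_len = out_size - 1;                   /* never write past out */
    memcpy(out, pkt + off, reason_len);
    out[reason_len] = '\0';
    return (int)reason_len;
}

int main(void)
{
    printf("good: %d\n", rtcp_bye_reason(GOOD_BYE, sizeof GOOD_BYE, demo_out, sizeof demo_out));
    printf("bad:  %d\n", rtcp_bye_reason(BAD_BYE, sizeof BAD_BYE, demo_out, sizeof demo_out));
    return 0;
}
```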