A pjproject security update has been released for Debian GNU/Linux 9 LTS to address multiple security issues.
DLA 2962-1: pjproject security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2962-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
March 28, 2022                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : pjproject
Version : 2.5.5~dfsg-6+deb9u3
CVE ID : CVE-2021-32686 CVE-2021-37706 CVE-2021-41141 CVE-2021-43299
CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303
CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723
CVE-2022-23608 CVE-2022-24754 CVE-2022-24764
Multiple security issues were discovered in pjproject, a free and
open source multimedia communication library.
CVE-2021-32686
First, a race condition between callback and destroy, due to the
accepted socket having no group lock. Second, the SSL socket
parent/listener may get destroyed during handshake. Both cause a
crash, resulting in a denial of service.
CVE-2021-37706
When an incoming STUN message contains an ERROR-CODE attribute, the
header length is not checked before performing a subtraction
operation, potentially resulting in an integer underflow scenario.
This issue affects all users that use STUN. A malicious actor
located within the victim’s network may forge and send a specially
crafted UDP (STUN) message that could remotely execute arbitrary
code on the victim’s machine.
CVE-2021-41141
In various parts of PJSIP, when an error/failure occurs, the
function returns without releasing the currently held locks. This
could result in a system deadlock, which causes a denial of service
for the users.
CVE-2021-43299
Stack overflow in PJSUA API when calling pjsua_player_create. An
attacker-controlled 'filename' argument may cause a buffer
overflow since it is copied to a fixed-size stack buffer without
any size validation.
CVE-2021-43300
Stack overflow in PJSUA API when calling pjsua_recorder_create. An
attacker-controlled 'filename' argument may cause a buffer
overflow since it is copied to a fixed-size stack buffer without
any size validation.
CVE-2021-43301
Stack overflow in PJSUA API when calling pjsua_playlist_create. An
attacker-controlled 'file_names' argument may cause a buffer
overflow since it is copied to a fixed-size stack buffer without
any size validation.
CVE-2021-43302
Read out-of-bounds in PJSUA API when calling
pjsua_recorder_create. An attacker-controlled 'filename' argument
may cause an out-of-bounds read when the filename is shorter than
4 characters.
CVE-2021-43303
Buffer overflow in PJSUA API when calling pjsua_call_dump. An
attacker-controlled 'buffer' argument may cause a buffer overflow,
since supplying an output buffer smaller than 128 characters may
overflow the output buffer, regardless of the 'maxlen' argument
supplied.
CVE-2021-43804
When an incoming RTCP BYE message contains a reason's length, this
declared length is not checked against the actual received packet
size, potentially resulting in an out-of-bound read access. A
malicious actor can send an RTCP BYE message with an invalid reason
length.
CVE-2021-43845
If an incoming RTCP XR message contains a block, the data field is
not checked against the received packet size, potentially resulting
in an out-of-bound read access.
CVE-2022-21722
Certain incoming RTP/RTCP packets can potentially cause
out-of-bound read access. This issue affects all users that use
PJMEDIA and accept incoming RTP/RTCP.
CVE-2022-21723
Parsing an incoming SIP message that contains a malformed
multipart can potentially cause out-of-bound read access. This
issue affects all PJSIP users that accept SIP multipart.
CVE-2022-23608
In a dialog set (or forking) scenario, a hash key shared by
multiple UAC dialogs can potentially be prematurely freed when one
of the dialogs is destroyed. The issue may cause a dialog set to
be registered in the hash table multiple times (with different
hash keys), leading to undefined behavior such as dialog list
collision, which eventually leads to an endless loop.
CVE-2022-24754
There is a stack-buffer overflow vulnerability which only impacts
PJSIP users who accept hashed digest credentials (credentials with
data_type `PJSIP_CRED_DATA_DIGEST`).
CVE-2022-24764
A stack buffer overflow vulnerability that affects PJSUA2 users
or users that call the API `pjmedia_sdp_print()`,
`pjmedia_sdp_media_print()`.
For Debian 9 stretch, these problems have been fixed in version
2.5.5~dfsg-6+deb9u3.
We recommend that you upgrade your pjproject packages.
For the detailed security status of pjproject please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pjproject
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
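
The length check that the CVE-2021-37706 entry describes as missing, written as an added C example; it is not pjproject's code and not part of the advisory. The function and struct names, the 127-byte reason cap and the sample packets are assumptions made for this example, and the attribute layout follows RFC 5389.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STUN_ATTR_ERROR_CODE 0x0009u /* attribute type, RFC 5389 */
#define ATTR_HDR_LEN  4u  /* 16-bit type + 16-bit length */
#define ERR_FIXED_LEN 4u  /* reserved bits, class, number */
#define MAX_REASON  127u  /* cap chosen for this example (assumption) */

struct error_code { unsigned code; char reason[MAX_REASON + 1]; };

/* Returns 0 on success, -1 if the attribute is malformed or truncated. */
int parse_error_code(const uint8_t *buf, size_t buf_len, struct error_code *out)
{
    if (buf_len < ATTR_HDR_LEN)
        return -1;
    unsigned type = ((unsigned)buf[0] << 8) | buf[1];
    size_t attr_len = ((size_t)buf[2] << 8) | buf[3];
    if (type != STUN_ATTR_ERROR_CODE)
        return -1;
    /* The declared length must fit in the bytes actually received. */
    if (attr_len > buf_len - ATTR_HDR_LEN)
        return -1;
    /* Check before subtracting: with attr_len < 4 the unsigned
     * expression attr_len - 4 would wrap to a huge reason length. */
    if (attr_len < ERR_FIXED_LEN)
        return -1;
    size_t reason_len = attr_len - ERR_FIXED_LEN;
    if (reason_len > MAX_REASON)
        return -1;
    const uint8_t *val = buf + ATTR_HDR_LEN;
    unsigned cls = val[2] & 0x07u, num = val[3];
    if (cls < 3 || cls > 6 || num > 99)
        return -1;
    out->code = cls * 100 + num;
    memcpy(out->reason, val + ERR_FIXED_LEN, reason_len);
    out->reason[reason_len] = '\0';
    return 0;
}

/* Constructed samples: 401 "Unauthorized", and a declared length of 2. */
static const uint8_t sample_ok[] = {0x00, 0x09, 0x00, 0x10, 0x00, 0x00, 0x04,
    0x01, 'U', 'n', 'a', 'u', 't', 'h', 'o', 'r', 'i', 'z', 'e', 'd'};
static const uint8_t sample_short[] = {0x00, 0x09, 0x00, 0x02, 0x00, 0x00, 0x04, 0x01};

int main(void)
{
    struct error_code ec;
    return parse_error_code(sample_ok, sizeof sample_ok, &ec) == 0 &&
           parse_error_code(sample_short, sizeof sample_short, &ec) == -1 ? 0 : 1;
}
```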