Hello, we upgraded to 2.5.5~dfsg-6+deb9u3 and we're seeing crashes in Asterisk. It seems the patch for CVE-2022-23608 is faulty. In your patch, the hash table key is assigned twice in hunk #2 but not in hunk #4. Please see attached patch CVE-2022-23608_fixed.patch.
Thanks for your effort.

Regards,
Bastian

On Mon, Mar 28, 2022 at 4:59 PM Abhijith PA <abhij...@debian.org> wrote:
>
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-2962-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                          Abhijith PA
> March 28, 2022                                  https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package        : pjproject
> Version        : 2.5.5~dfsg-6+deb9u3
> CVE ID         : CVE-2021-32686 CVE-2021-37706 CVE-2021-41141 CVE-2021-43299
>                  CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303
>                  CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723
>                  CVE-2022-23608 CVE-2022-24754 CVE-2022-24764
>
> Multiple security issues were discovered in pjproject, a free and
> open source multimedia communication library.
>
> CVE-2021-32686
>
>     A race condition between callback and destroy, due to the accepted
>     socket having no group lock. Second, the SSL socket
>     parent/listener may get destroyed during handshake. They cause a
>     crash, resulting in a denial of service.
>
> CVE-2021-37706
>
>     When an incoming STUN message contains an ERROR-CODE attribute, the
>     header length is not checked before performing a subtraction
>     operation, potentially resulting in an integer underflow scenario.
>     This issue affects all users that use STUN. A malicious actor
>     located within the victim's network may forge and send a specially
>     crafted UDP (STUN) message that could remotely execute arbitrary
>     code on the victim's machine.
>
> CVE-2021-41141
>
>     In various parts of PJSIP, when an error/failure occurs, it is found
>     that the function returns without releasing the currently held
>     locks. This could result in a system deadlock, which causes a
>     denial of service for the users.
>
> CVE-2021-43299
>
>     Stack overflow in PJSUA API when calling pjsua_player_create. An
>     attacker-controlled 'filename' argument may cause a buffer
>     overflow since it is copied to a fixed-size stack buffer without
>     any size validation.
>
> CVE-2021-43300
>
>     Stack overflow in PJSUA API when calling pjsua_recorder_create. An
>     attacker-controlled 'filename' argument may cause a buffer
>     overflow since it is copied to a fixed-size stack buffer without
>     any size validation.
>
> CVE-2021-43301
>
>     Stack overflow in PJSUA API when calling pjsua_playlist_create. An
>     attacker-controlled 'file_names' argument may cause a buffer
>     overflow since it is copied to a fixed-size stack buffer without
>     any size validation.
>
> CVE-2021-43302
>
>     Read out-of-bounds in PJSUA API when calling
>     pjsua_recorder_create. An attacker-controlled 'filename' argument
>     may cause an out-of-bounds read when the filename is shorter than
>     4 characters.
>
> CVE-2021-43303
>
>     Buffer overflow in PJSUA API when calling pjsua_call_dump. An
>     attacker-controlled 'buffer' argument may cause a buffer overflow,
>     since supplying an output buffer smaller than 128 characters may
>     overflow the output buffer, regardless of the 'maxlen' argument
>     supplied.
>
> CVE-2021-43804
>
>     An incoming RTCP BYE message contains a reason length; this
>     declared length is not checked against the actual received packet
>     size, potentially resulting in an out-of-bound read access. A
>     malicious actor can send an RTCP BYE message with an invalid reason
>     length.
>
> CVE-2021-43845
>
>     If an incoming RTCP XR message contains a block, the data field is not
>     checked against the received packet size, potentially resulting in
>     an out-of-bound read access.
>
> CVE-2022-21722
>
>     It is possible that certain incoming RTP/RTCP packets can
>     potentially cause out-of-bound read access. This issue affects
>     all users that use PJMEDIA and accept incoming RTP/RTCP.
>
> CVE-2022-21723
>
>     Parsing an incoming SIP message that contains a malformed
>     multipart can potentially cause out-of-bound read access. This
>     issue affects all PJSIP users that accept SIP multipart.
>
> CVE-2022-23608
>
>     When in a dialog set (or forking) scenario, a hash key shared by
>     multiple UAC dialogs can potentially be prematurely freed when one
>     of the dialogs is destroyed. The issue may cause a dialog set to
>     be registered in the hash table multiple times (with different
>     hash keys), leading to undefined behavior such as dialog list
>     collision, which eventually leads to an endless loop.
>
> CVE-2022-24754
>
>     There is a stack-buffer overflow vulnerability which only impacts
>     PJSIP users who accept hashed digest credentials (credentials with
>     data_type `PJSIP_CRED_DATA_DIGEST`).
>
> CVE-2022-24764
>
>     A stack buffer overflow vulnerability that affects PJSUA2 users
>     or users that call the API `pjmedia_sdp_print(),
>     pjmedia_sdp_media_print()`.
>
> For Debian 9 stretch, these problems have been fixed in version
> 2.5.5~dfsg-6+deb9u3.
>
> We recommend that you upgrade your pjproject packages.
>
> For the detailed security status of pjproject please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/pjproject
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
Attachments:
CVE-2022-23608.patch
CVE-2022-23608_fixed.patch
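CVE-2021-43804 in the quoted advisory concerns an RTCP BYE reason length that is not checked against the received packet size. The following is an added example, not pjproject's code, of a BYE parser that validates every offset against the bytes actually received (RFC 3550 section 6.6 packet layout; the two sample packets are constructed, not captured traffic):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTCP_PT_BYE 203
enum bye_status { BYE_OK, BYE_BAD_TYPE, BYE_TRUNCATED, BYE_NO_REASON, BYE_TOO_LONG };

/* Parse one RTCP BYE packet and copy its optional reason text into `reason`
 * as a NUL-terminated string. Every offset is checked against `len`, the
 * number of bytes actually received, so a reason length byte that claims
 * more data than the packet holds is rejected rather than read past the end. */
enum bye_status parse_rtcp_bye(const uint8_t *pkt, size_t len,
                               char *reason, size_t reason_cap)
{
    if (len < 4 || (pkt[0] >> 6) != 2 || pkt[1] != RTCP_PT_BYE)
        return BYE_BAD_TYPE;
    size_t count = pkt[0] & 0x1f;                       /* SC: number of SSRC/CSRC ids */
    size_t declared = ((size_t)((pkt[2] << 8) | pkt[3]) + 1) * 4; /* length field, in bytes */
    if (declared > len)
        return BYE_TRUNCATED;                           /* header promises more than arrived */
    size_t off = 4 + 4 * count;                         /* skip the SSRC/CSRC list */
    if (off > declared)
        return BYE_TRUNCATED;
    if (off == declared)
        return BYE_NO_REASON;                           /* reason field is optional */
    size_t rlen = pkt[off];                             /* sender-controlled length byte */
    if (off + 1 + rlen > declared)
        return BYE_TRUNCATED;                           /* the packet-size check the advisory describes as missing */
    if (rlen >= reason_cap)
        return BYE_TOO_LONG;                            /* caller's buffer is too small */
    memcpy(reason, pkt + off + 1, rlen);
    reason[rlen] = '\0';
    return BYE_OK;
}
/* Constructed samples: V=2, SC=1, PT=203, length=3 (16 bytes), one SSRC, then a
 * reason length byte and "goodbye". bye_bad is the same packet with the reason
 * length byte set to 200, claiming bytes that were never sent. */
static const uint8_t bye_ok[16]  = { 0x81, 0xcb, 0x00, 0x03, 0x11, 0x22, 0x33, 0x44,
                                     0x07, 'g', 'o', 'o', 'd', 'b', 'y', 'e' };
static const uint8_t bye_bad[16] = { 0x81, 0xcb, 0x00, 0x03, 0x11, 0x22, 0x33, 0x44,
                                     0xc8, 'g', 'o', 'o', 'd', 'b', 'y', 'e' };
int main(void)
{
    char reason[64];
    int ok = parse_rtcp_bye(bye_ok, sizeof bye_ok, reason, sizeof reason);
    printf("valid packet -> %d, reason \"%s\"\n", ok, reason);
    printf("oversized reason length -> %d (rejected)\n",
           parse_rtcp_bye(bye_bad, sizeof bye_bad, reason, sizeof reason));
    return 0;
}
```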