Bug#1017004: closed by Debian FTP Masters <ftpmaster at ftp-master.debian.org> (reply to Jonas Smedegaard <dr at jones.dk>) (Bug#1017004: fixed in asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1)
Jonas Smedegaard
jonas at jones.dk
Fri Dec 9 14:59:47 GMT 2022
Hi Salvatore,
Quoting Salvatore Bonaccorso (2022-12-09 15:15:26)
> This issue does not appear to be fixed with the
> 1:20.0.1~dfsg+~cs6.12.40431414-1. Could you double-check again?
First of all: Thanks a lot for double-checking!
I did not test the bug nor the bugfix - I only traced reports across
projects when I closed this bug.
If you reopen similarly based only on tracing reports across projects,
then I suspect the (sub)issue really is Asterisk project failing to
prominently reference CVE or GHSA issue hints in their bug closure.
The issue tracked here - unless I am mistaken - is CVE-2022-31031, also
reported as GHSA-26j7-ww69-c4qj against PJSIP project, and (referencing
only GHSA identifiers, and only in patch content not commit header)
PJSIP project fix is here:
https://github.com/pjsip/pjproject/commit/450baca
Asterisk inclusion of the PJSIP fix is here:
https://github.com/asterisk/asterisk/commit/702f400
Debian inclusion of Asterisk inclusion of PJSIP fix is here:
https://salsa.debian.org/pkg-voip-team/asterisk/-/blob/debian/1%2520.0.1_dfsg+_cs6.12.40431414-1/third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch
I have now double-checked that during build the configure target has
successfully applied the STUN-related patch, and that the file
third-party/pjproject/source/pjlib-util/src/pjlib-util/stun_simple.c
contains the newly introduced string "attr_max_cnt" unique to the PJSIP
bugfix.
I (still) consider this issue fixed, but will leave this bug report open
awaiting your further assessment.
Thanks,
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones
[x] quote me freely [ ] ask before reusing [ ] keep private