Bug#1014976: asterisk: CVE-2022-24764 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793
Moritz Mühlenhoff
jmm at inutil.org
Fri Jul 15 16:23:36 BST 2022
Source: asterisk
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for asterisk.
CVE-2022-24764[0]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.12 and prior contain a stack buffer overflow
| vulnerability that affects PJSUA2 users or users that call the API
| `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do
| not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or
| `pjmedia_sdp_media_print()` should not be affected. A patch is
| available on the `master` branch of the `pjsip/pjproject` GitHub
| repository. There are currently no known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00
CVE-2022-24763[1]:
| PJSIP is a free and open source multimedia communication library
| written in the C language. Versions 2.12 and prior contain a denial-
| of-service vulnerability that affects PJSIP users that consume PJSIP's
| XML parsing in their apps. Users are advised to update. There are no
| known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21
CVE-2022-24786[2]:
| PJSIP is a free and open source multimedia communication library
| written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP
| feedback RPSI (Reference Picture Selection Indication) packet, but any
| app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected.
| A patch is available in the `master` branch of the `pjsip/pjproject`
| GitHub repository. There are currently no known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
CVE-2022-24792[3]:
| PJSIP is a free and open source multimedia communication library
| written in C. A denial-of-service vulnerability affects applications
| on a 32-bit systems that use PJSIP versions 2.12 and prior to
| play/read invalid WAV files. The vulnerability occurs when reading WAV
| file data chunks with length greater than 31-bit integers. The
| vulnerability does not affect 64-bit apps and should not affect apps
| that only plays trusted WAV files. A patch is available on the
| `master` branch of the `pjsip/project` GitHub repository. As a
| workaround, apps can reject a WAV file received from an unknown source
| or validate the file first.
https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799
https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213
CVE-2022-24793[4]:
| PJSIP is a free and open source multimedia communication library
| written in C. A buffer overflow vulnerability in versions 2.12 and
| prior affects applications that uses PJSIP DNS resolution. It doesn't
| affect PJSIP users who utilize an external resolver. A patch is
| available in the `master` branch of the `pjsip/pjproject` GitHub
| repository. A workaround is to disable DNS resolution in PJSIP config
| (by setting `nameserver_count` to zero) or use an external resolver
| instead.
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24764
[1] https://security-tracker.debian.org/tracker/CVE-2022-24763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24763
[2] https://security-tracker.debian.org/tracker/CVE-2022-24786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24786
[3] https://security-tracker.debian.org/tracker/CVE-2022-24792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24792
[4] https://security-tracker.debian.org/tracker/CVE-2022-24793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24793
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-voip-maintainers
mailing list