Bug#1014998: ring: CVE-2021-32686 CVE-2021-37706 CVE-2022-21723 CVE-2022-23608 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-24754 CVE-2022-24763 CVE-2022-24764 CVE-2022-24793

Moritz Mühlenhoff jmm at inutil.org
Fri Jul 15 23:24:34 BST 2022


Source: ring
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ring.

CVE-2021-32686[0]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1,
| there are a couple of issues found in the SSL socket. First, a race
| condition between callback and destroy, due to the accepted socket
| having no group lock. Second, the SSL socket parent/listener may get
| destroyed during handshake. Both issues were reported to happen
| intermittently in heavy load TLS connections. They cause a crash,
| resulting in a denial of service. These are fixed in version 2.11.1.

https://downloads.asterisk.org/pub/security/AST-2021-009.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
https://github.com/pjsip/pjproject/pull/2716

CVE-2021-37706[1]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the
| incoming STUN message contains an ERROR-CODE attribute, the header
| length is not checked before performing a subtraction operation,
| potentially resulting in an integer underflow scenario. This issue
| affects all users that use STUN. A malicious actor located within the
| victim’s network may forge and send a specially crafted UDP
| (STUN) message that could remotely execute arbitrary code on the
| victim’s machine. Users are advised to upgrade as soon as
| possible. There are no known workarounds.

https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-004.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865

CVE-2022-21723[2]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior,
| parsing an incoming SIP message that contains a malformed multipart
| can potentially cause out-of-bound read access. This issue affects all
| PJSIP users that accept SIP multipart. The patch is available as
| commit in the `master` branch. There are no known workarounds.

https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-006.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm
https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896

CVE-2022-23608[3]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including
| 2.11.1 when in a dialog set (or forking) scenario, a hash key shared
| by multiple UAC dialogs can potentially be prematurely freed when one
| of the dialogs is destroyed. The issue may cause a dialog set to be
| registered in the hash table multiple times (with different hash keys)
| leading to undefined behavior such as dialog list collision which
| eventually leads to an endless loop. A patch is available in commit
| db3235953baa56d2fb0e276ca510fefca751643f which will be included in the
| next release. There are no known workarounds for this issue.

https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-005.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f

CVE-2021-43299[4]:
| Stack overflow in PJSUA API when calling pjsua_player_create. An
| attacker-controlled 'filename' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43300[5]:
| Stack overflow in PJSUA API when calling pjsua_recorder_create. An
| attacker-controlled 'filename' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43301[6]:
| Stack overflow in PJSUA API when calling pjsua_playlist_create. An
| attacker-controlled 'file_names' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43302[7]:
| Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An
| attacker-controlled 'filename' argument may cause an out-of-bounds
| read when the filename is shorter than 4 characters.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43303[8]:
| Buffer overflow in PJSUA API when calling pjsua_call_dump. An
| attacker-controlled 'buffer' argument may cause a buffer overflow,
| since supplying an output buffer smaller than 128 characters may
| overflow the output buffer, regardless of the 'maxlen' argument
| supplied.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43804[9]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the
| incoming RTCP BYE message contains a reason's length, this declared
| length is not checked against the actual received packet size,
| potentially resulting in an out-of-bound read access. This issue
| affects all users that use PJMEDIA and RTCP. A malicious actor can
| send an RTCP BYE message with an invalid reason length. Users are
| advised to upgrade as soon as possible. There are no known
| workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9
https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e

CVE-2021-43845[10]:
| PJSIP is a free and open source multimedia communication library. In
| version 2.11.1 and prior, if an incoming RTCP XR message contains a block,
| the data field is not checked against the received packet size,
| potentially resulting in an out-of-bound read access. This affects all
| users that use PJMEDIA and RTCP XR. A malicious actor can send an RTCP
| XR message with an invalid packet size.

https://github.com/pjsip/pjproject/security/advisories/GHSA-r374-qrwv-86hh
https://github.com/pjsip/pjproject/commit/f74c1fc22b760d2a24369aa72c74c4a9ab985859
https://github.com/pjsip/pjproject/pull/2924

CVE-2022-21722[11]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there
| are various cases where it is possible that certain incoming RTP/RTCP
| packets can potentially cause out-of-bound read access. This issue
| affects all users that use PJMEDIA and accept incoming RTP/RTCP. A
| patch is available as a commit in the `master` branch. There are no
| known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36
https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a

CVE-2022-24754[12]:
| PJSIP is a free and open source multimedia communication library
| written in C language. In versions prior to and including 2.12 PJSIP
| there is a stack-buffer overflow vulnerability which only impacts
| PJSIP users who accept hashed digest credentials (credentials with
| data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in
| the master branch of the PJSIP repository and will be included with
| the next release. Users unable to upgrade need to check that the
| hashed digest data length must be equal to `PJSIP_MD5STRLEN` before
| passing to PJSIP.

https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662
https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47

CVE-2022-24763[13]:
| PJSIP is a free and open source multimedia communication library
| written in the C language. Versions 2.12 and prior contain a denial-
| of-service vulnerability that affects PJSIP users that consume PJSIP's
| XML parsing in their apps. Users are advised to update. There are no
| known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21

CVE-2022-24764[14]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.12 and prior contain a stack buffer overflow
| vulnerability that affects PJSUA2 users or users that call the API
| `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do
| not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or
| `pjmedia_sdp_media_print()` should not be affected. A patch is
| available on the `master` branch of the `pjsip/pjproject` GitHub
| repository. There are currently no known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00

CVE-2022-24793[15]:
| PJSIP is a free and open source multimedia communication library
| written in C. A buffer overflow vulnerability in versions 2.12 and
| prior affects applications that use PJSIP DNS resolution. It doesn't
| affect PJSIP users who utilize an external resolver. A patch is
| available in the `master` branch of the `pjsip/pjproject` GitHub
| repository. A workaround is to disable DNS resolution in PJSIP config
| (by setting `nameserver_count` to zero) or use an external resolver
| instead.

https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32686
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32686
[1] https://security-tracker.debian.org/tracker/CVE-2021-37706
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37706
[2] https://security-tracker.debian.org/tracker/CVE-2022-21723
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21723
[3] https://security-tracker.debian.org/tracker/CVE-2022-23608
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23608
[4] https://security-tracker.debian.org/tracker/CVE-2021-43299
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43299
[5] https://security-tracker.debian.org/tracker/CVE-2021-43300
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43300
[6] https://security-tracker.debian.org/tracker/CVE-2021-43301
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43301
[7] https://security-tracker.debian.org/tracker/CVE-2021-43302
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43302
[8] https://security-tracker.debian.org/tracker/CVE-2021-43303
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43303
[9] https://security-tracker.debian.org/tracker/CVE-2021-43804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43804
[10] https://security-tracker.debian.org/tracker/CVE-2021-43845
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43845
[11] https://security-tracker.debian.org/tracker/CVE-2022-21722
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21722
[12] https://security-tracker.debian.org/tracker/CVE-2022-24754
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24754
[13] https://security-tracker.debian.org/tracker/CVE-2022-24763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24763
[14] https://security-tracker.debian.org/tracker/CVE-2022-24764
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24764
[15] https://security-tracker.debian.org/tracker/CVE-2022-24793
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24793

Please adjust the affected versions in the BTS as needed.
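As an added illustration (not part of this bug report or of PJSIP's own code): the two length checks that the CVE-2021-37706 description says are missing before the ERROR-CODE subtraction, written as a small C parser for one STUN ERROR-CODE attribute. The attribute layout (4-byte type/length header, 4 fixed bytes, then the reason phrase) follows RFC 5389; the sample packets are constructed, and the same "declared length versus bytes actually received" check is what the RTCP BYE and RTCP XR entries above (CVE-2021-43804, CVE-2021-43845) describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* STUN attribute: 16-bit type, 16-bit value length, value, pad to 4 (RFC 5389). */
#define STUN_ATTR_HDR_LEN    4
#define STUN_ATTR_ERROR_CODE 0x0009
#define ERROR_CODE_FIXED_LEN 4   /* reserved(2) + class(1) + number(1) before the reason */

struct error_code_attr {
    unsigned code;          /* e.g. 438 */
    const uint8_t *reason;  /* points into the caller's packet buffer */
    size_t reason_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the ERROR-CODE attribute starting at buf[0], with buflen bytes actually
 * received.  Returns 0 on success, -1 on any length inconsistency.  The two
 * checks below are what an unchecked "reason_len = attr_len - 4" skips. */
int parse_error_code_attr(const uint8_t *buf, size_t buflen,
                          struct error_code_attr *out)
{
    if (buflen < STUN_ATTR_HDR_LEN) return -1;
    uint16_t type = rd16(buf);
    uint16_t attr_len = rd16(buf + 2);
    if (type != STUN_ATTR_ERROR_CODE) return -1;
    /* 1. The declared value length must lie within the received packet. */
    if (attr_len > buflen - STUN_ATTR_HDR_LEN) return -1;
    /* 2. The value must hold the fixed part; otherwise the subtraction
     *    below would wrap to a huge reason length. */
    if (attr_len < ERROR_CODE_FIXED_LEN) return -1;
    const uint8_t *v = buf + STUN_ATTR_HDR_LEN;
    unsigned cls = v[2] & 0x07, num = v[3];
    if (cls < 3 || cls > 6 || num > 99) return -1;   /* RFC 5389 ranges */
    out->code = cls * 100 + num;
    out->reason = v + ERROR_CODE_FIXED_LEN;
    out->reason_len = attr_len - ERROR_CODE_FIXED_LEN;
    return 0;
}

/* Constructed samples. Well-formed: 438 "Stale Nonce" (value len 15, 1 pad byte). */
static const uint8_t good[] = {0x00,0x09, 0x00,0x0f, 0x00,0x00,0x04,0x26,
    'S','t','a','l','e',' ','N','o','n','c','e', 0x00};
/* Declared value length 2: shorter than the fixed 4-byte part. */
static const uint8_t short_attr[] = {0x00,0x09, 0x00,0x02, 0x00,0x00};
/* Declared value length 64, but only 8 value bytes were received. */
static const uint8_t overlong[] = {0x00,0x09, 0x00,0x40, 0x00,0x00,0x04,0x26,
    'x','x','x','x'};
```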


