Bug#1032092: asterisk: CVE-2022-23537 CVE-2022-23547 CVE-2022-39269

Faidon Liambotis paravoid at debian.org
Mon Aug 7 13:51:54 BST 2023


Dear maintainer, security team,

(See #1036697 for a similar bug with an almost equivalent response)

The changelog for the asterisk 1:20.4.0~dfsg+~cs6.13.40431414-1 upload
dated 2023-08-04, currently in unstable, mentions:
>    + fixate component pjproject at upstream release 2.13.1

The sources seem to indeed indicate that the version shipped for
pjproject (aka PJSIP) is 2.13.1, which seems to have resolved the
vulnerabilities listed below.

Specifically:

On Mon, Feb 27, 2023 at 08:48:36PM +0100, Moritz Mühlenhoff wrote:
> CVE-2022-23537[0]:
> | PJSIP is a free and open source multimedia communication library
> | written in C language implementing standard based protocols such as
> | SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when
> | parsing a specially crafted STUN message with unknown attribute. The
> | vulnerability affects applications that use STUN including PJNATH and
> | PJSUA-LIB. The patch is available as a commit in the master branch
> | (2.13.1).
> 
> https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
> https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1

Upstream says "Patched versions: 2.13.1" in the GitHub GHSA URL above.

> CVE-2022-23547[1]:
> | PJSIP is a free and open source multimedia communication library
> | written in C language implementing standard based protocols such as
> | SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to
> | GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain
> | STUN message. The vulnerability affects applications that use STUN
> | including PJNATH and PJSUA-LIB. The patch is available as commit in
> | the master branch.
> 
> https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr
> https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36

Upstream says "Patched versions: 2.13.1" in the GitHub GHSA URL above.

> CVE-2022-39269[2]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. When processing certain packets, PJSIP may incorrectly
> | switch from using SRTP media transport to using basic RTP upon SRTP
> | restart, causing the media to be sent insecurely. The vulnerability
> | impacts all PJSIP users that use SRTP. The patch is available as
> | commit d2acb9a in the master branch of the project and will be
> | included in version 2.13. Users are advised to manually patch or to
> | upgrade. There are no known workarounds for this vulnerability.
> 
> https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg
> https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc

Upstream says "Patched versions: 2.13" in the GitHub GHSA URL above.

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> [...]
>
> Please adjust the affected versions in the BTS as needed.

As I'm neither the maintainer nor in the security team, I'm leaving
these actions to you. Hopefully simple enough, once you confirm my
findings :)

Regards,
Faidon
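The check Faidon describes (bundled pjproject version versus the "Patched versions" field of each GHSA) can be automated for triage. The following is an added example, not code from the bug report, from Debian or from the pjproject project; it assumes the version macros `PJ_VERSION_NUM_MAJOR`, `PJ_VERSION_NUM_MINOR` and `PJ_VERSION_NUM_REV` as found in pjproject's `pjlib/include/pj/config.h`, and embeds a constructed excerpt of that header so it runs offline. The patched-version thresholds are the ones quoted from the advisories above.

```python
import re

# Constructed excerpt in the style of pjproject's pjlib/include/pj/config.h.
# The macro names are assumed from upstream; the values are the 2.13.1 that
# the bug report says is bundled with the asterisk upload.
CONFIG_H_EXCERPT = """
#define PJ_VERSION_NUM_MAJOR 2
#define PJ_VERSION_NUM_MINOR 13
#define PJ_VERSION_NUM_REV   1
#define PJ_VERSION_NUM_EXTRA ""
"""

# "Patched versions" as stated in the GHSA advisories quoted in the report.
PATCHED_VERSIONS = {
    "CVE-2022-23537": "2.13.1",
    "CVE-2022-23547": "2.13.1",
    "CVE-2022-39269": "2.13",
}


def parse_version(text):
    """Turn '2.13' or '2.13.1' into a (major, minor, rev) tuple.

    Missing trailing components count as 0, so '2.13' == (2, 13, 0).
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def pjproject_version_from_config(config_text):
    """Extract the bundled pjproject version from a config.h excerpt."""
    fields = {}
    for name in ("MAJOR", "MINOR", "REV"):
        m = re.search(r"#define\s+PJ_VERSION_NUM_%s\s+(\d+)" % name, config_text)
        if m is None:
            raise ValueError("PJ_VERSION_NUM_%s not found in config.h" % name)
        fields[name] = int(m.group(1))
    return (fields["MAJOR"], fields["MINOR"], fields["REV"])


def triage(bundled, patched=PATCHED_VERSIONS):
    """Map each CVE to True when the bundled version is at or past its fix.

    Tuple comparison gives the numeric ordering we want, e.g.
    (2, 13, 0) < (2, 13, 1) but (2, 13, 0) >= (2, 13, 0).
    """
    return {cve: bundled >= parse_version(fix) for cve, fix in patched.items()}


def unresolved(bundled, patched=PATCHED_VERSIONS):
    """CVEs whose fixed release is newer than the bundled version."""
    return sorted(cve for cve, ok in triage(bundled, patched).items() if not ok)


if __name__ == "__main__":
    bundled = pjproject_version_from_config(CONFIG_H_EXCERPT)
    print("bundled pjproject:", ".".join(str(n) for n in bundled))
    for cve, ok in sorted(triage(bundled).items()):
        print(cve, "fixed in bundled version" if ok else "STILL AFFECTED")
```

A version at or above the fixed release is evidence that the upstream fix is present, which is what the report relies on; the reverse does not hold for older versions, because a distribution may have backported the individual commits, and a pure version comparison cannot see that. For an older bundled copy, the next step is to check the source for the upstream commits linked in each advisory.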
