Bug#1057379: ring: please apply patch to fix CVE-2021-37706

Gianfranco Costamagna locutusofborg at debian.org
Mon Dec 4 09:31:26 GMT 2023 

Package: ring
Version: 20230922.0~ds2-1
Severity: important
Tags: patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

   * SECURITY UPDATE: Remote Code Execution
     - debian/patches/CVE-2021-37706.patch: fixed a RCE in PJSIP module
     - CVE-2021-37706


Thanks for considering the patch.

*** /tmp/tmpqqf2a9ke/ring_20230922.0~ds2-1ubuntu1.debdiff
diff -Nru ring-20230922.0~ds2/debian/patches/CVE-2021-37706.patch ring-20230922.0~ds2/debian/patches/CVE-2021-37706.patch
--- ring-20230922.0~ds2/debian/patches/CVE-2021-37706.patch	1970-01-01 01:00:00.000000000 +0100
+++ ring-20230922.0~ds2/debian/patches/CVE-2021-37706.patch	2023-12-04 10:22:49.000000000 +0100
@@ -0,0 +1,20 @@
+commit 15663e3f37091069b8c98a7fce680dc04bc8e865
+Author: sauwming <ming at teluu.com>
+Date:   Tue Aug 10 11:53:25 2021 +0800
+
+    Merge pull request from GHSA-2qpg-f6wf-w984
+
+Index: ./daemon/contrib/tarballs-unpacked/pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333.tar.gz/pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333/pjnath/src/pjnath/stun_msg.c
+===================================================================
+--- ring-20190215.1.f152c98~ds1.orig/daemon/contrib/tarballs-unpacked/pjproject-2.8.tar.gz/pjproject-2.8/pjnath/src/pjnath/stun_msg.c	2023-04-16 11:27:08.746997850 +0200
++++ ./daemon/contrib/tarballs-unpacked/pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333.tar.gz/pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333/pjnath/src/pjnath/stun_msg.c	2023-04-16 11:27:08.746997850 +0200
+@@ -1767,6 +1767,9 @@
+     /* Get pointer to the string in the message */
+     value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
+     value.slen = attr->hdr.length - 4;
++    /* Make sure the length is never negative */
++    if (value.slen < 0)
++    	value.slen = 0;
+
+     /* Copy the string to the attribute */
+     pj_strdup(pool, &attr->reason, &value);
diff -Nru ring-20230922.0~ds2/debian/patches/series ring-20230922.0~ds2/debian/patches/series
--- ring-20230922.0~ds2/debian/patches/series	2023-10-21 19:04:56.000000000 +0200
+++ ring-20230922.0~ds2/debian/patches/series	2023-12-04 10:20:40.000000000 +0100
@@ -3,3 +3,4 @@
  2000-jsoncpp-rename.patch
  2010-dont-force-build-pkgs.patch
  2020-system-md4c-tidy.patch
+CVE-2021-37706.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/attachments/20231204/9b39fc2b/attachment.sig>

More information about the Pkg-voip-maintainers mailing list