[SECURITY] [DLA 2962-1] pjproject security update

2022-03-28 14:23:21
lists.debian.org

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low
Percentile: 77.4%


Debian LTS Advisory DLA-2962-1 [email protected]
https://www.debian.org/lts/security/ Abhijith PA
March 28, 2022 https://wiki.debian.org/LTS


Package : pjproject
Version : 2.5.5~dfsg-6+deb9u3
CVE ID : CVE-2021-32686 CVE-2021-37706 CVE-2021-41141 CVE-2021-43299
CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303
CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723
CVE-2022-23608 CVE-2022-24754 CVE-2022-24764

Multiple security issues were discovered in pjproject, a free and
open source multimedia communication library.

CVE-2021-32686

A race condition between callback and destroy, due to the accepted
socket having no group lock. Second, the SSL socket
parent/listener may get destroyed during handshake. They cause a
crash, resulting in a denial of service.

CVE-2021-37706

When an incoming STUN message contains an ERROR-CODE attribute, the
header length is not checked before performing a subtraction
operation, potentially resulting in an integer underflow scenario.
This issue affects all users that use STUN. A malicious actor
located within the victim’s network may forge and send a specially
crafted UDP (STUN) message that could remotely execute arbitrary
code on the victim’s machine.

CVE-2021-41141

In various parts of PJSIP, when an error/failure occurs, it is found
that the function returns without releasing the currently held
locks. This could result in a system deadlock, which causes a
denial of service for the users.

CVE-2021-43299

Stack overflow in PJSUA API when calling pjsua_player_create. An 
attacker-controlled 'filename' argument may cause a buffer 
overflow since it is copied to a fixed-size stack buffer without 
any size validation.

CVE-2021-43300

Stack overflow in PJSUA API when calling pjsua_recorder_create. An 
attacker-controlled 'filename' argument may cause a buffer 
overflow since it is copied to a fixed-size stack buffer without 
any size validation.

CVE-2021-43301

Stack overflow in PJSUA API when calling pjsua_playlist_create. An 
attacker-controlled 'file_names' argument may cause a buffer 
overflow since it is copied to a fixed-size stack buffer without 
any size validation.

CVE-2021-43302

Read out-of-bounds in PJSUA API when calling 
pjsua_recorder_create. An attacker-controlled 'filename' argument 
may cause an out-of-bounds read when the filename is shorter than 
4 characters.

CVE-2021-43303

Buffer overflow in PJSUA API when calling pjsua_call_dump. An
attacker-controlled 'buffer' argument may cause a buffer overflow,
since supplying an output buffer smaller than 128 characters may
overflow the output buffer, regardless of the 'maxlen' argument
supplied.

CVE-2021-43804

An incoming RTCP BYE message contains a reason's length; this
declared length is not checked against the actual received packet
size, potentially resulting in an out-of-bound read access. A
malicious actor can send an RTCP BYE message with an invalid reason
length.

CVE-2021-43845

If an incoming RTCP XR message contains a block, the data field is not
checked against the received packet size, potentially resulting in
an out-of-bound read access.

CVE-2022-21722

It is possible that certain incoming RTP/RTCP packets can
potentially cause out-of-bound read access. This issue affects
all users that use PJMEDIA and accept incoming RTP/RTCP.

CVE-2022-21723

Parsing an incoming SIP message that contains a malformed 
multipart can potentially cause out-of-bound read access. This 
issue affects all PJSIP users that accept SIP multipart.

CVE-2022-23608

When in a dialog set (or forking) scenario, a hash key shared by
multiple UAC dialogs can potentially be prematurely freed when one
of the dialogs is destroyed. The issue may cause a dialog set to
be registered in the hash table multiple times (with different
hash keys), leading to undefined behavior such as dialog list
collision, which eventually leads to an endless loop.

CVE-2022-24754

There is a stack-buffer overflow vulnerability which only impacts 
PJSIP users who accept hashed digest credentials (credentials with 
data_type `PJSIP_CRED_DATA_DIGEST`).

CVE-2022-24764

A stack buffer overflow vulnerability that affects PJSUA2 users
or users that call the API functions `pjmedia_sdp_print()` or
`pjmedia_sdp_media_print()`.
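
The length check that CVE-2021-37706 describes as missing, shown in an added example that is not pjproject's code: a STUN ERROR-CODE decoder that validates the declared attribute length before subtracting the fixed 4-byte part. The field layout follows RFC 5389; the function, type and sample names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATTR_ERROR_CODE 0x0009  /* STUN ERROR-CODE attribute type */
#define ATTR_HDR_LEN    4       /* type (2 bytes) + length (2 bytes) */
#define ERR_FIXED_LEN   4       /* reserved bits + class + number */

/* Hypothetical result type for this example, not a pjproject structure. */
typedef struct { int code; const uint8_t *reason; size_t reason_len; } stun_errcode;

/* Constructed samples: valid 401, declared length 2, declared length 64. */
static const uint8_t sample_ok[] = { 0x00,0x09,0x00,0x10, 0x00,0x00,0x04,0x01,
    'U','n','a','u','t','h','o','r','i','z','e','d' };
static const uint8_t sample_short[] = { 0x00,0x09,0x00,0x02, 0x00,0x00 };
static const uint8_t sample_trunc[] = { 0x00,0x09,0x00,0x40, 0x00,0x00,0x04,0x01 };

/* Decode one ERROR-CODE attribute; returns 0 on success, -1 if malformed. */
int decode_error_code(const uint8_t *buf, size_t buf_len, stun_errcode *out)
{
    if (buf_len < ATTR_HDR_LEN) return -1;
    unsigned type = ((unsigned)buf[0] << 8) | buf[1];
    size_t val_len = ((size_t)buf[2] << 8) | buf[3];
    if (type != ATTR_ERROR_CODE) return -1;
    /* The declared length must fit in the bytes actually received. */
    if (val_len > buf_len - ATTR_HDR_LEN) return -1;
    /* Check before subtracting: for val_len < 4 the unsigned
     * expression val_len - ERR_FIXED_LEN would wrap to a huge value. */
    if (val_len < ERR_FIXED_LEN) return -1;
    const uint8_t *v = buf + ATTR_HDR_LEN;
    unsigned cls = v[2] & 0x07, num = v[3];
    if (cls < 3 || cls > 6 || num > 99) return -1;  /* ranges from RFC 5389 */
    out->code = (int)(cls * 100 + num);
    out->reason = v + ERR_FIXED_LEN;            /* not NUL-terminated */
    out->reason_len = val_len - ERR_FIXED_LEN;  /* safe: val_len >= 4 */
    return 0;
}

int main(void)
{
    stun_errcode e;
    if (decode_error_code(sample_ok, sizeof sample_ok, &e) == 0)
        printf("%d %.*s\n", e.code, (int)e.reason_len, (const char *)e.reason);
    printf("short: %d\n", decode_error_code(sample_short, sizeof sample_short, &e));
    printf("truncated: %d\n", decode_error_code(sample_trunc, sizeof sample_trunc, &e));
    return 0;
}
```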

For Debian 9 stretch, these problems have been fixed in version
2.5.5~dfsg-6+deb9u3.

We recommend that you upgrade your pjproject packages.

For the detailed security status of pjproject please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pjproject

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
