pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260

Done
Submitted by Mark H Weaver.
Details
4 participants
  • Leo Famulari
  • Léo Le Bouter
  • Ludovic Courtès
  • Mark H Weaver
Owner
unassigned
Severity
normal
Mark H Weaver wrote on 14 Mar 22:35 +0100
(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87a6r5s9j4.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Thu, 11 Mar 2021 03:30:42 +0100

CVE-2021-21375 00:15
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This results in a denial of service.

CVE-2020-15260 00:15
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, PJSIP transport can be reused if they have the same IP address + port + protocol. However, this is insufficient for secure transport since it lacks remote hostname authentication. Suppose we have created a TLS connection to `sip.foo.com`, which has an IP address `100.1.1.1`. If we want to create a TLS connection to another hostname, say `sip.bar.com`, which has the same IP address, then it will reuse that existing connection, even though `100.1.1.1` does not have certificate to authenticate as `sip.bar.com`. The vulnerability allows for an insecure interaction without user awareness. It affects users who need access to connections to different destinations that translate to the same address, and allows man-in-the-middle attack if attacker can route a connection to another destination such as in the case of DNS spoofing.

Upstream has not made a release yet, I advise we wait for a release on their end then upgrade. To be monitored.
-------------------- End of forwarded message --------------------
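
The reuse rule described under CVE-2020-15260, as an added C example that is not part of the original message and is not PJSIP's own code: a cache lookup keyed on IP + port + protocol beside one that also requires the authenticated hostname. The struct, the function names and port 5061 are assumptions made for illustration; the hostnames and address are the ones used in the CVE text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical cache entry for illustration; not PJSIP's own structure. */
struct transport {
    const char *proto;          /* "tls", "tcp", "udp" */
    const char *ip;             /* resolved remote address */
    unsigned    port;
    const char *verified_host;  /* name the peer certificate was checked against */
};

/* Constructed cache: one TLS connection authenticated as sip.foo.com. */
static const struct transport cache[] = {
    { "tls", "100.1.1.1", 5061, "sip.foo.com" },
};
#define CACHE_LEN (sizeof cache / sizeof cache[0])

static bool same_endpoint(const struct transport *t, const char *proto,
                          const char *ip, unsigned port)
{
    return !strcmp(t->proto, proto) && !strcmp(t->ip, ip) && t->port == port;
}

/* Reuse keyed on IP + port + protocol only, as the CVE text describes. */
const struct transport *find_by_endpoint(const char *proto, const char *ip,
                                         unsigned port)
{
    for (size_t i = 0; i < CACHE_LEN; i++)
        if (same_endpoint(&cache[i], proto, ip, port))
            return &cache[i];
    return NULL;
}

/* TLS reuse additionally requires the same authenticated hostname
 * (names assumed already lowercased); a miss forces a new handshake. */
const struct transport *find_by_endpoint_and_host(const char *proto,
        const char *ip, unsigned port, const char *host)
{
    for (size_t i = 0; i < CACHE_LEN; i++) {
        const struct transport *t = &cache[i];
        if (!same_endpoint(t, proto, ip, port))
            continue;
        if (!strcmp(proto, "tls") && (!host || strcmp(t->verified_host, host)))
            continue;
        return t;
    }
    return NULL;
}
```

With the endpoint-only key, a request for `sip.bar.com` at `100.1.1.1` gets the connection that was authenticated as `sip.foo.com`; with the hostname in the key the lookup misses and the caller has to open and verify a new connection.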
Ludovic Courtès wrote on 15 Mar 14:43 +0100
control message for bug #47143
(address . control@debbugs.gnu.org)
87pn00h6sa.fsf@gnu.org
tags 47143 + security
quit
Leo Famulari wrote on 24 Mar 05:06 +0100
(no subject)
(address . control@debbugs.gnu.org)
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
Léo Le Bouter wrote on 5 Apr 23:01 +0200
pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260
(address . 47143-done@debbugs.gnu.org)
eb9440ae24c7f5db8707dd123a234b6effb99a3a.camel@zaclys.net
Upstream released 2.11 which fixed the issue.
Update to 2.11 pushed as 45136b3673bcdba21fa0d1fd6edb3d388a645fcc

Closed