pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260

DoneSubmitted by Mark H Weaver.
Details
4 participants
  • Leo Famulari
  • Léo Le Bouter
  • Ludovic Courtès
  • Mark H Weaver
Owner
unassigned
Severity
normal
M
M
Mark H Weaver wrote on 14 Mar 2021 22:35
(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87a6r5s9j4.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Thu, 11 Mar 2021 03:30:42 +0100
CVE-2021-21375 00:15
PJSIP is a free and open source multimedia communication library
written in C language implementing standard based protocols such as
SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier,
after an initial INVITE has been sent, when two 183 responses are
received, with the first one causing negotiation failure, a crash will
occur. This results in a denial of service.

CVE-2020-15260 00:15
PJSIP is a free and open source multimedia communication library
written in C language implementing standard based protocols such as
SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, PJSIP
transport can be reused if they have the same IP address + port +
protocol. However, this is insufficient for secure transport since it
lacks remote hostname authentication. Suppose we have created a TLS
connection to `sip.foo.com`, which has an IP address `100.1.1.1`. If we
want to create a TLS connection to another hostname, say `sip.bar.com`,
which has the same IP address, then it will reuse that existing
connection, even though `100.1.1.1` does not have certificate to
authenticate as `sip.bar.com`. The vulnerability allows for an insecure
interaction without user awareness. It affects users who need access to
connections to different destinations that translate to the same
address, and allows man-in-the-middle attack if attacker can route a
connection to another destination such as in the case of DNS spoofing.

Upstream has not made a release yet, I advise we wait for a release on
their end then upgrade. To be monitored.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBJgNIACgkQRaix6GvN
EKYxFw/9H/2BJfiCi6twICf11VD7movJWgvtCQdUT5Ck0wGyUGmS3y/BZjqRm8Rk
TegKFZLDYSva4un+yHayfSVjNtUpqxD7ndqcybypPmEkBbDHvWpon74ERAU0ARWF
MHIUAhILJ0U477fYNHT8VljuYV1lrQAVgP/ci7XppMkQ+n2xQf2pm21SyDKt/DfX
gSRf4gwU9ogySUWJh9U5Dnf7/msE4MGQyY1WwmifBfDjkqkin8tugyG8k2+IatZj
cr7BUvVRQiIp3i0z0oc+MXf8ShSk4FYqQrr+TuTO69WkydpykgxAUAngDIcEZx+W
2sVelSpXZfy8sfVoWcWOiXoe5KZdDPUa1oQK60gH9WY119dCF/VSAnjBdXVjrRYh
0VNMLz72iT6xpVo0OJ6UBl1qEahD/3PXqIB2pyHEjZ6RORCetjhSBmPtHUVg03Yp
otF/aBkx6Fqu1Ij+IyXNMxtxd3EcjnOMx7ACixGWh5rDxWIrLgMT0SXBclw/kIso
n+fUZ6k9245RGDwzUzeWyvI/+D12wNgQl91LOgjeYgiFhKrOith1r0AqfUxMOru/
JybuxwqQMkZvU7Er9DRpD+E5NU1JGHAWPXdK9Dp4y8canddi6e0pzvGZyg7oKNKG
LgD0AUp+UqNRsUWGXWbaVDiRsMDLNfjLWnziK04mInqHbF3QodA=
=RLmN
-----END PGP SIGNATURE-----

-------------------- End of forwarded message --------------------
L
L
Ludovic Courtès wrote on 15 Mar 2021 14:43
control message for bug #47143
(address . control@debbugs.gnu.org)
87pn00h6sa.fsf@gnu.org
tags 47143 + security
quit
L
L
Leo Famulari wrote on 24 Mar 2021 05:06
(no subject)
(address . control@debbugs.gnu.org)
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
L
L
Léo Le Bouter wrote on 5 Apr 2021 23:01
pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260
(address . 47143-done@debbugs.gnu.org)
eb9440ae24c7f5db8707dd123a234b6effb99a3a.camel@zaclys.net
upstream released 2.11 which fixed the issue.

Update to 2.11 pushed as 45136b3673bcdba21fa0d1fd6edb3d388a645fcc
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBrep0ACgkQRaix6GvN
EKbpQg//fqm0XezwpgoijePIlCPt5bLJCJhdtskIGjwHLKJ4qUpLkCp4olz4e+k0
MgFpamaN14MscMClGA3z296L7rLxbxb6ZwccOephiYbA/7JHMwu01WJ7n0Hqxe8y
aMRuk4qBiKoccrXO04/76sCAzaZJzsV4lXMIWApxd5JGWh1DY2LBA0sHA9qjdnw8
aoG1QVCHdy3Vgs4CJCNEvvbOQukO8V5KVKhTa5IdKfCQwNm1IYmX5+RmJ12E1Ce1
Vs83jWFSl1yfUTThlTBCLiHBE7l4EYE/3bnlLxEd55p6952NIDNRNRwuQbpE/2Yk
nd/aQPPVgREVeBxEydvRxU1jHJWuORqjKfUeb0IXcDPBpETpVU8X8FwIeoVXhu4a
dS9tXumKJ3BG7JXfcCsSgiSENsxIeKcrATDV/HMYTLm4ouQEm7L6BzEz2201xDzq
T9+7ioJY9vuy/bTJQx//zzoFUpJXYm1aa5OT0m8/zG59ONMM0OnltIcOLMluf7Rw
d89pCNfYuq+Up9mAl9cssdvfXiRtf7XyPobaL+XLNX6lnDH7ys1zPf3dmQticze8
2LgdEFmNmC+jmtH39og23wQSi55jYNbeElkghfVkbVJtR7tf2yKHAl2NIMI1CJVK
kkb9rBkJJVBM17CVGYpLW9kSTiOBcZ/z4HgvfAwRw5y7IGyLmXs=
=YXjl
-----END PGP SIGNATURE-----


Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 47143@debbugs.gnu.org