Package: ring
Version: 20230922.0~ds2-1
Severity: important
Tags: patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

* SECURITY UPDATE: Remote Code Execution
  - debian/patches/CVE-2021-37706.patch: fixed a RCE in PJSIP module
  - CVE-2021-37706

Thanks for considering the patch.

*** /tmp/tmpqqf2a9ke/ring_20230922.0~ds2-1ubuntu1.debdiff diff -Nru ring-20230922.0~ds2/debian/patches/CVE-2021-37706.patch ring-20230922.0~ds2/debian/patches/CVE-2021-37706.patch --- ring-20230922.0~ds2/debian/patches/CVE-2021-37706.patch 1970-01-01 01:00:00.000000000 +0100 +++ ring-20230922.0~ds2/debian/patches/CVE-2021-37706.patch 2023-12-04 10:22:49.000000000 +0100
@@ -0,0 +1,20 @@ +commit 15663e3f37091069b8c98a7fce680dc04bc8e865 +Author: sauwming <m...@teluu.com> +Date: Tue Aug 10 11:53:25 2021 +0800 + + Merge pull request from GHSA-2qpg-f6wf-w984 + +Index: ./daemon/contrib/tarballs-unpacked/pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333.tar.gz/pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333/pjnath/src/pjnath/stun_msg.c +=================================================================== +--- ring-20190215.1.f152c98~ds1.orig/daemon/contrib/tarballs-unpacked/pjproject-2.8.tar.gz/pjproject-2.8/pjnath/src/pjnath/stun_msg.c 2023-04-16 11:27:08.746997850 +0200 ++++ ./daemon/contrib/tarballs-unpacked/pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333.tar.gz/pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333/pjnath/src/pjnath/stun_msg.c 2023-04-16 11:27:08.746997850 +0200 +@@ -1767,6 +1767,9 @@ + /* Get pointer to the string in the message */ + value.ptr = ((char*)buf + ATTR_HDR_LEN + 4); + value.slen = attr->hdr.length - 4; ++ /* Make sure the length is never negative */ ++ if (value.slen < 0) ++ value.slen = 0; + + /* Copy the string to the attribute */ + pj_strdup(pool, &attr->reason, &value); diff -Nru ring-20230922.0~ds2/debian/patches/series ring-20230922.0~ds2/debian/patches/series --- ring-20230922.0~ds2/debian/patches/series 2023-10-21 19:04:56.000000000 +0200 +++ ring-20230922.0~ds2/debian/patches/series 2023-12-04 10:20:40.000000000 +0100 @@ -3,3 +3,4 @@ 2000-jsoncpp-rename.patch 2010-dont-force-build-pkgs.patch 2020-system-md4c-tidy.patch +CVE-2021-37706.patch
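Review bot: the file headers inside the new debian/patches/CVE-2021-37706.patch do not match the 20230922.0~ds2 source it is being added to: the `---` line names `ring-20190215.1.f152c98~ds1.orig/daemon/contrib/tarballs-unpacked/pjproject-2.8.tar.gz/pjproject-2.8/pjnath/src/pjnath/stun_msg.c` while the `Index:` and `+++` lines name a `pjproject-97f45c2040c2b0cf6f3349a365b0e900a2267333` unpacked tarball under `./daemon/contrib/tarballs-unpacked/`. Please regenerate the patch against the actual pjproject copy shipped in this version and confirm that the `daemon/contrib/tarballs-unpacked/...` path exists at the point in the build where quilt applies the series (if that directory is only created by the contrib unpack step, the patch will not apply at source-unpack time). The code change itself (clamping `value.slen` to 0 when `attr->hdr.length - 4` goes negative) is the minimal upstream fix and is fine as quoted; keep the `commit`/`Author`/`Date` header, but add DEP-3 `Origin:`, `Bug:` and `Last-Update:` fields so the provenance of the upstream change is recorded in the patch file.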
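Review bot: the series entry appends `CVE-2021-37706.patch` after `2020-system-md4c-tidy.patch`, which is correct since it touches a different file, but it breaks the numbered `NNNN-name.patch` convention used by the other three entries; either keep the unnumbered CVE name deliberately (Ubuntu security convention) and say so in the changelog, or give it the next number in the sequence for consistency. Also make sure the debdiff carries the matching debian/changelog entry, since the description above quotes a changelog stanza that is not part of this diff.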