Source: ring
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ring.

CVE-2021-32686[0]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1,
| there are a couple of issues found in the SSL socket. First, a race
| condition between callback and destroy, due to the accepted socket
| having no group lock. Second, the SSL socket parent/listener may get
| destroyed during handshake. Both issues were reported to happen
| intermittently in heavy load TLS connections. They cause a crash,
| resulting in a denial of service. These are fixed in version 2.11.1.

https://downloads.asterisk.org/pub/security/AST-2021-009.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
https://github.com/pjsip/pjproject/pull/2716

CVE-2021-37706[1]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the
| incoming STUN message contains an ERROR-CODE attribute, the header
| length is not checked before performing a subtraction operation,
| potentially resulting in an integer underflow scenario. This issue
| affects all users that use STUN. A malicious actor located within the
| victim’s network may forge and send a specially crafted UDP
| (STUN) message that could remotely execute arbitrary code on the
| victim’s machine. Users are advised to upgrade as soon as
| possible. There are no known workarounds.

https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-004.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865

CVE-2022-21723[2]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior,
| parsing an incoming SIP message that contains a malformed multipart
| can potentially cause out-of-bound read access. This issue affects all
| PJSIP users that accept SIP multipart. The patch is available as
| commit in the `master` branch. There are no known workarounds.

https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-006.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm
https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896

CVE-2022-23608[3]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including
| 2.11.1 when in a dialog set (or forking) scenario, a hash key shared
| by multiple UAC dialogs can potentially be prematurely freed when one
| of the dialogs is destroyed. The issue may cause a dialog set to be
| registered in the hash table multiple times (with different hash keys)
| leading to undefined behavior such as dialog list collision which
| eventually leading to endless loop. A patch is available in commit
| db3235953baa56d2fb0e276ca510fefca751643f which will be included in the
| next release. There are no known workarounds for this issue.

https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-005.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f

CVE-2021-43299[4]:
| Stack overflow in PJSUA API when calling pjsua_player_create. An
| attacker-controlled 'filename' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43300[5]:
| Stack overflow in PJSUA API when calling pjsua_recorder_create. An
| attacker-controlled 'filename' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43301[6]:
| Stack overflow in PJSUA API when calling pjsua_playlist_create. An
| attacker-controlled 'file_names' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43302[7]:
| Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An
| attacker-controlled 'filename' argument may cause an out-of-bounds
| read when the filename is shorter than 4 characters.

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43303[8]:
| Buffer overflow in PJSUA API when calling pjsua_call_dump. An
| attacker-controlled 'buffer' argument may cause a buffer overflow,
| since supplying an output buffer smaller than 128 characters may
| overflow the output buffer, regardless of the 'maxlen' argument
| supplied

https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337

CVE-2021-43804[9]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the
| incoming RTCP BYE message contains a reason's length, this declared
| length is not checked against the actual received packet size,
| potentially resulting in an out-of-bound read access. This issue
| affects all users that use PJMEDIA and RTCP. A malicious actor can
| send a RTCP BYE message with an invalid reason length. Users are
| advised to upgrade as soon as possible. There are no known
| workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9
https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e

CVE-2021-43845[10]:
| PJSIP is a free and open source multimedia communication library. In
| version 2.11.1 and prior, if incoming RTCP XR message contain block,
| the data field is not checked against the received packet size,
| potentially resulting in an out-of-bound read access. This affects all
| users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP
| XR message with an invalid packet size.

https://github.com/pjsip/pjproject/security/advisories/GHSA-r374-qrwv-86hh
https://github.com/pjsip/pjproject/commit/f74c1fc22b760d2a24369aa72c74c4a9ab985859
https://github.com/pjsip/pjproject/pull/2924

CVE-2022-21722[11]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there
| are various cases where it is possible that certain incoming RTP/RTCP
| packets can potentially cause out-of-bound read access. This issue
| affects all users that use PJMEDIA and accept incoming RTP/RTCP. A
| patch is available as a commit in the `master` branch. There are no
| known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36
https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a

CVE-2022-24754[12]:
| PJSIP is a free and open source multimedia communication library
| written in C language. In versions prior to and including 2.12 PJSIP
| there is a stack-buffer overflow vulnerability which only impacts
| PJSIP users who accept hashed digest credentials (credentials with
| data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in
| the master branch of the PJSIP repository and will be included with
| the next release. Users unable to upgrade need to check that the
| hashed digest data length must be equal to `PJSIP_MD5STRLEN` before
| passing to PJSIP.

https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662
https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47

CVE-2022-24763[13]:
| PJSIP is a free and open source multimedia communication library
| written in the C language. Versions 2.12 and prior contain a denial-
| of-service vulnerability that affects PJSIP users that consume PJSIP's
| XML parsing in their apps. Users are advised to update. There are no
| known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21

CVE-2022-24764[14]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.12 and prior contain a stack buffer overflow
| vulnerability that affects PJSUA2 users or users that call the API
| `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do
| not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or
| `pjmedia_sdp_media_print()` should not be affected. A patch is
| available on the `master` branch of the `pjsip/pjproject` GitHub
| repository. There are currently no known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00

CVE-2022-24793[15]:
| PJSIP is a free and open source multimedia communication library
| written in C. A buffer overflow vulnerability in versions 2.12 and
| prior affects applications that uses PJSIP DNS resolution. It doesn't
| affect PJSIP users who utilize an external resolver. A patch is
| available in the `master` branch of the `pjsip/pjproject` GitHub
| repository. A workaround is to disable DNS resolution in PJSIP config
| (by setting `nameserver_count` to zero) or use an external resolver
| instead.

https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32686
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32686
[1] https://security-tracker.debian.org/tracker/CVE-2021-37706
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37706
[2] https://security-tracker.debian.org/tracker/CVE-2022-21723
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21723
[3] https://security-tracker.debian.org/tracker/CVE-2022-23608
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23608
[4] https://security-tracker.debian.org/tracker/CVE-2021-43299
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43299
[5] https://security-tracker.debian.org/tracker/CVE-2021-43300
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43300
[6] https://security-tracker.debian.org/tracker/CVE-2021-43301
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43301
[7] https://security-tracker.debian.org/tracker/CVE-2021-43302
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43302
[8] https://security-tracker.debian.org/tracker/CVE-2021-43303
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43303
[9] https://security-tracker.debian.org/tracker/CVE-2021-43804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43804
[10] https://security-tracker.debian.org/tracker/CVE-2021-43845
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43845
[11] https://security-tracker.debian.org/tracker/CVE-2022-21722
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21722
[12] https://security-tracker.debian.org/tracker/CVE-2022-24754
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24754
[13] https://security-tracker.debian.org/tracker/CVE-2022-24763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24763
[14] https://security-tracker.debian.org/tracker/CVE-2022-24764
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24764
[15] https://security-tracker.debian.org/tracker/CVE-2022-24793
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24793

Please adjust the affected versions in the BTS as needed.
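
Added example, not part of the original report and not pjproject code: the kind of bounds check the CVE-2021-43804 description says was missing, where the reason length declared in an RTCP BYE is compared against the bytes actually received. The packet layout follows RFC 3550 section 6.6; the function name, return codes and sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not pjproject's parser. */
enum { BYE_OK = 0, BYE_TRUNCATED = -1, BYE_BAD_HEADER = -2,
       BYE_BAD_SSRC_COUNT = -3, BYE_BAD_REASON_LEN = -4 };

/* Constructed samples: V=2, SC=1, PT=203, length=2, one SSRC, reason field. */
static const uint8_t GOOD_BYE[] = { 0x81, 0xCB, 0, 2, 1, 2, 3, 4, 3, 'b', 'y', 'e' };
static const uint8_t BAD_BYE[]  = { 0x81, 0xCB, 0, 2, 1, 2, 3, 4, 64, 'b', 'y', 'e' };

/* Validate one RTCP BYE (RFC 3550 section 6.6) held in pkt[0..size). On
 * success the optional reason text is guaranteed to lie inside the packet. */
int parse_rtcp_bye(const uint8_t *pkt, size_t size,
                   const uint8_t **reason, size_t *reason_len)
{
    *reason = NULL;
    *reason_len = 0;
    if (size < 4)
        return BYE_TRUNCATED;
    if ((pkt[0] >> 6) != 2 || pkt[1] != 203)
        return BYE_BAD_HEADER;
    /* The header length field counts 32-bit words minus one. */
    size_t declared = ((size_t)((pkt[2] << 8) | pkt[3]) + 1) * 4;
    if (declared > size)
        return BYE_TRUNCATED;        /* header claims more than was received */
    size_t off = 4 + (size_t)(pkt[0] & 0x1f) * 4;   /* skip the SSRC list */
    if (off > declared)
        return BYE_BAD_SSRC_COUNT;
    if (off == declared)
        return BYE_OK;               /* no reason field present */
    /* One length octet, then the text. Compare the declared length with the
     * bytes left after that octet, so no subtraction can wrap. */
    size_t rlen = pkt[off];
    if (rlen > declared - off - 1)
        return BYE_BAD_REASON_LEN;
    *reason = pkt + off + 1;
    *reason_len = rlen;
    return BYE_OK;
}

int main(void)
{
    const uint8_t *r; size_t n;
    printf("good: %d\n", parse_rtcp_bye(GOOD_BYE, sizeof GOOD_BYE, &r, &n));
    printf("bad:  %d\n", parse_rtcp_bye(BAD_BYE, sizeof BAD_BYE, &r, &n));
    return 0;
}
```

The same ordering (validate the declared length against the remaining bytes before any subtraction or copy) is what the CVE-2021-37706 description says was missing for the STUN ERROR-CODE attribute.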