CVE-2022-39269: Merge pull request from GHSA-wx5m-cj97-4wwg · pjsip/pjproject@d2acb9a
PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.
@@ -1531,13 +1531,14 @@ static void srtp_rtp_cb(pjmedia_tp_cb_param *param)
pjmedia_srtp_crypto tx, rx;
pj_status_t status;
tx = srtp->tx_policy;
rx = srtp->rx_policy;
/* Stop SRTP first, otherwise srtp_start() will maintain current
* roll-over counter.
*/
pjmedia_transport_srtp_stop((pjmedia_transport*)srtp);
tx = srtp->tx_policy;
rx = srtp->rx_policy;
status = pjmedia_transport_srtp_start((pjmedia_transport*)srtp,
&tx, &rx);
if (status != PJ_SUCCESS) {
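Review bot: the copy of `srtp->tx_policy` / `srtp->rx_policy` into the locals `tx` / `rx` moves from before `pjmedia_transport_srtp_stop()` to after it, but the only comment in the hunk explains why stop() must precede start() (the roll-over counter), not why the policies must be read after the stop; extend that comment with one line stating that the locals are deliberately taken after the stop so that `pjmedia_transport_srtp_start()` receives the policy values in force at restart, otherwise a later tidy-up could move the two assignments back up and silently reintroduce the GHSA-wx5m-cj97-4wwg behaviour. Two smaller points: the hunk ends at `if (status != PJ_SUCCESS) {` with the failure branch cut off, so please confirm that a failed restart leaves the transport in a state where media is not passed as plain RTP rather than falling through; and a regression test that triggers an SRTP restart and asserts that the transport is still protecting media afterwards would pin the fix down.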
Related news
Debian Linux Security Advisory 5358-1 - Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for launching a denial of service attack or the execution of arbitrary code.
Gentoo Linux Security Advisory 202210-37 - Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. Versions less than 2.12.1 are affected.