Headline
CVE-2022-24754: Use PJ_ASSERT_RETURN() on pjsip_auth_create_digest() and pjsua_init_t… · pjsip/pjproject@d27f79d
PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type PJSIP_CRED_DATA_DIGEST). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length must be equal to PJSIP_MD5STRLEN before passing to PJSIP.
@@ -160,15 +160,15 @@ static void digestNtoStr(const unsigned char digest[], int n, char *output) * Create response digest based on the parameters and store the * digest ASCII in 'result’. */ PJ_DEF(void) pjsip_auth_create_digest( pj_str_t *result, const pj_str_t *nonce, const pj_str_t *nc, const pj_str_t *cnonce, const pj_str_t *qop, const pj_str_t *uri, const pj_str_t *realm, const pjsip_cred_info *cred_info, const pj_str_t *method) PJ_DEF(pj_status_t) pjsip_auth_create_digest( pj_str_t *result, const pj_str_t *nonce, const pj_str_t *nc, const pj_str_t *cnonce, const pj_str_t *qop, const pj_str_t *uri, const pj_str_t *realm, const pjsip_cred_info *cred_info, const pj_str_t *method) { char ha1[PJSIP_MD5STRLEN]; char ha2[PJSIP_MD5STRLEN]; @@ -194,10 +194,18 @@ PJ_DEF(void) pjsip_auth_create_digest( pj_str_t *result, digestNtoStr(digest, 16, ha1);
} else if ((cred_info->data_type & PASSWD_MASK) == PJSIP_CRED_DATA_DIGEST) { pj_assert(cred_info->data.slen == 32); if (cred_info->data.slen != 32) { pj_assert(!"Invalid cred_info data length"); pj_bzero(result->ptr, result->slen); result->slen = 0; return PJ_EINVAL; } pj_memcpy( ha1, cred_info->data.ptr, cred_info->data.slen ); } else { pj_assert(!"Invalid data_type"); pj_bzero(result->ptr, result->slen); result->slen = 0; return PJ_EINVAL; }
AUTH_TRACE_((THIS_FILE, " ha1=%.32s", ha1)); @@ -245,14 +253,15 @@ PJ_DEF(void) pjsip_auth_create_digest( pj_str_t *result,
AUTH_TRACE_((THIS_FILE, " digest=%.32s", result->ptr)); AUTH_TRACE_((THIS_FILE, “Digest created”)); return PJ_SUCCESS; }
/* * Create response SHA-256 digest based on the parameters and store the * digest ASCII in 'result’. */ PJ_DEF(void) pjsip_auth_create_digestSHA256(pj_str_t *result, PJ_DEF(pj_status_t) pjsip_auth_create_digestSHA256(pj_str_t *result, const pj_str_t *nonce, const pj_str_t *nc, const pj_str_t *cnonce, @@ -291,10 +300,18 @@ PJ_DEF(void) pjsip_auth_create_digestSHA256(pj_str_t *result,
} else if ((cred_info->data_type & PASSWD_MASK) == PJSIP_CRED_DATA_DIGEST) { pj_assert(cred_info->data.slen == 32); if (cred_info->data.slen != 64) { pj_assert(!"Invalid cred_info data length"); pj_bzero(result->ptr, result->slen); result->slen = 0; return PJ_EINVAL; } pj_memcpy( ha1, cred_info->data.ptr, cred_info->data.slen ); } else { pj_assert(!"Invalid data_type"); pj_bzero(result->ptr, result->slen); result->slen = 0; return PJ_EINVAL; }
AUTH_TRACE_((THIS_FILE, " ha1=%.64s", ha1)); @@ -354,6 +371,7 @@ PJ_DEF(void) pjsip_auth_create_digestSHA256(pj_str_t *result, PJ_UNUSED_ARG(cred_info); PJ_UNUSED_ARG(method); #endif return PJ_SUCCESS; }
@@ -408,6 +426,7 @@ static pj_status_t respond_digest( pj_pool_t *pool, { const pj_str_t pjsip_AKAv1_MD5_STR = { "AKAv1-MD5", 9 }; pj_bool_t algo_sha256 = PJ_FALSE; pj_status_t status = PJ_SUCCESS;
/* Check if algo is sha256 */ #if PJSIP_AUTH_HAS_DIGEST_SHA256 @@ -452,14 +471,14 @@ static pj_status_t respond_digest( pj_pool_t *pool, else { /* Convert digest to string and store in chal->response. */ if (algo_sha256) { pjsip_auth_create_digestSHA256( status = pjsip_auth_create_digestSHA256( &cred->response, &cred->nonce, NULL, NULL, NULL, uri, &chal->realm, cred_info, method); } else { pjsip_auth_create_digest( &cred->response, &cred->nonce, NULL, NULL, NULL, uri, &chal->realm, cred_info, method); status = pjsip_auth_create_digest( &cred->response, &cred->nonce, NULL, NULL, NULL, uri, &chal->realm, cred_info, method); } }
@@ -486,18 +505,18 @@ static pj_status_t respond_digest( pj_pool_t *pool, else { /* Convert digest to string and store in chal->response. */ if (algo_sha256) { pjsip_auth_create_digestSHA256( status = pjsip_auth_create_digestSHA256( &cred->response, &cred->nonce, &cred->nc, &cred->cnonce, &pjsip_AUTH_STR, uri, &chal->realm, cred_info, method); } else { pjsip_auth_create_digest( &cred->response, &cred->nonce, &cred->nc, &cred->cnonce, &pjsip_AUTH_STR, uri, &chal->realm, cred_info, method); status = pjsip_auth_create_digest( &cred->response, &cred->nonce, &cred->nc, &cred->cnonce, &pjsip_AUTH_STR, uri, &chal->realm, cred_info, method); } }
@@ -508,7 +527,7 @@ static pj_status_t respond_digest( pj_pool_t *pool, return PJSIP_EINVALIDQOP; }
return PJ_SUCCESS; return status; }
#if defined(PJSIP_AUTH_QOP_SUPPORT) && PJSIP_AUTH_QOP_SUPPORT!=0
Related news
Ubuntu Security Notice 6422-2 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6422-1 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Gentoo Linux Security Advisory 202210-37 - Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. Versions less than 2.12.1 are affected.