CVE-2021-43302

Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled ‘filename’ argument may cause an out-of-bounds read when the filename is shorter than 4 characters.


Buffers used in PJSIP typically have limited sizes, especially those allocated on the stack or supplied by the application. However, in several places the code did not check whether its usage could exceed those sizes.

Impact

This could cause a buffer overflow and impact applications that use the following APIs:

  • pjsua_player_create(filename, …)
  • pjsua_recorder_create(filename, …)
  • pjmedia_wav_playlist_create(…, file_list, …)

In all of the above APIs, issues arise if the application supplies a filename longer than the internal buffer's size. Specifically for pjsua_recorder_create(), an out-of-bounds read can also happen if the application supplies a short filename (fewer than 4 characters), because the extension check reads the last 4 bytes of the name.

The issue also affects applications that call:

  • pjsua_call_dump(…, buffer, maxlen)
    and supply buffer that is too short.

Patches

The patch is available as commit d979253 in the master branch.

Workarounds

A workaround is for the application to validate the parameters' lengths (the filenames, each entry of the playlist's file list, and the dump buffer's maxlen) before calling the above APIs: reject filenames shorter than 4 characters or longer than the buffer the API copies them into, and only pass a dump buffer that is really maxlen bytes long.
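The following C program is an added example of the caller-side checks described in the Impact and Workarounds sections; it is not PJSIP's code. The buffer limit EXAMPLE_MAX_PATH, the helper names and the sample filenames are assumptions chosen for the example (a real caller would use the size of the buffer the API actually writes into). It covers the three cases the advisory lists: a name too short for the ".wav" suffix check, a name too long for the internal buffer, and a playlist whose entries each need the same check.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative limit, not a PJSIP constant: stands in for the size of the
 * internal path buffer that pjsua_player_create() / pjsua_recorder_create()
 * copy the filename into. */
#define EXAMPLE_MAX_PATH 128

/* Result codes of the pre-call checks (example-only names). */
enum {
    CHECK_OK        = 0,
    CHECK_TOO_SHORT = -1,   /* would trigger the out-of-bounds read */
    CHECK_TOO_LONG  = -2,   /* would overflow the internal buffer */
    CHECK_BAD_EXT   = -3    /* not a .wav name */
};

/* Case-insensitive ".wav" suffix check. The `len < 4` guard is the point:
 * without it, `name + len - 4` points before the start of the buffer for
 * names shorter than 4 bytes, which is the advisory's OOB-read case. */
static int has_wav_suffix(const char *name, size_t len)
{
    if (len < 4)
        return 0;
    const char *ext = name + len - 4;
    return ext[0] == '.' &&
           tolower((unsigned char)ext[1]) == 'w' &&
           tolower((unsigned char)ext[2]) == 'a' &&
           tolower((unsigned char)ext[3]) == 'v';
}

/* Validate one filename against the buffer size it will be copied into.
 * `buf_size` counts the terminating NUL, so a name of buf_size-1 chars fits. */
int check_wav_filename(const char *name, size_t buf_size)
{
    size_t len = strlen(name);
    if (len < 4)
        return CHECK_TOO_SHORT;
    if (len + 1 > buf_size)
        return CHECK_TOO_LONG;
    if (!has_wav_suffix(name, len))
        return CHECK_BAD_EXT;
    return CHECK_OK;
}

/* Validate every entry of a playlist before pjmedia_wav_playlist_create():
 * returns -1 if all entries pass, otherwise the index of the first bad one. */
int check_file_list(const char *const *files, size_t count, size_t buf_size)
{
    for (size_t i = 0; i < count; i++) {
        if (check_wav_filename(files[i], buf_size) != CHECK_OK)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inputs: the short name is the OOB-read case, the
     * long name is the overflow case. */
    const char *short_name = "wav";
    char long_name[EXAMPLE_MAX_PATH + 8];
    memset(long_name, 'a', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';
    memcpy(long_name + sizeof(long_name) - 5, ".wav", 4);

    const char *inputs[] = { "call.wav", short_name, long_name, "notes.txt" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int rc = check_wav_filename(inputs[i], EXAMPLE_MAX_PATH);
        printf("%-10.10s -> %d\n", inputs[i], rc);
        /* Only on CHECK_OK would the real code go on to call
         * pjsua_recorder_create() / pjsua_player_create(). */
    }

    const char *const playlist[] = { "a.wav", "b.wav", "c" };
    printf("first bad playlist entry: %d\n",
           check_file_list(playlist, 3, EXAMPLE_MAX_PATH));
    return 0;
}
```

The same idea applies to pjsua_call_dump(): pass a maxlen that is no larger than the buffer you actually allocated, never a constant that is larger than the array behind the pointer.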

Credits

Thanks to Uriya Yavnieli of the JFrog Security research team for the report.

For more information

If you have any questions or comments about this advisory:
Email us at [email protected]

Related news

Ubuntu Security Notice USN-6422-2

Ubuntu Security Notice 6422-2 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

Ubuntu Security Notice USN-6422-1

Ubuntu Security Notice 6422-1 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

Debian Security Advisory 5285-1

Debian Linux Security Advisory 5285-1 - Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.
