CVE-2022-24793: Merge pull request from GHSA-p6g5-v97c-w5q4 · pjsip/pjproject@9fae8f4

PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn’t affect PJSIP users who utilize an external resolver. A patch is available in the master branch of the pjsip/pjproject GitHub repository. A workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver instead.
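
The patch below tightens the bounds check on DNS name labels. As an added illustration (not PJSIP code and not part of the original page), this self-contained walker applies the same rule by comparing lengths instead of pointers. The function name, status codes and sample packets are assumptions made up for this example, and compression pointers are rejected rather than followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this example (not PJSIP's). */
enum { NAME_OK = 0, NAME_TRUNCATED = -1, NAME_UNSUPPORTED = -2 };

/* Constructed samples: a well-formed name (the string's NUL is the root
 * label), a label running past the end, and a label with no terminator. */
static const uint8_t good[]      = "\3www\7example\3com";
static const uint8_t short_lbl[] = { 5, 'a', 'b' };
static const uint8_t no_term[]   = { 3, 'w', 'w', 'w' };

/* Walk an uncompressed DNS name at p and store its encoded length.
 * max points one past the last valid byte of the packet. */
static int dns_name_len(const uint8_t *p, const uint8_t *max, size_t *out_len)
{
    const uint8_t *start = p;

    for (;;) {
        if (p >= max)                  /* the length octet itself must exist */
            return NAME_TRUNCATED;
        unsigned label_len = *p;
        if (label_len == 0) {          /* zero-length octet ends the name */
            *out_len = (size_t)(p + 1 - start);
            return NAME_OK;
        }
        if (label_len > 63)            /* pointer or reserved label type */
            return NAME_UNSUPPORTED;
        /* Length octet + label bytes + the following length octet must fit.
         * Comparing sizes never forms a pointer beyond the buffer. */
        if ((size_t)(max - p) < 1u + label_len + 1u)
            return NAME_TRUNCATED;
        p += 1 + label_len;
    }
}

int main(void)
{
    size_t n = 0;
    int rc = dns_name_len(good, good + sizeof good, &n);
    printf("good: rc=%d len=%zu\n", rc, n);
    printf("short label: rc=%d\n",
           dns_name_len(short_lbl, short_lbl + sizeof short_lbl, &n));
    printf("no terminator: rc=%d\n",
           dns_name_len(no_term, no_term + sizeof no_term, &n));
    return 0;
}
```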

@@ -159,8 +159,13 @@ static pj_status_t get_name_len(int rec_counter, const pj_uint8_t *pkt,

} else {

unsigned label_len = *p;

/* Check that label length is valid */

if (pkt+label_len > max)

/* Check that label length is valid.

* Each label consists of an octet length (of size 1) followed

* by the octet of the specified length (label_len). Then it

* must be followed by either another label’s octet length or

* a zero length octet (that terminates the sequence).

*/

if (p+1+label_len+1 > max)

return PJLIB_UTIL_EDNSINNAMEPTR;

p += (label_len + 1);
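
Review bot: In get_name_len(), the new test `if (p+1+label_len+1 > max)` builds a pointer before comparing it; when the label runs past the packet, that pointer lies beyond one past the end of the buffer, which C leaves undefined. Comparing the remaining length instead, i.e. checking that (max - p) is at least label_len + 2, states the same bound without forming the out-of-range pointer.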

@@ -170,9 +175,6 @@ static pj_status_t get_name_len(int rec_counter, const pj_uint8_t *pkt,

++label_len;

*name_len += label_len;

if (p >= max)

return PJLIB_UTIL_EDNSINSIZE;

}

}

++p;
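
Review bot: Dropping the `if (p >= max)` test after `*name_len += label_len;` is only safe because the earlier label-length check now guarantees one more octet after every label. That invariant is not stated at this point in the loop, so a short comment here (or a debug assertion that p < max) would keep a later edit to the earlier check from silently reopening the read of `*p` at the top of the next iteration.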

@@ -222,8 +224,13 @@ static pj_status_t get_name(int rec_counter, const pj_uint8_t *pkt,

} else {

unsigned label_len = *p;

/* Check that label length is valid */

if (pkt+label_len > max)

/* Check that label length is valid.

* Each label consists of an octet length (of size 1) followed

* by the octet of the specified length (label_len). Then it

* must be followed by either another label’s octet length or

* a zero length octet (that terminates the sequence).

*/

if (p+1+label_len+1 > max)

return PJLIB_UTIL_EDNSINNAMEPTR;

pj_memcpy(name->ptr + name->slen, p+1, label_len);
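
Review bot: In get_name(), the new check bounds the source of `pj_memcpy(name->ptr + name->slen, p+1, label_len);` but nothing visible in this hunk bounds the destination. The copy relies on the buffer having been sized by get_name_len() under exactly the same label rules, so the duplicated comment and condition should be factored into one shared helper or macro, and the dependency on get_name_len() noted next to the copy, so the two walkers cannot drift apart.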

@@ -234,9 +241,6 @@ static pj_status_t get_name(int rec_counter, const pj_uint8_t *pkt,

*(name->ptr + name->slen) = '.’;

++name->slen;

}

if (p >= max)

return PJLIB_UTIL_EDNSINSIZE;

}

}
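
Review bot: Removing the trailing `if (p >= max)` test in get_name() changes the status reported for a name that ends without a terminator: the removed test returned PJLIB_UTIL_EDNSINSIZE, while the label-length check that now catches the case returns PJLIB_UTIL_EDNSINNAMEPTR. If any caller or log consumer distinguishes the two, mention the change in the commit message or return PJLIB_UTIL_EDNSINSIZE from the new check for the truncation case.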

@@ -269,6 +273,10 @@ static pj_status_t parse_query(pj_dns_parsed_query *q, pj_pool_t *pool,

p = (start + name_part_len);

/* Check the size can accomodate next few fields. */

if (p + 4 > max)

return PJLIB_UTIL_EDNSINSIZE;

/* Get the type */

pj_memcpy(&q->type, p, 2);

q->type = pj_ntohs(q->type);
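
Review bot: In parse_query(), the constant in `if (p + 4 > max)` is unexplained; only the 2-byte read into q->type is visible below it, so the comment should say which fields the 4 octets cover, or the value should be derived from the field sizes. The comment also misspells "accommodate", and the same remaining-length form of comparison would avoid computing `p + 4` past the end of the packet.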

Related news

Ubuntu Security Notice USN-6422-2

Ubuntu Security Notice 6422-2 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

Ubuntu Security Notice USN-6422-1

Ubuntu Security Notice 6422-1 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

Debian Security Advisory 5438-1

Debian Linux Security Advisory 5438-1 - A flaw was found in Asterisk, an Open Source Private Branch Exchange. A buffer overflow vulnerability affects users that use PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record parse_query(), while the issue in CVE-2022-24793 is in parse_rr(). A workaround is to disable DNS resolution in PJSIP config (by setting nameserver_count to zero) or use an external resolver implementation instead.

Debian Security Advisory 5285-1

Debian Linux Security Advisory 5285-1 - Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

Gentoo Linux Security Advisory 202210-37

Gentoo Linux Security Advisory 202210-37 - Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. Versions less than 2.12.1 are affected.
