Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-24754: Use PJ_ASSERT_RETURN() on pjsip_auth_create_digest() and pjsua_init_t… · pjsip/pjproject@d27f79d

PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type PJSIP_CRED_DATA_DIGEST). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length must be equal to PJSIP_MD5STRLEN before passing to PJSIP.

CVE
Open in Source
#vulnerability#js

@@ -160,15 +160,15 @@ static void digestNtoStr(const unsigned char digest[], int n, char *output) * Create response digest based on the parameters and store the * digest ASCII in 'result’. */ PJ_DEF(void) pjsip_auth_create_digest( pj_str_t *result, const pj_str_t *nonce, const pj_str_t *nc, const pj_str_t *cnonce, const pj_str_t *qop, const pj_str_t *uri, const pj_str_t *realm, const pjsip_cred_info *cred_info, const pj_str_t *method) PJ_DEF(pj_status_t) pjsip_auth_create_digest( pj_str_t *result, const pj_str_t *nonce, const pj_str_t *nc, const pj_str_t *cnonce, const pj_str_t *qop, const pj_str_t *uri, const pj_str_t *realm, const pjsip_cred_info *cred_info, const pj_str_t *method) { char ha1[PJSIP_MD5STRLEN]; char ha2[PJSIP_MD5STRLEN]; @@ -194,10 +194,18 @@ PJ_DEF(void) pjsip_auth_create_digest( pj_str_t *result, digestNtoStr(digest, 16, ha1);
} else if ((cred_info->data_type & PASSWD_MASK) == PJSIP_CRED_DATA_DIGEST) { pj_assert(cred_info->data.slen == 32); if (cred_info->data.slen != 32) { pj_assert(!"Invalid cred_info data length"); pj_bzero(result->ptr, result->slen); result->slen = 0; return PJ_EINVAL; } pj_memcpy( ha1, cred_info->data.ptr, cred_info->data.slen ); } else { pj_assert(!"Invalid data_type"); pj_bzero(result->ptr, result->slen); result->slen = 0; return PJ_EINVAL; }
AUTH_TRACE_((THIS_FILE, " ha1=%.32s", ha1)); @@ -245,14 +253,15 @@ PJ_DEF(void) pjsip_auth_create_digest( pj_str_t *result,
AUTH_TRACE_((THIS_FILE, " digest=%.32s", result->ptr)); AUTH_TRACE_((THIS_FILE, “Digest created”)); return PJ_SUCCESS; }

/* * Create response SHA-256 digest based on the parameters and store the * digest ASCII in 'result’. */ PJ_DEF(void) pjsip_auth_create_digestSHA256(pj_str_t *result, PJ_DEF(pj_status_t) pjsip_auth_create_digestSHA256(pj_str_t *result, const pj_str_t *nonce, const pj_str_t *nc, const pj_str_t *cnonce, @@ -291,10 +300,18 @@ PJ_DEF(void) pjsip_auth_create_digestSHA256(pj_str_t *result,
} else if ((cred_info->data_type & PASSWD_MASK) == PJSIP_CRED_DATA_DIGEST) { pj_assert(cred_info->data.slen == 32); if (cred_info->data.slen != 64) { pj_assert(!"Invalid cred_info data length"); pj_bzero(result->ptr, result->slen); result->slen = 0; return PJ_EINVAL; } pj_memcpy( ha1, cred_info->data.ptr, cred_info->data.slen ); } else { pj_assert(!"Invalid data_type"); pj_bzero(result->ptr, result->slen); result->slen = 0; return PJ_EINVAL; }
AUTH_TRACE_((THIS_FILE, " ha1=%.64s", ha1)); @@ -354,6 +371,7 @@ PJ_DEF(void) pjsip_auth_create_digestSHA256(pj_str_t *result, PJ_UNUSED_ARG(cred_info); PJ_UNUSED_ARG(method); #endif return PJ_SUCCESS; }

@@ -408,6 +426,7 @@ static pj_status_t respond_digest( pj_pool_t *pool, { const pj_str_t pjsip_AKAv1_MD5_STR = { "AKAv1-MD5", 9 }; pj_bool_t algo_sha256 = PJ_FALSE; pj_status_t status = PJ_SUCCESS;
/* Check if algo is sha256 */ #if PJSIP_AUTH_HAS_DIGEST_SHA256 @@ -452,14 +471,14 @@ static pj_status_t respond_digest( pj_pool_t *pool, else { /* Convert digest to string and store in chal->response. */ if (algo_sha256) { pjsip_auth_create_digestSHA256( status = pjsip_auth_create_digestSHA256( &cred->response, &cred->nonce, NULL, NULL, NULL, uri, &chal->realm, cred_info, method); } else { pjsip_auth_create_digest( &cred->response, &cred->nonce, NULL, NULL, NULL, uri, &chal->realm, cred_info, method); status = pjsip_auth_create_digest( &cred->response, &cred->nonce, NULL, NULL, NULL, uri, &chal->realm, cred_info, method); } }
@@ -486,18 +505,18 @@ static pj_status_t respond_digest( pj_pool_t *pool, else { /* Convert digest to string and store in chal->response. */ if (algo_sha256) { pjsip_auth_create_digestSHA256( status = pjsip_auth_create_digestSHA256( &cred->response, &cred->nonce, &cred->nc, &cred->cnonce, &pjsip_AUTH_STR, uri, &chal->realm, cred_info, method); } else { pjsip_auth_create_digest( &cred->response, &cred->nonce, &cred->nc, &cred->cnonce, &pjsip_AUTH_STR, uri, &chal->realm, cred_info, method); status = pjsip_auth_create_digest( &cred->response, &cred->nonce, &cred->nc, &cred->cnonce, &pjsip_AUTH_STR, uri, &chal->realm, cred_info, method); } }
@@ -508,7 +527,7 @@ static pj_status_t respond_digest( pj_pool_t *pool, return PJSIP_EINVALIDQOP; }
return PJ_SUCCESS; return status; }
#if defined(PJSIP_AUTH_QOP_SUPPORT) && PJSIP_AUTH_QOP_SUPPORT!=0

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE