Headline
CVE-2022-31003: Merge pull request from GHSA-8w5j-6g2j-pxcp · freeswitch/sofia-sip@907f2ac
Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, when parsing each line of an SDP message, rest = record + 2 will access the memory behind \0 and cause an out-of-bounds write. An attacker can send a message with evil SDP to FreeSWITCH, causing a crash or more serious consequences, such as remote code execution. Version 1.13.8 contains a patch for this issue.
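The length condition described above, as an added example that is not code from sofia-sip or from the original page. The helper name split_sdp_record, its return convention and the whitespace set are assumptions made for illustration; it shows why a record shorter than two bytes must be rejected before record + 2 is formed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not part of sofia-sip): split one SDP record of the
 * form "<type>=<value>" into its type character and value.
 * Returns 0 on success, -1 if the record is too short or malformed. */
static int split_sdp_record(const char *record, char *field, const char **rest)
{
    static const char strip[] = " \t";   /* assumed whitespace set */

    if (record == NULL || field == NULL || rest == NULL)
        return -1;

    /* Check the first two bytes one at a time. For "" or "v" the terminator
     * sits at index 0 or 1, so record + 2 would already be past it. */
    if (record[0] == '\0' || record[1] == '\0')
        return -1;

    if (record[1] != '=')
        return -1;

    *field = record[0];
    *rest = record + 2;               /* at worst points at the terminator */
    *rest += strspn(*rest, strip);    /* strspn stops at '\0' */
    return 0;
}

int main(void)
{
    /* Constructed sample records, including the short ones */
    const char *samples[] = { "v=0", "s= call", "v", "", "v0", "a=" };
    char field;
    const char *rest;
    int ok = 0;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        ok += (split_sdp_record(samples[i], &field, &rest) == 0);

    return ok == 3 ? 0 : 1;           /* three of the six records are valid */
}
```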
@@ -396,6 +396,10 @@ static void parse_message(sdp_parser_t *p)
record = next(&message, CRLF, strip)) {
field = record[0];
if (strlen(record) < 2) {
return;
}
rest = record + 2; rest += strspn(rest, strip);
if (record[1] != ‘=’) {
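Review bot: the bare return in the new strlen(record) < 2 branch of parse_message ends parsing of the whole message without recording any error on p in the lines shown, so a caller cannot tell a truncated record from a clean end of input. Consider reporting a parse error through p before returning, or skipping only the short record, and add a regression test that feeds a one-character line.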
@@ -1763,6 +1767,10 @@ static void parse_descs(sdp_parser_t *p,
record = next(&message, CRLF, strip)) {
char field = record[0];
if (strlen(record) < 2) {
return;
}
rest = record + 2; rest += strspn(rest, strip);
if (record[1] == ‘=’) switch (field) {
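Review bot: the guard in parse_descs is a copy of the one in parse_message, and strlen(record) walks the entire record when only its first two bytes matter. A single shared check such as record[0] == '\0' || record[1] == '\0' would keep the two loops from drifting apart. The return here also drops any remaining media description lines silently, which deserves a comment or an error report.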
Related news
Debian Linux Security Advisory 5410-1 - Multiple security issues were discovered in Sofia-SIP, a SIP User-Agent library, which could result in denial of service.
Ubuntu Security Notice 5932-1 - It was discovered that Sofia-SIP incorrectly handled specially crafted SDP packets. A remote attacker could use this issue to cause applications using Sofia-SIP to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Sofia-SIP incorrectly handled specially crafted UDP packets. A remote attacker could use this issue to cause applications using Sofia-SIP to crash, leading to a denial of service.