pjproject: CVE-2017-9372: AST-2017-002: Buffer Overrun in PJSIP transaction layer

Related Vulnerabilities: CVE-2017-9372  

Debian Bug report logs - #863901

Reported by: Bernhard Schmidt <berni@debian.org>

Date: Thu, 1 Jun 2017 19:06:02 UTC

Severity: critical

Tags: patch, security, upstream

Found in versions pjproject/2.1.0.0.ast20130823-1, pjproject/2.5.5~dfsg-5

Fixed in versions pjproject/2.5.5~dfsg-6, pjproject/2.1.0.0.ast20130823-1+deb8u1

Done: Bernhard Schmidt <berni@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#863901; Package src:pjproject. (Thu, 01 Jun 2017 19:06:04 GMT)


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 01 Jun 2017 19:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: AST-2017-002: Buffer Overrun in PJSIP transaction layer
Date: Thu, 01 Jun 2017 21:03:39 +0200
Package: src:pjproject
Version: 2.5.5~dfsg-5
Severity: critical
Tags: security patch

The following security advisory has been announced by the Asterisk project
for the third party pjproject library. A patch is available.


               Asterisk Project Security Advisory - AST-2017-002

         Product        Asterisk                                              
         Summary        Buffer Overrun in PJSIP transaction layer             
    Nature of Advisory  Buffer Overrun/Crash                                  
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Critical                                              
      Exploits Known    No                                                    
       Reported On      12 April, 2017                                        
       Reported By      Sandro Gauci                                          
        Posted On       
     Last Updated On    April 13, 2017                                        
     Advisory Contact   Mark Michelson <mark DOT michelson AT digium DOT      
                        com>                                                  
         CVE Name       

    Description  A remote crash can be triggered by sending a SIP packet to   
                 Asterisk with a specially crafted CSeq header and a Via      
                 header with no branch parameter. The issue is that the       
                 PJSIP RFC 2543 transaction key generation algorithm does     
                 not allocate a large enough buffer. By overrunning the       
                 buffer, the memory allocation table becomes corrupted,       
                 leading to an eventual crash.                                
                                                                              
                 This issue is in PJSIP, and so the issue can be fixed        
                 without performing an upgrade of Asterisk at all. However,   
                 we are releasing a new version of Asterisk with the bundled  
                 PJProject updated to include the fix.                        
                                                                              
                 If you are running Asterisk with chan_sip, this issue does   
                 not affect you.                                              

    Resolution  A patch created by the Asterisk team has been submitted and   
                accepted by the PJProject maintainers.                        

                               Affected Versions       
                         Product                       Release  
                                                       Series   
                  Asterisk Open Source                  11.x    Unaffected    
                  Asterisk Open Source                  13.x    All versions  
                  Asterisk Open Source                  14.x    All versions  
                   Certified Asterisk                   13.13   All versions  

                                  Corrected In               
                            Product                              Release      
                     Asterisk Open Source                    13.15.1, 14.4.1  
                      Certified Asterisk                       13.13-cert4    

                                    Patches
                 SVN URL                              Revision                

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-26938             

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2017-002.pdf and             
    http://downloads.digium.com/pub/security/AST-2017-002.html                

                                Revision History
         Date           Editor                   Revisions Made               
    12 April, 2017  Mark Michelson  Initial report created                    

               Asterisk Project Security Advisory - AST-2017-002
              Copyright (c) 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
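
A defender-side check for the message shape the advisory describes, as an added example that is not part of the advisory or of pjproject: it flags SIP messages whose topmost Via has no RFC 3261 branch parameter or whose CSeq falls outside RFC 3261's limits. The advisory does not say what makes the CSeq "specially crafted", so the CSeq rule is an assumption; the sample messages and finding names are constructed.

```python
import re

BRANCH_COOKIE = "z9hG4bK"   # RFC 3261 section 8.1.1.7 magic cookie
CSEQ_MAX = 2**31 - 1        # RFC 3261 section 8.1.1.5: must be below 2**31

def sip_headers(raw: bytes):
    """Return [(lowercased name, value)] from the header section, unfolding folded lines."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    head = re.sub(r"\r\n[ \t]+", " ", head)
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def findings(raw: bytes):
    """Return a list of finding names (hypothetical labels) for one SIP message."""
    hdrs, out = sip_headers(raw), []
    vias = [v for n, v in hdrs if n in ("via", "v")]   # "v" is the compact form
    if not vias:
        out.append("via-missing")
    else:
        top = vias[0].split(",")[0]                     # topmost Via value only
        params = {k.strip().lower(): v.strip()
                  for k, _, v in (p.partition("=") for p in top.split(";")[1:])}
        branch = params.get("branch")
        if branch is None:
            out.append("via-no-branch")                 # the case named in the advisory
        elif not branch.startswith(BRANCH_COOKIE):
            out.append("via-branch-no-cookie")          # pre-RFC 3261 style branch
    cseqs = [v for n, v in hdrs if n == "cseq"]
    if len(cseqs) != 1:
        out.append("cseq-count")
    else:
        m = re.fullmatch(r"(\d+)[ \t]+(\S+)", cseqs[0])
        if m is None:
            out.append("cseq-malformed")
        # Length check first so an absurdly long digit run is never converted.
        elif len(m.group(1).lstrip("0")) > 10 or int(m.group(1)) > CSEQ_MAX:
            out.append("cseq-out-of-range")
    return out

# Constructed sample messages (documentation addresses, not captured traffic).
SAMPLE_OK = (b"OPTIONS sip:bob@example.test SIP/2.0\r\n"
             b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc123\r\n"
             b"CSeq: 1 OPTIONS\r\nCall-ID: c1@192.0.2.10\r\n\r\n")
SAMPLE_SUSPECT = (b"OPTIONS sip:bob@example.test SIP/2.0\r\n"
                  b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
                  b"CSeq: 99999999999999999999 OPTIONS\r\nCall-ID: c2@192.0.2.10\r\n\r\n")
```

A Via without a branch is legal for RFC 2543 peers, so on networks with old endpoints treat these findings as triage signals rather than block rules.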



Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Fri, 02 Jun 2017 09:06:16 GMT)


Notification sent to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer. (Fri, 02 Jun 2017 09:06:16 GMT)


Message #10 received at 863901-close@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: 863901-close@bugs.debian.org
Subject: Bug#863901: fixed in pjproject 2.5.5~dfsg-6
Date: Fri, 02 Jun 2017 09:04:08 +0000
Source: pjproject
Source-Version: 2.5.5~dfsg-6

We believe that the bug you reported is fixed in the latest version of
pjproject, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863901@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated pjproject package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 02 Jun 2017 08:59:42 +0200
Source: pjproject
Binary: libpjlib-util2 libpjmedia-audiodev2 libpjmedia-codec2 libpjmedia-videodev2 libpjmedia2 libpjnath4 libpjsip-simple2 libpjsip-ua2 libpjsip2 libpjsua2 libpjsua2-2v5 libpj2 libpjproject-dev python-pjproject
Architecture: source
Version: 2.5.5~dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 libpj2     - PJ Project - PJProject core libraries
 libpjlib-util2 - PJ Project - helper utilities
 libpjmedia-audiodev2 - PJ Project - Audio devices
 libpjmedia-codec2 - PJ Project - Multimedia codecs handling
 libpjmedia-videodev2 - SIP handling library - video devices
 libpjmedia2 - PJ Project - VoIP media
 libpjnath4 - PJ Project - NAT handling
 libpjproject-dev - PJ Project - development headers
 libpjsip-simple2 - PJ Project - SIP SIMPLE instant messaging
 libpjsip-ua2 - SIP handling library - SIP user agent library
 libpjsip2  - PJ Project - SIP handling library
 libpjsua2  - PJ Project - Basic VoIP client library
 libpjsua2-2v5 - PJ Project - Basic VoIP client library
 python-pjproject - PJ Project - Python bindings
Closes: 863901 863902
Changes:
 pjproject (2.5.5~dfsg-6) unstable; urgency=high
 .
   [ Tzafrir Cohen ]
   * add security patches published by the Asterisk project
     - AST-2017-002: Buffer Overrun in PJSIP transaction layer
       (Closes: #863901)
     - AST-2017-003: Crash in PJSIP multi-part body parser
       (Closes: #863902)





Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Jun 2017 10:48:02 GMT)


Changed Bug title to 'pjproject: CVE-2017-9372: AST-2017-002: Buffer Overrun in PJSIP transaction layer' from 'AST-2017-002: Buffer Overrun in PJSIP transaction layer'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Jun 2017 12:21:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:25:33 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Aug 2017 03:39:02 GMT)


Marked as found in versions pjproject/2.1.0.0.ast20130823-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Aug 2017 03:39:03 GMT)


Marked as fixed in versions pjproject/2.1.0.0.ast20130823-1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Aug 2017 03:39:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Sep 2017 07:24:43 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:18 2019; Machine Name: buxtehude
