| Summary: | pjproject: Race condition in SSL socket server (CVE-2021-32686) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Jani Välimaa <jani.valimaa> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, jani.valimaa, mageia, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | pjproject-2.10-5.2.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
Jani Välimaa
2021-08-01 11:32:00 CEST
Fixed in cauldron with pjproject-2.11.1-1.mga9. Cauldron's jami-daemon bundles pjproject 2.11. It's now fixed and bundled pjproject is updated to 2.11.1. Mga8's jami-daemon uses system pjproject ATM.
Nicolas Lécureuil
2021-08-01 20:48:56 CEST
CC: (none) => mageia

patch for this CVE added in mga8 package

src:
- pjproject-2.10-5.3.mga8

CC: (none) => jani.valimaa

libpjproject2-2.10-5.3.mga8
pjsua-2.10-5.3.mga8
libpjproject-devel-2.10-5.3.mga8

from pjproject-2.10-5.3.mga8.src.rpm

mga8, x64

The vulnerability assigned to CVE-2021-32686 is noted as difficult to exploit and no PoC is available. The packages provide support for PJSIP which implements SIP, SDP, RTP, STUN and ICE. No idea how to go about testing them.

```
$ urpmq --whatrequires lib64pjproject2 | sort -u
lib64jami9
lib64pjproject2
lib64pjproject-devel
pjsua
```

A recursive search turns up more jami components, which seems to be a GNOME project, formerly GNU Ring.

Running pjsua at the cli shows:

```
+=============================================================================+
| Call Commands: | Buddy, IM & Presence: | Account: |
| | | |
| m Make new call | +b Add new buddy .| +a Add new accnt |
| M Make multiple calls | -b Delete buddy | -a Delete accnt. |
| a Answer call | i Send IM | !a Modify accnt. |
......
You have 0 active call
>>> q
......
14:17:02.073 sip_endpoint.c .Endpoint 0x1a4cce8 destroyed
14:17:02.073 pjsua_core.c .PJSUA state changed: CLOSING --> NULL
14:17:02.073 pjsua_core.c .PJSUA destroyed...
```

Manual at https://www.pjsip.org/pjsua.htm

Updated the three packages using qarepo/MageiaUpdate.

```
$ pjsua
......
You have 0 active call
>>> m
(You currently have 0 calls)
Buddy list:
-none-
Choices:
0 For current dialog.
-1 All 0 buddies in buddy list
[1 - 0] Select from buddy list
URL An URL
<Enter> Empty input (or 'q') to cancel
Make call:
```

No buddies online so that is as far as this goes.
The trace does show:

```
openat(AT_FDCWD, "/lib64/libpjsua.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpjsip-simple.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpjsip.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpjmedia.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpjlib-util.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpj.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpjsip-ua.so.2", O_RDONLY|O_CLOEXEC) = 3
....
```

but no sign of pjproject. Going to have to leave it there. Cannot say definitely that it is working but it appears to be. Giving it a tentative OK.

CC: (none) => tarazed25

Validating.

Keywords: (none) => validated_update
Thomas Backlund
2021-12-19 12:41:12 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0559.html

Resolution: (none) => FIXED

Upstream advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr