Bug 21505 - pjproject new security issues CVE-2017-9359 and CVE-2017-9372
Summary: pjproject new security issues CVE-2017-9359 and CVE-2017-9372
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-3...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-08-12 02:52 CEST by David Walser
Modified: 2017-10-18 22:20 CEST (History)
8 users (show)

See Also:
Source RPM: pjproject-2.5.5-4.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-08-12 02:52:06 CEST
Debian has issued an advisory on August 10:
https://www.debian.org/security/2017/dsa-3933

The upstream advisories are here:
http://downloads.asterisk.org/pub/security/AST-2017-002.html
http://downloads.asterisk.org/pub/security/AST-2017-003.html

Our asterisk package in Mageia 5 is not affected.

As for prproject itself, Mageia 5 and Mageia 6 are also affected.
David Walser 2017-08-12 02:52:21 CEST

CC: (none) => geiger.david68210, mageia
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David GEIGER 2017-08-12 09:58:50 CEST
Fixed for Cauldron, mga6 and also mga5!
Comment 2 David Walser 2017-08-12 15:36:39 CEST
Advisory:
========================

Updated pjproject packages fix security vulnerabilities:

Two vulnerabilities were found in the PJSIP/PJProject communication library,
which may result in denial of service (CVE-2017-9359, CVE-2017-9372).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9372
http://downloads.asterisk.org/pub/security/AST-2017-002.html
http://downloads.asterisk.org/pub/security/AST-2017-003.html
https://www.debian.org/security/2017/dsa-3933
========================

Updated packages in core/updates_testing:
========================
libpjproject2-2.3-1.1.mga5
libpjproject-devel-2.3-1.1.mga5
libpjproject2-2.5.5-4.1.mga6
libpjproject-devel-2.5.5-4.1.mga6
pjsua-2.5.5-4.1.mga6
python-pjsua-2.5.5-4.1.mga6

from SRPMS:
pjproject-2.3-1.1.mga5.src.rpm
pjproject-2.5.5-4.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: alien => qa-bugs

Comment 3 Herman Viaene 2017-08-13 12:03:57 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Trying to find out dependencies:
# urpmq --whatrequires-recursive libpjproject2
libpjproject-devel
libpjproject-devel
libpjproject2
libpjproject2
libsflphone1
sflphone-common
sflphone-gnome
sflphone-gnome-plugins
sflphone-kde
sflphone-kde-devel

So installed sflphone-kde. As I have a VOIP connection, tried to create an account with my parameters. But this gives "Status invalid". Firewall is open.
Trace does not show any call to libpjproject2, but nothing seems broken.

CC: (none) => herman.viaene

Comment 4 PC LX 2017-08-19 20:55:32 CEST
To test I installed sflphone-kde since it uses the lib64pjproject2 package.

After installing and configuring a iptel.org account, I made several outgoing (e.g. sip:music@iptel.org) and incoming test calls. All test I tried worked without issues.

I don't normally use sflphone-kde or lib64pjproject2 so I don't know if there are any regressions (e.g. slow(er) connection, audio/video quality).

System: Mageia 5, x86_64, Intel CPU, Plasma, nVidia GPU using proprietary driver nvidia340.

# uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ lspcidrake | grep -i audio                                                                                                                                   
snd_hda_intel   : NVIDIA Corporation|High Definition Audio Controller [MULTIMEDIA_AUDIO_DEV] (rev: a1)
snd_hda_intel   : Intel Corporation|82801JI (ICH10 Family) HD Audio Controller [MULTIMEDIA_AUDIO_DEV]
# urpmi sflphone-kde
<...>
(media "Core Release")
  lib64ccrtp2                    2.1.1        1.mga5        x86_64  
  lib64dbus-c++1_0               0.9.0        7.mga5        x86_64  
  lib64ilbc0                     1.1.1        5.mga5        x86_64  
  lib64sflphone1                 1.4.1        3.mga5        x86_64  
  lib64ucommon7                  6.3.0        1.mga5        x86_64  
  lib64zrtpcpp4                  4.3.1        1.mga5        x86_64  
  sflphone-common                1.4.1        3.mga5        x86_64  
  sflphone-kde                   1.4.1        3.mga5        x86_64  
(media "Core Updates Testing")
  lib64pjproject2                2.3          1.1.mga5      x86_64  
<...>

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => mageia

Lewis Smith 2017-08-20 10:11:11 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK advisory

Comment 5 Herman Viaene 2017-09-01 10:58:27 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
# urpmq --whatrequires-recursive libpjproject2
libpjproject-devel
libpjproject-devel
libpjproject2
libpjproject2
libring-devel
libring0
pjsua
pjsua
python-pjsua
python-pjsua
ring-client-gnome
ring-daemon
ring-kde

So I installed ring-kde, which draws in ringdaemon package.
But I run into all sorts of problems, the daemon was not running after installation, and is not recognized by systemctl.
Started it manually from CLI.
Start then ring-kde, but as soon as I want it to configure my existing SIP account, it crashes. Segmentation fault.
Apparently installing libpjproject does not break anything else.
Comment 6 Lewis Smith 2017-09-01 22:27:41 CEST
M6/64 preamble

From Herman's application list, 'pjsua' looks best; and is anyway part of the update:
"pjsua is an open source command line SIP user agent (softphone)
that is used as the reference implementation for PJSIP, PJNATH, and PJMEDIA.
Despite its simple command line appearance, it does pack many features!"

Current issued versions:
- lib64pjproject2-2.5.5-4.mga6
- pjsua-2.5.5-4.mga6
Installing pjsua also pulls in lib64pjproject2. No man page; for info:
 $ pjsua --help
or better:
 http://www.pjsip.org/pjsua.htm

Set up an account (thanks PC_LX for the pointer) chez www.iptel.org . Need to figure out now how to use it...
Comment 7 PC LX 2017-09-03 11:23:55 CEST
The site https://freephonebox.net/ may be of use for testing incoming calls.
Comment 8 Lewis Smith 2017-09-04 21:19:03 CEST
Floundering M6/64

(In reply to PC LX from comment #7)
> The site https://freephonebox.net/ may be of use for testing incoming calls.
Thanks. This looks handy.

IF I knew how to drive pjsua. I tried making a call from this URL to myself; freephonebox said 'dialing' and there things sat. Firing up pjsua:
 $ pjsua
20:38:23.963   pjsua_core.c !.pjsua version 2.5.5 for Linux-4.9.43/x86_64/glibc-2.22 initialized
20:38:24.120         main.c  Ready: Success
>>>>
Account list:
  [ 0] <sip:192.168.0.10:5060>: does not register
       Online status: Online
 *[ 1] <sip:192.168.0.10:5060;transport=TCP>: does not register
       Online status: Online
Buddy list:
 -none-
then
Comment 9 Lewis Smith 2017-09-04 21:34:36 CEST
--->
a full screen of possible commands, of which: a  Answer call
then "You have 0 active call" and its prompt. Tried:
>>> a
No pending incoming call
>>> m           [make a call]
(You currently have 0 calls)
Buddy list:
 -none-
Choices:
   0         For current dialog.
  -1         All 0 buddies in buddy list
  [1 - 0]    Select from buddy list
  URL        An URL
  <Enter>    Empty input (or 'q') to cancel
Make call: sip:music@iptel.org
20:56:47.902    pjsua_aud.c  ..Error retrieving default audio device parameters: Unable to find default audio device (PJMEDIA_EAUD_NODEFDEV) [status=420006]

 $ pavucontrol
said "Line out plugged in" & "Headphones unplugged", although they were connected, and work for audio output. But there is some ambiguity about my 3 mini-jack sound sockets v 2 headphone plugs, I admit.

I do not know whether you have to create an account for your SIP provider (here iptel.org). pjsua has plenty of information, but nothing to put it into context. I searched 'how to use softphones' in vain: they all said what it was, roughly, with an impressive lack of 'how to use'. This is going to drag, I fear.
Comment 10 Samuel Verschelde 2017-09-06 15:05:05 CEST
Moving "advisory" from whiteboard to keywords.

Whiteboard: MGA5TOO MGA5-64-OK advisory => MGA5TOO MGA5-64-OK
Keywords: (none) => advisory

Comment 11 William Kenney 2017-10-11 23:48:04 CEST
In VirtualBox, M5.1, KDE, 32-bit

Package(s) under test:
libpjproject2 libpjproject-devel

default install of libpjproject2 & libpjproject-devel

[root@localhost wilcal]# urpmi libpjproject2
Package libpjproject2-2.3-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libpjproject-devel
Package libpjproject-devel-2.3-1.mga5.i586 is already installed

Installs without error

install libpjproject2 & libpjproject-devel from updates_testing

[root@localhost wilcal]# urpmi libpjproject2
Package libpjproject2-2.3-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libpjproject-devel
Package libpjproject-devel-2.3-1.1.mga5.i586 is already installed

Updates install without error

CC: (none) => wilcal.int

William Kenney 2017-10-11 23:48:22 CEST

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK

Comment 12 William Kenney 2017-10-12 00:00:48 CEST
In VirtualBox, M6, Plasma, 32-bit

Package(s) under test:
libpjproject2 libpjproject-devel

default install of libpjproject2 & libpjproject-devel

[root@localhost wilcal]# urpmi libpjproject2
Package libpjproject2-2.5.5-4.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libpjproject-devel
Package libpjproject-devel-2.5.5-4.mga6.i586 is already installed

Installs without error

install libpjproject2 & libpjproject-devel from updates_testing

[root@localhost wilcal]# urpmi libpjproject2
Package libpjproject2-2.5.5-4.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libpjproject-devel
Package libpjproject-devel-2.5.5-4.1.mga6.i586 is already installed

Updates install without error
William Kenney 2017-10-12 00:01:17 CEST

Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK

Comment 13 William Kenney 2017-10-12 00:11:16 CEST
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
lib64pjproject2 lib64pjproject-devel

default install of lib64pjproject2 & lib64pjproject-devel

[root@localhost wilcal]# urpmi lib64pjproject2
Package lib64pjproject2-2.5.5-4.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64pjproject-devel
Package lib64pjproject-devel-2.5.5-4.mga6.x86_64 is already installed

Installs without error

install lib64pjproject2 & lib64pjproject-devel from updates_testing

[root@localhost wilcal]# urpmi lib64pjproject2
Package lib64pjproject2-2.5.5-4.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64pjproject-devel
Package lib64pjproject-devel-2.5.5-4.1.mga6.x86_64 is already installed

Updates install without error
William Kenney 2017-10-12 00:11:42 CEST

Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK

Comment 14 Lewis Smith 2017-10-12 21:18:20 CEST
Thanks Bill for your patient update run-throughs.
Validating by common consent.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 15 Dave Hodgins 2017-10-14 01:11:52 CEST
Closing as Mageia robot failed to do so due to lack of permissions, which has
now been fixed.

Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => davidwhodgins

Comment 16 Mageia Robot 2017-10-18 22:20:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0368.html

Note You need to log in before you can comment on or make changes to this bug.