Bug 28998 - pjproject new security issues CVE-2020-15260 (mga8) and CVE-2021-21375 (mga7 and mga8)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-28 22:59 CEST by David Walser
Modified: 2021-07-10 22:02 CEST

See Also:
Source RPM: pjproject-2.10-5.mga8.src.rpm
CVE: CVE-2020-15260, CVE-2021-21375
Status comment:



Description David Walser 2021-05-28 22:59:35 CEST
Debian-LTS has issued an advisory on April 23:
https://www.debian.org/lts/security/2021/dla-2636

The issue is fixed upstream in 2.11:
https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-28 23:00:25 CEST

Status comment: (none) => Fixed upstream in 2.11
CC: (none) => geiger.david68210, jani.valimaa
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 David Walser 2021-05-28 23:10:36 CEST
Debian-LTS has issued an advisory for ring-daemon on May 23:
https://www.debian.org/lts/security/2021/dla-2665

It had a bundled copy of pjproject.  I think this was renamed in Mageia 8?
Comment 2 Lewis Smith 2021-05-29 21:24:47 CEST
No current registered maintainer, so assigning globally. I was going to CC Jani as having done all recent updates, but that is already done!

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2021-06-01 04:17:43 CEST
pjproject-2.11-1.mga9 uploaded for Cauldron by Jani.

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 4 Nicolas Salguero 2021-06-02 13:35:44 CEST
Hi,

For Mageia 8, I added an upstream patch for that CVE and pushed pjproject-2.10-5.1.mga8 to the BS.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 5 David Walser 2021-06-02 23:08:25 CEST
We have 2.7.2 in Mageia 7, so Debian's patch for 2.5.5 might work for us.

What's the status of ring-daemon?

Uploaded packages for Mageia 8:
libpjproject2-2.10-5.1.mga8
pjsua-2.10-5.1.mga8
libpjproject-devel-2.10-5.1.mga8

from pjproject-2.10-5.1.mga8.src.rpm
Comment 6 David Walser 2021-06-28 20:32:23 CEST
ring-daemon was replaced by jami-daemon in Mageia 8.  Both are built against our system pjproject library.
Comment 7 David Walser 2021-06-28 20:37:23 CEST
Advisory:
========================

Updated pjproject packages fix security vulnerability:

An issue has been found in pjproject. Due to bad handling of two consecutive
crafted answers to an INVITE, the attacker is able to crash the server
resulting in a denial of service (CVE-2021-21375).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21375
https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp
https://www.debian.org/lts/security/2021/dla-2636
========================

Updated packages in core/updates_testing:
========================
libpjproject2-2.7.2-1.1.mga7
libpjproject-devel-2.7.2-1.1.mga7
pjsua-2.7.2-1.1.mga7
python2-pjsua-2.7.2-1.1.mga7
libpjproject2-2.10-5.1.mga8
pjsua-2.10-5.1.mga8
libpjproject-devel-2.10-5.1.mga8

from SRPMS:
pjproject-2.7.2-1.1.mga7.src.rpm
pjproject-2.10-5.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.11 => (none)

Comment 8 David Walser 2021-07-01 00:08:42 CEST
The Debian bug also references another CVE, CVE-2020-15260:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986815

I've included the patch for that in the Mageia 8 build.  I'm not sure that the Mageia 7 version is vulnerable.  The code's different enough, it's not obvious how it would apply.

Mageia 8 advisory below (Mageia 7 one can remain as in Comment 7).

Advisory (Mageia 8):
========================

Updated pjproject packages fix security vulnerability:

Currently, PJSIP transport can be reused if they have the same IP address
+ port + protocol. However, this is insufficient for secure transport since
it lacks remote hostname authentication. The vulnerability allows for an
insecure interaction without user awareness. It affects users who need access
to connections to different destinations that translate to the same address,
and allows man-in-the-middle attack if attacker can route a connection to
another destination such as in the case of DNS spoofing (CVE-2020-15260).

An issue has been found in pjproject. Due to bad handling of two consecutive
crafted answers to an INVITE, the attacker is able to crash the server
resulting in a denial of service (CVE-2021-21375).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21375
https://github.com/pjsip/pjproject/security/advisories/GHSA-8hcp-hm38-mfph
https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp
https://www.debian.org/lts/security/2021/dla-2636
========================

Updated packages in core/updates_testing:
========================
libpjproject2-2.10-5.2.mga8
pjsua-2.10-5.2.mga8
libpjproject-devel-2.10-5.2.mga8

from pjproject-2.10-5.2.mga8.src.rpm
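
The transport-reuse problem described in the CVE-2020-15260 advisory text above, as an added example that is not pjproject code and not part of the original comment. The struct, the function `find_transport`, the `check_host` flag and the sample cache are hypothetical and constructed for illustration; comparing the verified hostname is one assumed way to close the gap.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical cache entry; names are illustrative, not pjproject's own. */
struct transport {
    const char *proto;          /* "udp", "tcp" or "tls" */
    const char *remote_ip;
    unsigned short remote_port;
    const char *verified_host;  /* name the peer certificate was checked against */
};

/* Constructed sample: one TLS transport already verified for sip.example.org. */
static const struct transport CACHE[] = {
    { "tls", "203.0.113.10", 5061, "sip.example.org" },
    { "udp", "203.0.113.10", 5060, NULL },
};
static const size_t CACHE_LEN = sizeof(CACHE) / sizeof(CACHE[0]);

/* check_host = 0: reuse on protocol + IP + port only (the keying the advisory
 * describes). check_host = 1: a TLS transport is reused only for the hostname
 * it was verified against; a miss forces a new connection and a fresh check. */
const struct transport *find_transport(const char *proto, const char *ip,
                                       unsigned short port, const char *host,
                                       int check_host)
{
    for (size_t i = 0; i < CACHE_LEN; i++) {
        const struct transport *t = &CACHE[i];
        if (strcmp(t->proto, proto) || strcmp(t->remote_ip, ip) ||
            t->remote_port != port)
            continue;
        /* Only TLS carries a verified peer name to compare. */
        if (!check_host || strcmp(proto, "tls") != 0)
            return t;
        if (host && t->verified_host && strcasecmp(t->verified_host, host) == 0)
            return t;
    }
    return NULL;
}

int main(void)
{
    /* sip.example.net resolves to the same address as sip.example.org. */
    const char *ip = "203.0.113.10", *host = "sip.example.net";
    printf("ip/port/proto key: %s\n",
           find_transport("tls", ip, 5061, host, 0) ? "reused" : "new connection");
    printf("with hostname:     %s\n",
           find_transport("tls", ip, 5061, host, 1) ? "reused" : "new connection");
    return 0;
}
```

With the address-only key, the request for sip.example.net is handed the transport whose certificate was checked for sip.example.org; with the hostname in the key it gets a cache miss instead.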
Comment 9 Herman Viaene 2021-07-06 11:53:35 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues. Installs cleanly.
Ref bug 21505 for testing.
As I have a VOIP connection with my ISP, trying to get to grips with pjsua, but running into a sound problem.
Found www.pjsip.org/psjua.htm#invoking as info
$ pjsua sip:<miISPaddress>
11:04:16.190           pjsua_core.c !.pjsua version 2.7.2 for Linux-5.10.45/x86_64/glibc-2.29 initialized
11:04:16.195                 main.c  Ready: Success
11:04:16.195            pjsua_aud.c  ..Error retrieving default audio device parameters: Unable to find default audio device (PJMEDIA_EAUD_NODEFDEV) [status=420006]
When I try any command to make a call, all abort on this sound error.
other command: dump configuration

>>> dc
11:24:05.135     pjsua_app_legacy.c  Dumping configuration (393 bytes):
#
# Logging options:
#
--log-level 5
--app-log-level 4

#
# Network settings:
#
--local-port 5060

#
# Media settings:
#
--snd-auto-close 1
#using default --clock-rate 16000
#using default --quality 8
#using default --ec-tail 200
#using default --ilbc-mode 30
--rtp-port 4000

#
# User agent:
#
--max-calls 4

#
# Buddies:
#
--add-buddy sip:<myISPaddress>

#
# SIP extensions:
#
--use-timer 1

When I do
$ pjsua --null-audio sip:<myISPaddress>
......
You have 1 active call
Current call id=0 to sip:<myISPaddress> [CALLING]
>>> 11:29:54.757            pjsua_app.c !.....Call 0 is DISCONNECTED [reason=407 (Proxy Authentication Required)]
That result seems OK since I did not pass user/password in the command....

Trying
$ pjsua --null-audio --id sip:<myname>@v<myISPaddress> --registrar sip:<myISPaddress> --realm * --username <myname> --password <secret>

I have to make sure the pwd is an empty folder, otherwise the command seems to pick up the first file in it for some config settings.
Then I get
11:45:07.616           pjsua_core.c !.pjsua version 2.7.2 for Linux-5.10.45/x86_64/glibc-2.29 initialized
11:45:07.636            pjsua_app.c  .Turning sound device -99 -99 ON
11:45:07.636                 main.c  Ready: Success
>>>>
Account list:
etc .... and at the end
>>> 11:45:07.655            pjsua_acc.c !....IP address change detected for account 2 (192.168.2.5:5060 --> 213.219.165.75:62345). Updating registration (using method 4)
11:45:07.672            pjsua_acc.c  ....SIP registration failed, status=603 (Decline)
which I would accept as a valid result, since I do not expect the ISP to honour registrations from any outside source.
OK unless someone else objects.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene

Comment 10 Herman Viaene 2021-07-10 15:21:30 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues. Installs cleanly.
Repeated tests as in Comment 9 above with same results.
OK then.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 11 Thomas Andrews 2021-07-10 15:51:21 CEST
Validating. Advisories in Comment 7 and Comment 8.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 12 Aurelien Oudelet 2021-07-10 20:14:51 CEST
2 advisories pushed.

Keywords: (none) => advisory
CC: (none) => ouaurelien
Status comment: (none) => CVE-2020-15260 for Mageia 8
Summary: pjproject new security issue CVE-2021-21375 => pjproject new security issues CVE-2020-15260 (mga8) and CVE-2021-21375 (mga7 and mga8)
CVE: (none) => CVE-2020-15260, CVE-2021-21375

David Walser 2021-07-10 20:17:50 CEST

Status comment: CVE-2020-15260 for Mageia 8 => (none)

Comment 13 Mageia Robot 2021-07-10 22:01:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0336.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 Mageia Robot 2021-07-10 22:02:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0337.html
