pjproject 2.11 or lower affected. Fixed in 2.11.1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32686
Fixed in cauldron with pjproject-2.11.1-1.mga9.
Cauldron's jami-daemon bundles pjproject 2.11. It's now fixed and bundled pjproject is updated to 2.11.1. Mga8's jami-daemon uses system pjproject ATM.
CC: (none) => mageiaAssignee: bugsquad => jani.valimaa
patch for this CVE added in mga8 package src: - pjproject-2.10-5.3.mga8
CC: (none) => jani.valimaaAssignee: jani.valimaa => qa-bugs
libpjproject2-2.10-5.3.mga8 pjsua-2.10-5.3.mga8 libpjproject-devel-2.10-5.3.mga8 from pjproject-2.10-5.3.mga8.src.rpm
mga8, x64 The vulnerability assigned to CVE-2021-32686 is noted as difficult to exploit and no PoC is available. The packages provide support for PJSIP which implements SIP, SDP, RTP, STUN and ICE. No idea how to go about testing them. $ urpmq --whatrequires lib64pjproject2 | sort -u lib64jami9 lib64pjproject2 lib64pjproject-devel pjsua A recursive search turns up more jami components, which seems to be a GNOME project, formerly GNU Ring. Running pjsua at the cli shows: +=============================================================================+ | Call Commands: | Buddy, IM & Presence: | Account: | | | | | | m Make new call | +b Add new buddy .| +a Add new accnt | | M Make multiple calls | -b Delete buddy | -a Delete accnt. | | a Answer call | i Send IM | !a Modify accnt. | ...... You have 0 active call >>> q ...... 14:17:02.073 sip_endpoint.c .Endpoint 0x1a4cce8 destroyed 14:17:02.073 pjsua_core.c .PJSUA state changed: CLOSING --> NULL 14:17:02.073 pjsua_core.c .PJSUA destroyed... Manual at https://www.pjsip.org/pjsua.htm Updated the three packages using qarepo/MageiaUpdate. $ pjsua ...... You have 0 active call >>> m (You currently have 0 calls) Buddy list: -none- Choices: 0 For current dialog. -1 All 0 buddies in buddy list [1 - 0] Select from buddy list URL An URL <Enter> Empty input (or 'q') to cancel Make call: No buddies online so that is as far as this goes. The trace does shows: openat(AT_FDCWD, "/lib64/libpjsua.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libpjsip-simple.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libpjsip.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libpjmedia.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libpjlib-util.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libpj.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libpjsip-ua.so.2", O_RDONLY|O_CLOEXEC) = 3 .... but no sign of pjproject. Going to have to leave it there. Cannot say definitely that it is working but it appears to be. Giving it a tentative OK.
CC: (none) => tarazed25Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0559.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
Upstream advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr