| Summary: | ASTERISK-29580: codec_opus: Version of included libopus? | ||
| Reporter: | Alexander Traud (traud) | Labels: | |
| Date Opened: | 2021-08-16 02:55:37 | Date Closed: | |
| Priority: | Major | Regression? | |
| Status: | Open/New | Components: | Codecs/codec_opus |
| Versions: | 13.38.2 16.20.0 17.9.3 18.6.0 | Frequency of Occurrence | |
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | Because an outdated library could contain a security issue, I am asking to display the version of the bundled library, for example, at the start of Asterisk (or even better via a command on the command-line interface; CLI). Actually, there have been security issues in the Opus Codec library, [in the past …|https://www.opus-codec.org/news/]
Actually, actually, this issue rose from a different perspective, classifying this issue not as a feature request but a software bug. Although, I was able to overwrite it via the configuration file {{codecs.conf}}, I do not consider that an easy workaround – therefore, the severity Major. Anyway, depending on the actual cause, it could be anything from a feature request to a security bug. While debugging (another case with) the [ToC byte|https://tools.ietf.org/html/rfc6716#section-3.1] in the RTP media stream of the audio codec Opus Codec, I noticed, the Digium/Sangoma module sends Super Wideband (swb) although the caller stated to support just Wideband (wb) in its SDP. This codec module is closed source and comes with a bundled libopus. That codec module has not been updated since the [year 2017|https://downloads.digium.com/pub/telephony/codec_opus/]. Therefore, the bundled libopus cannot be the [current version 1.3.1|https://archive.mozilla.org/pub/opus/]. I cross-checked with ‘my’ open-source Opus Codec module, which can be linked to any libopus. I went for an older version of libopus and was able to duplicate the symptom. Therefore, I guess, the cause is the old bundled libopus. I know, this was reported back in the year 2019 [already|https://community.asterisk.org/t/81919]. However, because that did not create an issue report here in Jira, I guess, that report was classified not as software bug but feature request. Because of those two reasons, I would like to know the version of the bundled libopus, to double-check (if there is a security concern and/or whether the outdated libopus might cause my interoperability issue). | ||
| Comments: | By: Asterisk Team (asteriskteam) 2021-08-16 02:55:41.542-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur. Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/]. By: Joshua C. Colp (jcolp) 2021-08-16 04:45:28.718-0500 The version in it for libopus is 1.2.1 while opusfile is 0.9. I have updated the internal issue accordingly. By: Alexander Traud (traud) 2021-08-16 07:20:54.694-0500 Not aware of any security issues with libopus 1.2.1 or opusfile 0.9. :) Consequently, this here is just an interoperability issue report. | ||