Summary: ASTERISK-29945: pjproject: Security fixes for things
Reporter: Kevin Harwell (kharwell)
Labels: security
Date Opened: 2022-03-03 12:19:30.000-0600
Date Closed: 2022-03-04 12:35:26.000-0600
Priority: Blocker
Regression?: No
Status: Closed/Complete
Components: pjproject/pjsip
Versions: 16.24.0 18.10.0 19.2.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:

Description: With the release of pjproject 2.12 there were some security fixes included. Most of these don't affect us, but a few do:

https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm

Backport these patches into current bundled.
Comments:

By: Asterisk Team (asteriskteam) 2022-03-03 12:19:30.940-0600

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue.

By: Kevin Harwell (kharwell) 2022-03-03 15:19:12.024-0600

--As stated in the description the patches have been included and released in pjproject 2.12. The next release of Asterisk is planned to include bundled pjproject 2.12, thus these patches only need to go into the previous release branches: 16.24, 18.10, 19.2, and 16.8-cert.--

Scratch that, folks wanted them in mainline branches too.

By: Friendly Automation (friendly-automation) 2022-03-04 12:35:28.457-0600

Change 18133 merged by Kevin Harwell:
AST-2022-004: pjproject - possible integer underflow on STUN message

https://gerrit.asterisk.org/c/asterisk/+/18133

By: Friendly Automation (friendly-automation) 2022-03-04 12:35:42.474-0600

Change 18165 merged by Kevin Harwell:
AST-2022-004: pjproject - possible integer underflow on STUN message

https://gerrit.asterisk.org/c/asterisk/+/18165

By: Friendly Automation (friendly-automation) 2022-03-04 12:36:01.921-0600

Change 18166 merged by Kevin Harwell:
AST-2022-004: pjproject - possible integer underflow on STUN message

https://gerrit.asterisk.org/c/asterisk/+/18166

By: Friendly Automation (friendly-automation) 2022-03-04 12:38:02.143-0600

Change 18168 merged by Kevin Harwell:
AST-2022-004: pjproject - possible integer underflow on STUN message

https://gerrit.asterisk.org/c/asterisk/+/18168

By: Friendly Automation (friendly-automation) 2022-03-04 12:38:38.904-0600

Change 18167 merged by Kevin Harwell:
AST-2022-004: pjproject - possible integer underflow on STUN message

https://gerrit.asterisk.org/c/asterisk/+/18167

By: Friendly Automation (friendly-automation) 2022-03-04 12:39:13.383-0600

Change 18134 merged by Kevin Harwell:
AST-2022-004: pjproject - possible integer underflow on STUN message

https://gerrit.asterisk.org/c/asterisk/+/18134

By: Friendly Automation (friendly-automation) 2022-03-04 12:40:23.680-0600

Change 18169 merged by Kevin Harwell:
AST-2022-004: pjproject - possible integer underflow on STUN message

https://gerrit.asterisk.org/c/asterisk/+/18169

By: Friendly Automation (friendly-automation) 2022-03-04 12:41:41.722-0600

Change 18135 merged by Kevin Harwell:
AST-2022-004: pjproject - possible integer underflow on STUN message

https://gerrit.asterisk.org/c/asterisk/+/18135

By: Friendly Automation (friendly-automation) 2022-03-04 12:42:56.955-0600

Change 18171 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18171

By: Friendly Automation (friendly-automation) 2022-03-04 12:43:58.884-0600

Change 18172 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18172

By: Friendly Automation (friendly-automation) 2022-03-04 12:44:18.971-0600

Change 18136 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18136

By: Friendly Automation (friendly-automation) 2022-03-04 12:44:58.195-0600

Change 18173 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18173

By: Friendly Automation (friendly-automation) 2022-03-04 12:45:26.731-0600

Change 18174 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18174

By: Friendly Automation (friendly-automation) 2022-03-04 12:45:37.226-0600

Change 18137 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18137

By: Friendly Automation (friendly-automation) 2022-03-04 12:46:04.460-0600

Change 18175 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18175

By: Friendly Automation (friendly-automation) 2022-03-04 12:46:31.589-0600

Change 18138 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18138

By: Friendly Automation (friendly-automation) 2022-03-04 12:47:22.921-0600

Change 18176 merged by Kevin Harwell:
AST-2022-006: pjproject - unconstrained malformed multipart SIP message

https://gerrit.asterisk.org/c/asterisk/+/18176

By: Friendly Automation (friendly-automation) 2022-03-04 12:47:49.371-0600

Change 18177 merged by Kevin Harwell:
AST-2022-006: pjproject - unconstrained malformed multipart SIP message

https://gerrit.asterisk.org/c/asterisk/+/18177

By: Friendly Automation (friendly-automation) 2022-03-04 12:47:57.794-0600

Change 18139 merged by Kevin Harwell:
AST-2022-006: pjproject - unconstrained malformed multipart SIP message

https://gerrit.asterisk.org/c/asterisk/+/18139

By: Friendly Automation (friendly-automation) 2022-03-04 12:48:20.523-0600

Change 18178 merged by Kevin Harwell:
AST-2022-006: pjproject - unconstrained malformed multipart SIP message

https://gerrit.asterisk.org/c/asterisk/+/18178

By: Friendly Automation (friendly-automation) 2022-03-04 12:48:46.499-0600

Change 18179 merged by Kevin Harwell:
AST-2022-006: pjproject - unconstrained malformed multipart SIP message

https://gerrit.asterisk.org/c/asterisk/+/18179

By: Friendly Automation (friendly-automation) 2022-03-04 12:48:59.449-0600

Change 18180 merged by Kevin Harwell:
AST-2022-006: pjproject - unconstrained malformed multipart SIP message

https://gerrit.asterisk.org/c/asterisk/+/18180

By: Friendly Automation (friendly-automation) 2022-03-04 12:49:19.872-0600

Change 18200 merged by Kevin Harwell:
AST-2022-006: pjproject - unconstrained malformed multipart SIP message

https://gerrit.asterisk.org/c/asterisk/+/18200

By: Friendly Automation (friendly-automation) 2022-03-04 12:49:28.687-0600

Change 18181 merged by Kevin Harwell:
AST-2022-006: pjproject - unconstrained malformed multipart SIP message

https://gerrit.asterisk.org/c/asterisk/+/18181

By: Friendly Automation (friendly-automation) 2022-03-04 13:07:23.384-0600

Change 18201 merged by Kevin Harwell:
AST-2022-005: pjproject - undefined behavior after freeing a dialog set

https://gerrit.asterisk.org/c/asterisk/+/18201