* [Buildroot] [PATCH 1/1] package/libpjsip: fix CVE-2022-235{3,4}7
@ 2023-02-26 13:55 Fabrice Fontaine
  2023-02-27 14:47 ` [Buildroot] [PATCH 1/1] package/libpjsip: fix CVE-2022-235{3, 4}7 Peter Korsgaard
  2023-03-15  6:18 ` Peter Korsgaard
From: Fabrice Fontaine @ 2023-02-26 13:55 UTC (permalink / raw)
  To: buildroot; +Cc: Luca Ceresoli, Fabrice Fontaine

https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...ull-request-from-GHSA-9pfh-r8x4-w26w.patch | 99 +++++++++++++++++++
 package/libpjsip/libpjsip.mk                  |  6 ++
 2 files changed, 105 insertions(+)
 create mode 100644 package/libpjsip/0001-Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch

diff --git a/package/libpjsip/0001-Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch b/package/libpjsip/0001-Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch
new file mode 100644
index 0000000000..01e1878189
--- /dev/null
+++ b/package/libpjsip/0001-Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch
@@ -0,0 +1,99 @@
+From d8440f4d711a654b511f50f79c0445b26f9dd1e1 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Tue, 20 Dec 2022 11:39:12 +0700
+Subject: [PATCH] Merge pull request from GHSA-9pfh-r8x4-w26w
+
+* Fix buffer overread in STUN message decoder
+
+* Updates based on comments
+
+[Retrieved from:
+https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ pjnath/include/pjnath/stun_msg.h |  4 ++++
+ pjnath/src/pjnath/stun_msg.c     | 14 +++++++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/pjnath/include/pjnath/stun_msg.h b/pjnath/include/pjnath/stun_msg.h
+index b52f95c586..e49f096f3a 100644
+--- a/pjnath/include/pjnath/stun_msg.h
++++ b/pjnath/include/pjnath/stun_msg.h
+@@ -442,6 +442,7 @@ typedef enum pj_stun_status
+ 
+    \endverbatim
+  */
++#pragma pack(1)
+ typedef struct pj_stun_msg_hdr
+ {
+     /**
+@@ -473,6 +474,7 @@ typedef struct pj_stun_msg_hdr
+     pj_uint8_t          tsx_id[12];
+ 
+ } pj_stun_msg_hdr;
++#pragma pack()
+ 
+ 
+ /**
+@@ -490,6 +492,7 @@ typedef struct pj_stun_msg_hdr
+ 
+    \endverbatim
+  */
++#pragma pack(1)
+ typedef struct pj_stun_attr_hdr
+ {
+     /**
+@@ -506,6 +509,7 @@ typedef struct pj_stun_attr_hdr
+     pj_uint16_t         length;
+ 
+ } pj_stun_attr_hdr;
++#pragma pack()
+ 
+ 
+ /**
+diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
+index 3def6b3eac..e904a0ba47 100644
+--- a/pjnath/src/pjnath/stun_msg.c
++++ b/pjnath/src/pjnath/stun_msg.c
+@@ -746,7 +746,7 @@ PJ_DEF(int) pj_stun_set_padding_char(int chr)
+ 
+ #define INIT_ATTR(a,t,l)    (a)->hdr.type=(pj_uint16_t)(t), \
+                             (a)->hdr.length=(pj_uint16_t)(l)
+-#define ATTR_HDR_LEN        4
++#define ATTR_HDR_LEN        sizeof(pj_stun_attr_hdr)
+ 
+ static pj_uint16_t GETVAL16H(const pj_uint8_t *buf, unsigned pos)
+ {
+@@ -2327,6 +2327,14 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         status = pj_stun_msg_check(pdu, pdu_len, options);
+         if (status != PJ_SUCCESS)
+             return status;
++    } else {
++        /* For safety, verify packet length at least */
++        pj_uint32_t msg_len = GETVAL16H(pdu, 2) + 20;
++        if (msg_len > pdu_len ||
++            ((options & PJ_STUN_IS_DATAGRAM) && msg_len != pdu_len))
++        {
++            return PJNATH_EINSTUNMSGLEN;
++        }
+     }
+ 
+     /* Create the message, copy the header, and convert to host byte order */
+@@ -2345,7 +2353,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         p_response = NULL;
+ 
+     /* Parse attributes */
+-    while (pdu_len >= 4) {
++    while (pdu_len >= ATTR_HDR_LEN) {
+         unsigned attr_type, attr_val_len;
+         const struct attr_desc *adesc;
+ 
+@@ -2357,7 +2365,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         attr_val_len = (attr_val_len + 3) & (~3);
+ 
+         /* Check length */
+-        if (pdu_len < attr_val_len) {
++        if (pdu_len < attr_val_len + ATTR_HDR_LEN) {
+             pj_str_t err_msg;
+             char err_msg_buf[80];
+ 
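Review bot: The new `else` branch at the end of the hunk reads `GETVAL16H(pdu, 2)` and adds the 20-byte header before anything visible here establishes `pdu_len >= sizeof(pj_stun_msg_hdr)`; if the prologue of pj_stun_msg_decode (which starts outside the hunk) does not already reject short buffers, that two-byte read and the header copy mentioned right after it still overread for a `pdu_len` below 20 when PJ_STUN_CHECK_PACKET is not set. A guard such as `if (pdu_len < sizeof(pj_stun_msg_hdr)) return PJNATH_EINSTUNMSGLEN;` placed ahead of the `GETVAL16H` call would make the length check self-contained. Separately, the header hunk brackets the structs with `#pragma pack(1)` / `#pragma pack()`, and a bare `#pragma pack()` resets to the compiler default rather than restoring whatever packing an includer had in effect; `#pragma pack(push, 1)` / `#pragma pack(pop)` is the safer pair now that `ATTR_HDR_LEN` is `sizeof(pj_stun_attr_hdr)` and the attribute-length arithmetic relies on it being exactly 4. pj_stun_msg_decode begins and ends outside this hunk.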
diff --git a/package/libpjsip/libpjsip.mk b/package/libpjsip/libpjsip.mk
index 5cc0423f5d..24db641446 100644
--- a/package/libpjsip/libpjsip.mk
+++ b/package/libpjsip/libpjsip.mk
@@ -15,6 +15,12 @@ LIBPJSIP_CPE_ID_PRODUCT = pjsip
 LIBPJSIP_INSTALL_STAGING = YES
 LIBPJSIP_MAKE = $(MAKE1)
 
+# 0001-Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch
+LIBPJSIP_IGNORE_CVES += CVE-2022-23537
+
+# 0002-Merge-pull-request-from-GHSA-cxwq-5g9x-x7fr.patch
+LIBPJSIP_IGNORE_CVES += CVE-2022-23547
+
 LIBPJSIP_CFLAGS = $(TARGET_CFLAGS) -DPJ_HAS_IPV6=1
 
 # relocation truncated to fit: R_68K_GOT16O
-- 
2.39.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/libpjsip: fix CVE-2022-235{3, 4}7
  2023-02-26 13:55 [Buildroot] [PATCH 1/1] package/libpjsip: fix CVE-2022-235{3,4}7 Fabrice Fontaine
@ 2023-02-27 14:47 ` Peter Korsgaard
  2023-03-15  6:18 ` Peter Korsgaard
From: Peter Korsgaard @ 2023-02-27 14:47 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Luca Ceresoli, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
 > https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 > ---
 >  ...ull-request-from-GHSA-9pfh-r8x4-w26w.patch | 99 +++++++++++++++++++
 >  package/libpjsip/libpjsip.mk                  |  6 ++
 >  2 files changed, 105 insertions(+)
 >  create mode 100644 package/libpjsip/0001-Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch

..

 > +# 0001-Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch
 > +LIBPJSIP_IGNORE_CVES += CVE-2022-23537
 > +
 > +# 0002-Merge-pull-request-from-GHSA-cxwq-5g9x-x7fr.patch
 > +LIBPJSIP_IGNORE_CVES += CVE-2022-23547

Did you forget to git add the patch for
0002-Merge-pull-request-from-GHSA-cxwq-5g9x-x7fr.patch?

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/libpjsip: fix CVE-2022-235{3, 4}7
  2023-02-26 13:55 [Buildroot] [PATCH 1/1] package/libpjsip: fix CVE-2022-235{3,4}7 Fabrice Fontaine
  2023-02-27 14:47 ` [Buildroot] [PATCH 1/1] package/libpjsip: fix CVE-2022-235{3, 4}7 Peter Korsgaard
@ 2023-03-15  6:18 ` Peter Korsgaard
From: Peter Korsgaard @ 2023-03-15  6:18 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Luca Ceresoli, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
 > https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.11.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

