Difuse/telephony
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libs/pjproject: security revision bump

Browse source 
Add patches provided by Asterisk project for pjproject. This fixes the
following vulnerabilities:

- AST-2017-002: Buffer Overrun in PJSIP transaction layer (CVE-2017-9372)
- AST-2017-003: Crash in PJSIP multi-part body parser

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit is contained in:
Sebastian Kemper 2017-07-29 13:54:21 +02:00
parent e1ce116eea
commit 7fc4844b71
3 changed files with 61 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
libs/pjproject/Makefile
View file

@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=pjproject PKG_NAME:=pjproject
PKG_VERSION:=2.6 PKG_VERSION:=2.6
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION)/ PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION)/

36
libs/pjproject/patches/130-Parse-zero-length-multipart-body-parts-correctly.patch Normal file
View file

@ -0,0 +1,36 @@
From f0c717463d569f87a16f9b014033c8ca8939a7b4 Mon Sep 17 00:00:00 2001
From: Mark Michelson <mmichelson@digium.com>
Date: Thu, 13 Apr 2017 16:59:40 -0500
Subject: [PATCH] Parse zero-length multipart body parts correctly.
The calculation of end_body could result in a negative length being
passed to multipart_body_parse_part().
---
pjsip/src/pjsip/sip_multipart.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/pjsip/src/pjsip/sip_multipart.c
+++ b/pjsip/src/pjsip/sip_multipart.c
@@ -646,13 +646,15 @@ PJ_DEF(pjsip_msg_body*) pjsip_multipart_
end_body = curptr;
- /* The newline preceeding the delimiter is conceptually part of
- * the delimiter, so trim it from the body.
- */
- if (*(end_body-1) == '\n')
- --end_body;
- if (*(end_body-1) == '\r')
- --end_body;
+ if (end_body > start_body) {
+ /* The newline preceeding the delimiter is conceptually part of
+ * the delimiter, so trim it from the body.
+ */
+ if (*(end_body-1) == '\n')
+ --end_body;
+ if (*(end_body-1) == '\r')
+ --end_body;
+ }
/* Now that we have determined the part's boundary, parse it
* to get the header and body part of the part.

24
libs/pjproject/patches/140-Ensure-2543-transaction-key-buffer-is-large-enough.patch Normal file
View file

@ -0,0 +1,24 @@
From b5f0f8868363c482a2c4ce343e3ee6ad256b0708 Mon Sep 17 00:00:00 2001
From: Mark Michelson <mmichelson@digium.com>
Date: Thu, 13 Apr 2017 16:20:07 -0500
Subject: [PATCH] Ensure 2543 transaction key buffer is large enough.
The CSeq method length needs to be factored into the allocated buffer
length. Otherwise, the buffer may not be large enough to accommodate the
entire key.
---
pjsip/src/pjsip/sip_transaction.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/pjsip/src/pjsip/sip_transaction.c
+++ b/pjsip/src/pjsip/sip_transaction.c
@@ -288,7 +288,8 @@ static pj_status_t create_tsx_key_2543(
host = &rdata->msg_info.via->sent_by.host;
/* Calculate length required. */
- len_required = 9 + /* CSeq number */
+ len_required = method->name.slen + /* Method */
+ 9 + /* CSeq number */
rdata->msg_info.from->tag.slen + /* From tag. */
rdata->msg_info.cid->id.slen + /* Call-ID */
host->slen + /* Via host. */