libs/pjproject: security revision bump 172/head
authorSebastian Kemper <sebastian_ml@gmx.net>
Sat, 29 Jul 2017 11:54:21 +0000 (13:54 +0200)
committerSebastian Kemper <sebastian_ml@gmx.net>
Sat, 29 Jul 2017 12:04:00 +0000 (14:04 +0200)
Add patches provided by the Asterisk project for pjproject. This fixes the
following vulnerabilities:

- AST-2017-002: Buffer Overrun in PJSIP transaction layer (CVE-2017-9372)
- AST-2017-003: Crash in PJSIP multi-part body parser

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
libs/pjproject/Makefile
libs/pjproject/patches/130-Parse-zero-length-multipart-body-parts-correctly.patch [new file with mode: 0644]
libs/pjproject/patches/140-Ensure-2543-transaction-key-buffer-is-large-enough.patch [new file with mode: 0644]

index fe0909853b1205eb793d2067bfc6403bcb7694d4..0efd8fb38bfa03546cf1b85f5786a115d378952a 100644 (file)
@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pjproject
 PKG_VERSION:=2.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION)/
diff --git a/libs/pjproject/patches/130-Parse-zero-length-multipart-body-parts-correctly.patch b/libs/pjproject/patches/130-Parse-zero-length-multipart-body-parts-correctly.patch
new file mode 100644 (file)
index 0000000..3fd2593
--- /dev/null
@@ -0,0 +1,36 @@
+From f0c717463d569f87a16f9b014033c8ca8939a7b4 Mon Sep 17 00:00:00 2001
+From: Mark Michelson <mmichelson@digium.com>
+Date: Thu, 13 Apr 2017 16:59:40 -0500
+Subject: [PATCH] Parse zero-length multipart body parts correctly.
+
+The calculation of end_body could result in a negative length being
+passed to multipart_body_parse_part().
+---
+ pjsip/src/pjsip/sip_multipart.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/pjsip/src/pjsip/sip_multipart.c
++++ b/pjsip/src/pjsip/sip_multipart.c
+@@ -646,13 +646,15 @@ PJ_DEF(pjsip_msg_body*) pjsip_multipart_
+       end_body = curptr;
+-      /* The newline preceeding the delimiter is conceptually part of
+-       * the delimiter, so trim it from the body.
+-       */
+-      if (*(end_body-1) == '\n')
+-          --end_body;
+-      if (*(end_body-1) == '\r')
+-          --end_body;
++      if (end_body > start_body) {
++          /* The newline preceeding the delimiter is conceptually part of
++           * the delimiter, so trim it from the body.
++           */
++          if (*(end_body-1) == '\n')
++              --end_body;
++          if (*(end_body-1) == '\r')
++               --end_body;
++      }
+       /* Now that we have determined the part's boundary, parse it
+        * to get the header and body part of the part.
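Review bot: The second trim, `if (*(end_body-1) == '\r')`, is still protected only by the `end_body > start_body` test that ran before the first `--end_body`; when a part body is exactly one byte long and that byte is '\n', the first trim leaves end_body equal to start_body and the second comparison reads the byte immediately before start_body. Whether that byte can ever be '\r' (which would again hand a negative length to multipart_body_parse_part) depends on how start_body is positioned after the delimiter scan, which is outside this hunk, so `if (end_body > start_body && *(end_body-1) == '\r')` would make the trimming self-contained without relying on that. The enclosing function (`pjsip_multipart_…` in the hunk header) continues on both sides of the hunk.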
diff --git a/libs/pjproject/patches/140-Ensure-2543-transaction-key-buffer-is-large-enough.patch b/libs/pjproject/patches/140-Ensure-2543-transaction-key-buffer-is-large-enough.patch
new file mode 100644 (file)
index 0000000..35e8223
--- /dev/null
@@ -0,0 +1,24 @@
+From b5f0f8868363c482a2c4ce343e3ee6ad256b0708 Mon Sep 17 00:00:00 2001
+From: Mark Michelson <mmichelson@digium.com>
+Date: Thu, 13 Apr 2017 16:20:07 -0500
+Subject: [PATCH] Ensure 2543 transaction key buffer is large enough.
+
+The CSeq method length needs to be factored into the allocated buffer
+length. Otherwise, the buffer may not be large enough to accommodate the
+entire key.
+---
+ pjsip/src/pjsip/sip_transaction.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/pjsip/src/pjsip/sip_transaction.c
++++ b/pjsip/src/pjsip/sip_transaction.c
+@@ -288,7 +288,8 @@ static pj_status_t create_tsx_key_2543(
+     host = &rdata->msg_info.via->sent_by.host;
+     /* Calculate length required. */
+-    len_required = 9 +                            /* CSeq number */
++    len_required = method->name.slen +            /* Method */
++                 9 +                      /* CSeq number */
+                  rdata->msg_info.from->tag.slen +   /* From tag. */
+                  rdata->msg_info.cid->id.slen +    /* Call-ID */
+                  host->slen +             /* Via host. */
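Review bot: Adding `method->name.slen` as the first term restores the missing contribution, but len_required remains a hand-maintained sum of constants and string lengths with nothing that checks the key actually written against it, so the next omitted term would reproduce the same overrun silently. Since the code that allocates and fills the key follows this hunk (create_tsx_key_2543 continues outside it), I would add a `pj_assert()` comparing the number of bytes written with len_required immediately after the key is assembled, or an explicit error return for release builds, so a mismatch between the size computation and the writer fails loudly. The names of the destination buffer and write cursor are not visible here, so the exact expression has to be taken from the lines below the hunk.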