From 7fc4844b718e1ed4dc99ea3893f205ec5d877198 Mon Sep 17 00:00:00 2001
From: Sebastian Kemper
Date: Sat, 29 Jul 2017 13:54:21 +0200
Subject: [PATCH] libs/pjproject: security revision bump
Add patches provided by Asterisk project for pjproject. This fixes the following vulnerabilities:
- AST-2017-002: Buffer Overrun in PJSIP transaction layer (CVE-2017-9372)
- AST-2017-003: Crash in PJSIP multi-part body parser
Signed-off-by: Sebastian Kemper
---
 libs/pjproject/Makefile | 2 +-
 ...ength-multipart-body-parts-correctly.patch | 36 +++++++++++++++++++
 ...ansaction-key-buffer-is-large-enough.patch | 24 +++++++++++++
 3 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 libs/pjproject/patches/130-Parse-zero-length-multipart-body-parts-correctly.patch
 create mode 100644 libs/pjproject/patches/140-Ensure-2543-transaction-key-buffer-is-large-enough.patch
diff --git a/libs/pjproject/Makefile b/libs/pjproject/Makefile
index fe09098..0efd8fb 100644
--- a/libs/pjproject/Makefile
+++ b/libs/pjproject/Makefile
@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pjproject
 PKG_VERSION:=2.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION)/
diff --git a/libs/pjproject/patches/130-Parse-zero-length-multipart-body-parts-correctly.patch b/libs/pjproject/patches/130-Parse-zero-length-multipart-body-parts-correctly.patch
new file mode 100644
index 0000000..3fd2593
--- /dev/null
+++ b/libs/pjproject/patches/130-Parse-zero-length-multipart-body-parts-correctly.patch
@@ -0,0 +1,36 @@
+From f0c717463d569f87a16f9b014033c8ca8939a7b4 Mon Sep 17 00:00:00 2001
+From: Mark Michelson
+Date: Thu, 13 Apr 2017 16:59:40 -0500
+Subject: [PATCH] Parse zero-length multipart body parts correctly.
+
+The calculation of end_body could result in a negative length being
+passed to multipart_body_parse_part().
+---
+ pjsip/src/pjsip/sip_multipart.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/pjsip/src/pjsip/sip_multipart.c
++++ b/pjsip/src/pjsip/sip_multipart.c
+@@ -646,13 +646,15 @@ PJ_DEF(pjsip_msg_body*) pjsip_multipart_
+ 
+ end_body = curptr;
+ 
+- /* The newline preceeding the delimiter is conceptually part of
+- * the delimiter, so trim it from the body.
+- */
+- if (*(end_body-1) == '\n')
+- --end_body;
+- if (*(end_body-1) == '\r')
+- --end_body;
++ if (end_body > start_body) {
++ /* The newline preceeding the delimiter is conceptually part of
++ * the delimiter, so trim it from the body.
++ */
++ if (*(end_body-1) == '\n')
++ --end_body;
++ if (*(end_body-1) == '\r')
++ --end_body;
++ }
+ 
+ /* Now that we have determined the part's boundary, parse it
+ * to get the header and body part of the part.
diff --git a/libs/pjproject/patches/140-Ensure-2543-transaction-key-buffer-is-large-enough.patch b/libs/pjproject/patches/140-Ensure-2543-transaction-key-buffer-is-large-enough.patch
new file mode 100644
index 0000000..35e8223
--- /dev/null
+++ b/libs/pjproject/patches/140-Ensure-2543-transaction-key-buffer-is-large-enough.patch
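Review bot: The added `end_body > start_body` guard is evaluated only once, but the second test inside the block, `if (*(end_body-1) == '\r')`, runs after the first test may already have moved end_body back to start_body (a body consisting of a single LF), so it reads the byte just before the part's body and can step end_body below start_body again if that byte happens to be a CR. Whether the surrounding parser guarantees that byte is never a CR is not visible in this hunk, so bounding each step is the safer form: `if (end_body > start_body && *(end_body-1) == '\n') --end_body;` followed by `if (end_body > start_body && *(end_body-1) == '\r') --end_body;`, which makes the outer block unnecessary while the existing comment stays above the two lines. Since this is a carried patch file, the change belongs in the patch itself rather than in a follow-up. The enclosing function begins and ends outside the hunk, as does the multipart_body_parse_part() call named in the patch description that consumes the resulting length.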
@@ -0,0 +1,24 @@
+From b5f0f8868363c482a2c4ce343e3ee6ad256b0708 Mon Sep 17 00:00:00 2001
+From: Mark Michelson
+Date: Thu, 13 Apr 2017 16:20:07 -0500
+Subject: [PATCH] Ensure 2543 transaction key buffer is large enough.
+
+The CSeq method length needs to be factored into the allocated buffer
+length. Otherwise, the buffer may not be large enough to accommodate the
+entire key.
+---
+ pjsip/src/pjsip/sip_transaction.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/pjsip/src/pjsip/sip_transaction.c
++++ b/pjsip/src/pjsip/sip_transaction.c
+@@ -288,7 +288,8 @@ static pj_status_t create_tsx_key_2543(
+ host = &rdata->msg_info.via->sent_by.host;
+ 
+ /* Calculate length required. */
+- len_required = 9 + /* CSeq number */
++ len_required = method->name.slen + /* Method */
++ 9 + /* CSeq number */
+ rdata->msg_info.from->tag.slen + /* From tag. */
+ rdata->msg_info.cid->id.slen + /* Call-ID */
+ host->slen + /* Via host. */
-- 
2.30.2
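Review bot: The sum now includes the method name, but nothing in the hunk shows the assembled key being checked against `len_required` after it is written, so any field added to the key later would silently reintroduce the same under-allocation; an assertion after assembly that the number of bytes written does not exceed `len_required` would turn the bound from an assumption into an enforced invariant. The fixed `9` for the CSeq number would also benefit from a comment stating what it assumes, since a 32-bit sequence number can format to ten decimal digits; if the remaining terms of the sum, which continue past the end of the hunk, include slack that covers this, a comment saying so settles the question. create_tsx_key_2543 starts before the hunk and the expression continues beyond its last line.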