gentoo auto-resync : 05:04:2023 - 17:25:42

3 files changed, 191 insertions, 0 deletions

diff --git a/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23537-buffer-overread-on-STUN-error-decode.patch b/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23537-buffer-overread-on-STUN-error-decode.patch
new file mode 100644
index 000000000000..bfd1fc05e160
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23537-buffer-overread-on-STUN-error-decode.patch
@@ -0,0 +1,95 @@
+From d8440f4d711a654b511f50f79c0445b26f9dd1e1 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Tue, 20 Dec 2022 11:39:12 +0700
+Subject: [PATCH] Merge pull request from GHSA-9pfh-r8x4-w26w
+
+* Fix buffer overread in STUN message decoder
+
+* Updates based on comments
+---
+ pjnath/include/pjnath/stun_msg.h |  4 ++++
+ pjnath/src/pjnath/stun_msg.c     | 14 +++++++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/pjnath/include/pjnath/stun_msg.h b/pjnath/include/pjnath/stun_msg.h
+index b52f95c586..e49f096f3a 100644
+--- a/pjnath/include/pjnath/stun_msg.h
++++ b/pjnath/include/pjnath/stun_msg.h
+@@ -442,6 +442,7 @@ typedef enum pj_stun_status
+ 
+    \endverbatim
+  */
++#pragma pack(1)
+ typedef struct pj_stun_msg_hdr
+ {
+     /**
+@@ -473,6 +474,7 @@ typedef struct pj_stun_msg_hdr
+     pj_uint8_t          tsx_id[12];
+ 
+ } pj_stun_msg_hdr;
++#pragma pack()
+ 
+ 
+ /**
+@@ -490,6 +492,7 @@ typedef struct pj_stun_msg_hdr
+ 
+    \endverbatim
+  */
++#pragma pack(1)
+ typedef struct pj_stun_attr_hdr
+ {
+     /**
+@@ -506,6 +509,7 @@ typedef struct pj_stun_attr_hdr
+     pj_uint16_t         length;
+ 
+ } pj_stun_attr_hdr;
++#pragma pack()
+ 
+ 
+ /**
+diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
+index 3def6b3eac..e904a0ba47 100644
+--- a/pjnath/src/pjnath/stun_msg.c
++++ b/pjnath/src/pjnath/stun_msg.c
+@@ -746,7 +746,7 @@ PJ_DEF(int) pj_stun_set_padding_char(int chr)
+ 
+ #define INIT_ATTR(a,t,l)    (a)->hdr.type=(pj_uint16_t)(t), \
+                             (a)->hdr.length=(pj_uint16_t)(l)
+-#define ATTR_HDR_LEN        4
++#define ATTR_HDR_LEN        sizeof(pj_stun_attr_hdr)
+ 
+ static pj_uint16_t GETVAL16H(const pj_uint8_t *buf, unsigned pos)
+ {
+@@ -2327,6 +2327,14 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         status = pj_stun_msg_check(pdu, pdu_len, options);
+         if (status != PJ_SUCCESS)
+             return status;
++    } else {
++        /* For safety, verify packet length at least */
++        pj_uint32_t msg_len = GETVAL16H(pdu, 2) + 20;
++        if (msg_len > pdu_len ||
++            ((options & PJ_STUN_IS_DATAGRAM) && msg_len != pdu_len))
++        {
++            return PJNATH_EINSTUNMSGLEN;
++        }
+     }
+ 
+     /* Create the message, copy the header, and convert to host byte order */
+@@ -2345,7 +2353,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         p_response = NULL;
+ 
+     /* Parse attributes */
+-    while (pdu_len >= 4) {
++    while (pdu_len >= ATTR_HDR_LEN) {
+         unsigned attr_type, attr_val_len;
+         const struct attr_desc *adesc;
+ 
+@@ -2357,7 +2365,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         attr_val_len = (attr_val_len + 3) & (~3);
+ 
+         /* Check length */
+-        if (pdu_len < attr_val_len) {
++        if (pdu_len < attr_val_len + ATTR_HDR_LEN) {
+             pj_str_t err_msg;
+             char err_msg_buf[80];
+ 
diff --git a/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23547-buffer-overread-on-STUN-decode.patch b/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23547-buffer-overread-on-STUN-decode.patch
new file mode 100644
index 000000000000..499ce4373b56
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23547-buffer-overread-on-STUN-decode.patch
@@ -0,0 +1,50 @@
+From bc4812d31a67d5e2f973fbfaf950d6118226cf36 Mon Sep 17 00:00:00 2001
+From: sauwming <ming@teluu.com>
+Date: Fri, 23 Dec 2022 15:05:28 +0800
+Subject: [PATCH] Merge pull request from GHSA-cxwq-5g9x-x7fr
+
+* Fixed heap buffer overflow when parsing STUN errcode attribute
+
+* Also fixed uint parsing
+---
+ pjnath/src/pjnath/stun_msg.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
+index c6b0bdd284..b55d29849a 100644
+--- a/pjnath/src/pjnath/stun_msg.c
++++ b/pjnath/src/pjnath/stun_msg.c
+@@ -1438,12 +1438,12 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
+     attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
+     GETATTRHDR(buf, &attr->hdr);
+ 
+-    attr->value = GETVAL32H(buf, 4);
+-
+     /* Check that the attribute length is valid */
+     if (attr->hdr.length != 4)
+         return PJNATH_ESTUNINATTRLEN;
+ 
++    attr->value = GETVAL32H(buf, 4);
++
+     /* Done */
+     *p_attr = attr;
+ 
+@@ -1757,14 +1757,15 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
+     attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
+     GETATTRHDR(buf, &attr->hdr);
+ 
++    /* Check that the attribute length is valid */
++    if (attr->hdr.length < 4)
++        return PJNATH_ESTUNINATTRLEN;
++
+     attr->err_code = buf[6] * 100 + buf[7];
+ 
+     /* Get pointer to the string in the message */
+     value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
+     value.slen = attr->hdr.length - 4;
+-    /* Make sure the length is never negative */
+-    if (value.slen < 0)
+-        value.slen = 0;
+ 
+     /* Copy the string to the attribute */
+     pj_strdup(pool, &attr->reason, &value);
diff --git a/net-libs/pjproject/files/pjproject-2.13-r1-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new.patch b/net-libs/pjproject/files/pjproject-2.13-r1-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new.patch
new file mode 100644
index 000000000000..009060a124d8
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.13-r1-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new.patch
@@ -0,0 +1,46 @@
+From ac685b30c17be461b2bf5b46a772ed9742b8e985 Mon Sep 17 00:00:00 2001
+From: Riza Sulistyo <trengginas@users.noreply.github.com>
+Date: Thu, 9 Feb 2023 13:19:23 +0700
+Subject: [PATCH] Make sure that NOTIFY tdata is set before sending it.
+
+---
+ pjsip/src/pjsip-simple/evsub.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pjsip/src/pjsip-simple/evsub.c b/pjsip/src/pjsip-simple/evsub.c
+index da0a9b416..68c1d3951 100644
+--- a/pjsip/src/pjsip-simple/evsub.c
++++ b/pjsip/src/pjsip-simple/evsub.c
+@@ -2216,23 +2216,26 @@ static void on_tsx_state_uas( pjsip_evsub *sub, pjsip_transaction *tsx,
+             }
+ 
+         }  else {
+             sub->state = old_state;
+             sub->state_str = old_state_str;
+         }
+ 
+         /* Send the pending NOTIFY sent by app from inside
+          * on_rx_refresh() callback.
+          */
+-        pj_assert(sub->pending_notify);
+-        status = pjsip_evsub_send_request(sub, sub->pending_notify);
+-        sub->pending_notify = NULL;
++        //pj_assert(sub->pending_notify);
++        /* Make sure that pending_notify is set. */
++        if (sub->pending_notify) {
++            status = pjsip_evsub_send_request(sub, sub->pending_notify);
++            sub->pending_notify = NULL;
++        }
+ 
+     } else if (pjsip_method_cmp(&tsx->method, &pjsip_notify_method)==0) {
+ 
+         /* Handle authentication */
+         if (tsx->state == PJSIP_TSX_STATE_COMPLETED &&
+             (tsx->status_code==401 || tsx->status_code==407))
+         {
+             pjsip_tx_data *tdata;
+             pj_status_t status;
+             pjsip_rx_data *rdata = event->body.tsx_state.src.rdata;
+-- 
+2.39.1
+