CVE-2021-43303

Name	CVE-2021-43303
Description	Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker-controlled 'buffer' argument may cause a buffer overflow, since supplying an output buffer smaller than 128 characters may overflow the output buffer, regardless of the 'maxlen' argument supplied
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2962-1, DLA-3194-1, DLA-3549-1, DSA-5285-1
Debian Bugs	1014998

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
asterisk (PTS)	buster	1:16.2.1~dfsg-1+deb10u2	vulnerable
	buster (security)	1:16.28.0~dfsg-0+deb10u3	fixed
	bullseye	1:16.28.0~dfsg-0+deb11u2	fixed
	bullseye (security)	1:16.28.0~dfsg-0+deb11u3	fixed
	sid	1:20.4.0~dfsg+~cs6.13.40431414-2	fixed
ring (PTS)	buster	20190215.1.f152c98~ds1-1+deb10u1	vulnerable
	buster (security)	20190215.1.f152c98~ds1-1+deb10u2	fixed
	bullseye	20210112.2.b757bac~ds1-1	vulnerable
	bookworm	20230206.0~ds2-1.1	fixed
	sid, trixie	20230922.0~ds1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
asterisk	source	stretch	(not affected)
asterisk	source	buster	1:16.28.0~dfsg-0+deb10u1	DLA-3194-1
asterisk	source	bullseye	1:16.28.0~dfsg-0+deb11u1	DSA-5285-1
asterisk	source	(unstable)	1:18.11.1~dfsg+~cs6.10.40431413-1
pjproject	source	stretch	2.5.5~dfsg-6+deb9u3	DLA-2962-1
pjproject	source	(unstable)	(unfixed)
ring	source	buster	20190215.1.f152c98~ds1-1+deb10u2	DLA-3549-1
ring	source	(unstable)	20230206.0~ds1-1		1014998

Notes

[stretch] - asterisk <not-affected> (Vulnerable code not present)
https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337