CVE-2022-39244

NameCVE-2022-39244
DescriptionPJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affeced by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users are advised to upgrade. There are no known workarounds for this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3335-1, DLA-3549-1, DSA-5358-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)buster1:16.2.1~dfsg-1+deb10u2vulnerable
buster (security)1:16.28.0~dfsg-0+deb10u4fixed
bullseye1:16.28.0~dfsg-0+deb11u3fixed
bullseye (security)1:16.28.0~dfsg-0+deb11u4fixed
sid1:20.6.0~dfsg+~cs6.13.40431414-2fixed
ring (PTS)buster20190215.1.f152c98~ds1-1+deb10u1vulnerable
buster (security)20190215.1.f152c98~ds1-1+deb10u2fixed
bullseye20210112.2.b757bac~ds1-1vulnerable
bookworm20230206.0~ds2-1.1fixed
sid, trixie20231201.0~ds1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksourcebuster1:16.28.0~dfsg-0+deb10u2DLA-3335-1
asterisksourcebullseye1:16.28.0~dfsg-0+deb11u2DSA-5358-1
asterisksource(unstable)1:20.0.1~dfsg+~cs6.12.40431414-1
pjprojectsource(unstable)(unfixed)
ringsourcebuster20190215.1.f152c98~ds1-1+deb10u2DLA-3549-1
ringsource(unstable)20230206.0~ds1-1

Notes

https://github.com/pjsip/pjproject/security/advisories/GHSA-fq45-m3f7-3mhj
https://github.com/pjsip/pjproject/commit/c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae

Search for package or bug name: Reporting problems