Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Probably a bit late, but Salvatore just suggested to handle this via PU instead of security upload.
The attached debdiff for ring fixes CVE-2021-21375 in Buster. The fix has already been uploaded to Stretch some time ago and nobody complained up to now.

Thorsten

PS. In order to avoid delays, I already uploaded the package ...

diff -Nru ring-20190215.1.f152c98~ds1/debian/changelog ring-20190215.1.f152c98~ds1/debian/changelog --- ring-20190215.1.f152c98~ds1/debian/changelog 2019-02-19 04:46:25.000000000 +0100 +++ ring-20190215.1.f152c98~ds1/debian/changelog 2021-04-22 19:03:02.000000000 +0200 @@ -1,3 +1,14 @@ +ring (20190215.1.f152c98~ds1-1+deb10u1) buster; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2021-21375 (Closes: #986815) + The embedded copy of pjproject is affected by this CVE. + Due to bad handling of two consecutive crafted answers to an INVITE, + the attacker is able to crash the server resulting in a denial of + service. + + -- Thorsten Alteholz <deb...@alteholz.de> Thu, 22 Apr 2021 19:03:02 +0200 + ring (20190215.1.f152c98~ds1-1) unstable; urgency=medium * New upstream version. diff -Nru ring-20190215.1.f152c98~ds1/debian/patches/CVE-2021-21375.patch ring-20190215.1.f152c98~ds1/debian/patches/CVE-2021-21375.patch --- ring-20190215.1.f152c98~ds1/debian/patches/CVE-2021-21375.patch 1970-01-01 01:00:00.000000000 +0100 +++ ring-20190215.1.f152c98~ds1/debian/patches/CVE-2021-21375.patch 2021-04-22 19:03:02.000000000 +0200 
@@ -0,0 +1,33 @@ +Index: ring-20190215.1.f152c98~ds1/daemon/contrib/tarballs-unpacked/pjproject-2.8.tar.gz/pjproject-2.8/pjmedia/src/pjmedia/sdp_neg.c +=================================================================== +--- ring-20190215.1.f152c98~ds1.orig/daemon/contrib/tarballs-unpacked/pjproject-2.8.tar.gz/pjproject-2.8/pjmedia/src/pjmedia/sdp_neg.c 2021-04-25 18:03:13.057447325 +0200 ++++ ring-20190215.1.f152c98~ds1/daemon/contrib/tarballs-unpacked/pjproject-2.8.tar.gz/pjproject-2.8/pjmedia/src/pjmedia/sdp_neg.c 2021-04-25 18:03:13.037446913 +0200 +@@ -304,7 +304,6 @@ + { + pjmedia_sdp_session *new_offer; + pjmedia_sdp_session *old_offer; +- char media_used[PJMEDIA_MAX_SDP_MEDIA]; + unsigned oi; /* old offer media index */ + pj_status_t status; + +@@ -323,8 +322,19 @@ + /* Change state to STATE_LOCAL_OFFER */ + neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER; + ++ /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE, ++ * it means that the previous initial SDP nego must have been failed, ++ * so we'll just set the local SDP offer here. ++ */ ++ if (!neg->active_local_sdp) { ++ neg->initial_sdp_tmp = NULL; ++ neg->initial_sdp = pjmedia_sdp_session_clone(pool, local); ++ neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local); ++ ++ return PJ_SUCCESS; ++ } ++ + /* Init vars */ +- pj_bzero(media_used, sizeof(media_used)); + old_offer = neg->active_local_sdp; + new_offer = pjmedia_sdp_session_clone(pool, local); + diff -Nru ring-20190215.1.f152c98~ds1/debian/patches/series ring-20190215.1.f152c98~ds1/debian/patches/series --- ring-20190215.1.f152c98~ds1/debian/patches/series 2019-02-19 04:46:25.000000000 +0100 +++ ring-20190215.1.f152c98~ds1/debian/patches/series 2021-04-22 19:03:02.000000000 +0200 @@ -1,3 +1,5 @@ dont-build-gnutls.patch namedirectory-old-restbed.patch jsoncpp-rename.patch + +CVE-2021-21375.patch
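
Review bot: in the debian/changelog hunk, the new entry reads "Non-maintainer upload by the LTS Team" while the distribution field is buster and the mail routes this upload through proposed-updates; that wording looks carried over from the Stretch upload and should match who is actually uploading here. The entry would also be easier to audit if it named the added file, debian/patches/CVE-2021-21375.patch, and stated that the change is to pjmedia/src/pjmedia/sdp_neg.c in the embedded pjproject-2.8.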
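
Review bot: debian/patches/CVE-2021-21375.patch begins directly at the "Index:" line with no Description, Origin or Bug-Debian header, so nothing in the file ties it to an upstream change that a reviewer could compare the backport against; please add a header giving the origin of the fix. In the inner hunks, the declaration of media_used (@@ -304,7 +304,6 @@) and its pj_bzero (@@ -323,8 +322,19 @@) are removed, but the context shown does not cover the rest of the function, so confirm that no other use of media_used remains in the pjproject-2.8 copy. Note also that the new "if (!neg->active_local_sdp)" branch returns PJ_SUCCESS after neg->state has already been set to PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER; a short sentence in the patch header saying this is the intended state for the early return would help the next reader.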
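
Review bot: the debian/patches/series hunk adds an empty line ahead of CVE-2021-21375.patch (the file grows from 3 to 5 lines for a single new patch). Drop the blank line so the series file stays a plain list with one patch name per line.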