commit:     0697e55a6fa27051a99aa59fde8b5716c022696e
Author:     Jaco Kroon <jaco <AT> uls <DOT> co <DOT> za>
AuthorDate: Mon Mar 13 06:54:28 2023 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Wed Apr  5 11:56:14 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0697e55a

net-libs/pjproject: Add 2.13-r1

Bug: https://bugs.gentoo.org/887559
Closes: https://bugs.gentoo.org/888879
Signed-off-by: Jaco Kroon <jaco <AT> uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/30088
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 ...3537-buffer-overread-on-STUN-error-decode.patch |  95 ++++++++++++++
 ...2022-23547-buffer-overread-on-STUN-decode.patch |  50 ++++++++
 ...NOTIFY-tdata-is-set-before-sending-it_new.patch |  46 +++++++
 net-libs/pjproject/pjproject-2.13-r1.ebuild        | 142 +++++++++++++++++++++
 4 files changed, 333 insertions(+)

diff --git 
a/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23537-buffer-overread-on-STUN-error-decode.patch
 
b/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23537-buffer-overread-on-STUN-error-decode.patch
new file mode 100644
index 000000000000..bfd1fc05e160
--- /dev/null
+++ 
b/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23537-buffer-overread-on-STUN-error-decode.patch
@@ -0,0 +1,95 @@
+From d8440f4d711a654b511f50f79c0445b26f9dd1e1 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <[email protected]>
+Date: Tue, 20 Dec 2022 11:39:12 +0700
+Subject: [PATCH] Merge pull request from GHSA-9pfh-r8x4-w26w
+
+* Fix buffer overread in STUN message decoder
+
+* Updates based on comments
+---
+ pjnath/include/pjnath/stun_msg.h |  4 ++++
+ pjnath/src/pjnath/stun_msg.c     | 14 +++++++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/pjnath/include/pjnath/stun_msg.h 
b/pjnath/include/pjnath/stun_msg.h
+index b52f95c586..e49f096f3a 100644
+--- a/pjnath/include/pjnath/stun_msg.h
++++ b/pjnath/include/pjnath/stun_msg.h
+@@ -442,6 +442,7 @@ typedef enum pj_stun_status
+ 
+    \endverbatim
+  */
++#pragma pack(1)
+ typedef struct pj_stun_msg_hdr
+ {
+     /**
+@@ -473,6 +474,7 @@ typedef struct pj_stun_msg_hdr
+     pj_uint8_t          tsx_id[12];
+ 
+ } pj_stun_msg_hdr;
++#pragma pack()
+ 
+ 
+ /**
+@@ -490,6 +492,7 @@ typedef struct pj_stun_msg_hdr
+ 
+    \endverbatim
+  */
++#pragma pack(1)
+ typedef struct pj_stun_attr_hdr
+ {
+     /**
+@@ -506,6 +509,7 @@ typedef struct pj_stun_attr_hdr
+     pj_uint16_t         length;
+ 
+ } pj_stun_attr_hdr;
++#pragma pack()
+ 
+ 
+ /**
+diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
+index 3def6b3eac..e904a0ba47 100644
+--- a/pjnath/src/pjnath/stun_msg.c
++++ b/pjnath/src/pjnath/stun_msg.c
+@@ -746,7 +746,7 @@ PJ_DEF(int) pj_stun_set_padding_char(int chr)
+ 
+ #define INIT_ATTR(a,t,l)    (a)->hdr.type=(pj_uint16_t)(t), \
+                             (a)->hdr.length=(pj_uint16_t)(l)
+-#define ATTR_HDR_LEN        4
++#define ATTR_HDR_LEN        sizeof(pj_stun_attr_hdr)
+ 
+ static pj_uint16_t GETVAL16H(const pj_uint8_t *buf, unsigned pos)
+ {
+@@ -2327,6 +2327,14 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         status = pj_stun_msg_check(pdu, pdu_len, options);
+         if (status != PJ_SUCCESS)
+             return status;
++    } else {
++        /* For safety, verify packet length at least */
++        pj_uint32_t msg_len = GETVAL16H(pdu, 2) + 20;
++        if (msg_len > pdu_len ||
++            ((options & PJ_STUN_IS_DATAGRAM) && msg_len != pdu_len))
++        {
++            return PJNATH_EINSTUNMSGLEN;
++        }
+     }
+ 
+     /* Create the message, copy the header, and convert to host byte order */
+@@ -2345,7 +2353,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         p_response = NULL;
+ 
+     /* Parse attributes */
+-    while (pdu_len >= 4) {
++    while (pdu_len >= ATTR_HDR_LEN) {
+         unsigned attr_type, attr_val_len;
+         const struct attr_desc *adesc;
+ 
+@@ -2357,7 +2365,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+         attr_val_len = (attr_val_len + 3) & (~3);
+ 
+         /* Check length */
+-        if (pdu_len < attr_val_len) {
++        if (pdu_len < attr_val_len + ATTR_HDR_LEN) {
+             pj_str_t err_msg;
+             char err_msg_buf[80];
+ 
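Review bot: The added `else` branch in `pj_stun_msg_decode` reads the length field with `GETVAL16H(pdu, 2)` before anything visible in this hunk has established that `pdu_len` covers the 20-byte STUN header, so a very short packet decoded without `PJ_STUN_CHECK_PACKET` could still be read past its end. The function starts outside the hunk, so an earlier size check may already exist; if it does not, the branch should begin with `if (pdu_len < sizeof(pj_stun_msg_hdr)) return PJNATH_EINSTUNMSGLEN;`. Writing `sizeof(pj_stun_msg_hdr)` instead of the literal `20` in the `msg_len` computation would also match the `ATTR_HDR_LEN` change made in the same patch.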

diff --git 
a/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23547-buffer-overread-on-STUN-decode.patch
 
b/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23547-buffer-overread-on-STUN-decode.patch
new file mode 100644
index 000000000000..499ce4373b56
--- /dev/null
+++ 
b/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23547-buffer-overread-on-STUN-decode.patch
@@ -0,0 +1,50 @@
+From bc4812d31a67d5e2f973fbfaf950d6118226cf36 Mon Sep 17 00:00:00 2001
+From: sauwming <[email protected]>
+Date: Fri, 23 Dec 2022 15:05:28 +0800
+Subject: [PATCH] Merge pull request from GHSA-cxwq-5g9x-x7fr
+
+* Fixed heap buffer overflow when parsing STUN errcode attribute
+
+* Also fixed uint parsing
+---
+ pjnath/src/pjnath/stun_msg.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
+index c6b0bdd284..b55d29849a 100644
+--- a/pjnath/src/pjnath/stun_msg.c
++++ b/pjnath/src/pjnath/stun_msg.c
+@@ -1438,12 +1438,12 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
+     attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
+     GETATTRHDR(buf, &attr->hdr);
+ 
+-    attr->value = GETVAL32H(buf, 4);
+-
+     /* Check that the attribute length is valid */
+     if (attr->hdr.length != 4)
+         return PJNATH_ESTUNINATTRLEN;
+ 
++    attr->value = GETVAL32H(buf, 4);
++
+     /* Done */
+     *p_attr = attr;
+ 
+@@ -1757,14 +1757,15 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
+     attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
+     GETATTRHDR(buf, &attr->hdr);
+ 
++    /* Check that the attribute length is valid */
++    if (attr->hdr.length < 4)
++        return PJNATH_ESTUNINATTRLEN;
++
+     attr->err_code = buf[6] * 100 + buf[7];
+ 
+     /* Get pointer to the string in the message */
+     value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
+     value.slen = attr->hdr.length - 4;
+-    /* Make sure the length is never negative */
+-    if (value.slen < 0)
+-        value.slen = 0;
+ 
+     /* Copy the string to the attribute */
+     pj_strdup(pool, &attr->reason, &value);
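Review bot: The new `attr->hdr.length < 4` check in `decode_errcode_attr` (and the moved `!= 4` check in `decode_uint_attr`) validates only the length the attribute declares about itself. The reads of `buf[6]`, `buf[7]`, `GETVAL32H(buf, 4)` and the `pj_strdup` of `hdr.length - 4` bytes stay in bounds only if the caller has already confirmed that header plus value fit in the remaining PDU. That check appears to be the `pdu_len < attr_val_len + ATTR_HDR_LEN` test added by the other STUN patch in this commit, so the two must stay applied together; a comment above each length check such as `/* Caller has verified that ATTR_HDR_LEN + padded length fits in the PDU */` would record the dependency. Both function bodies start outside the hunks shown. The descriptive suffixes of the two STUN patch filenames also look swapped relative to their subjects: this file is named `...STUN-decode` but fixes errcode parsing, while the `...STUN-error-decode` file fixes the message decoder.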

diff --git 
a/net-libs/pjproject/files/pjproject-2.13-r1-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new.patch
 
b/net-libs/pjproject/files/pjproject-2.13-r1-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new.patch
new file mode 100644
index 000000000000..009060a124d8
--- /dev/null
+++ 
b/net-libs/pjproject/files/pjproject-2.13-r1-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new.patch
@@ -0,0 +1,46 @@
+From ac685b30c17be461b2bf5b46a772ed9742b8e985 Mon Sep 17 00:00:00 2001
+From: Riza Sulistyo <[email protected]>
+Date: Thu, 9 Feb 2023 13:19:23 +0700
+Subject: [PATCH] Make sure that NOTIFY tdata is set before sending it.
+
+---
+ pjsip/src/pjsip-simple/evsub.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pjsip/src/pjsip-simple/evsub.c b/pjsip/src/pjsip-simple/evsub.c
+index da0a9b416..68c1d3951 100644
+--- a/pjsip/src/pjsip-simple/evsub.c
++++ b/pjsip/src/pjsip-simple/evsub.c
+@@ -2216,23 +2216,26 @@ static void on_tsx_state_uas( pjsip_evsub *sub, 
pjsip_transaction *tsx,
+             }
+ 
+         }  else {
+             sub->state = old_state;
+             sub->state_str = old_state_str;
+         }
+ 
+         /* Send the pending NOTIFY sent by app from inside
+          * on_rx_refresh() callback.
+          */
+-        pj_assert(sub->pending_notify);
+-        status = pjsip_evsub_send_request(sub, sub->pending_notify);
+-        sub->pending_notify = NULL;
++        //pj_assert(sub->pending_notify);
++        /* Make sure that pending_notify is set. */
++        if (sub->pending_notify) {
++            status = pjsip_evsub_send_request(sub, sub->pending_notify);
++            sub->pending_notify = NULL;
++        }
+ 
+     } else if (pjsip_method_cmp(&tsx->method, &pjsip_notify_method)==0) {
+ 
+         /* Handle authentication */
+         if (tsx->state == PJSIP_TSX_STATE_COMPLETED &&
+             (tsx->status_code==401 || tsx->status_code==407))
+         {
+             pjsip_tx_data *tdata;
+             pj_status_t status;
+             pjsip_rx_data *rdata = event->body.tsx_state.src.rdata;
+-- 
+2.39.1
+
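Review bot: With the assert replaced by `if (sub->pending_notify)`, a missing pending NOTIFY is skipped without any trace and `status` is not assigned on that path. Whether `status` is read afterwards cannot be seen here, because `on_tsx_state_uas` begins and continues outside the hunk. The commented-out `//pj_assert(sub->pending_notify);` should be deleted rather than left behind, since it is dead code and the file otherwise uses `/* */` comments. The new comment could say why the pointer may be NULL, for example `/* pending_notify may be NULL if no NOTIFY was queued from on_rx_refresh(); nothing to send then. */`. A debug-level log line in the skipped case would make the condition that used to trip the assert diagnosable.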

diff --git a/net-libs/pjproject/pjproject-2.13-r1.ebuild 
b/net-libs/pjproject/pjproject-2.13-r1.ebuild
new file mode 100644
index 000000000000..5fc988110f6f
--- /dev/null
+++ b/net-libs/pjproject/pjproject-2.13-r1.ebuild
@@ -0,0 +1,142 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+# TODO: Figure out a way to disable SRTP from pjproject entirely.
+EAPI=8
+
+inherit autotools flag-o-matic toolchain-funcs
+
+DESCRIPTION="Open source SIP, Media, and NAT Traversal Library"
+HOMEPAGE="https://github.com/pjsip/pjproject https://www.pjsip.org/";
+SRC_URI="https://github.com/pjsip/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86"
+
+LICENSE="GPL-2"
+SLOT="0/${PV}"
+
+# g729 not included due to special bcg729 handling.
+CODEC_FLAGS="g711 g722 g7221 gsm ilbc speex l16"
+VIDEO_FLAGS="sdl ffmpeg v4l2 openh264 libyuv vpx"
+SOUND_FLAGS="alsa portaudio"
+IUSE="amr debug epoll examples opus resample silk ssl static-libs webrtc
+       ${CODEC_FLAGS} g729
+       ${VIDEO_FLAGS}
+       ${SOUND_FLAGS}"
+
+RDEPEND=">=net-libs/libsrtp-2.3.0:=
+       alsa? ( media-libs/alsa-lib )
+       amr? ( media-libs/opencore-amr )
+       ffmpeg? ( media-video/ffmpeg:= )
+       g729? ( media-libs/bcg729 )
+       gsm? ( media-sound/gsm )
+       ilbc? ( media-libs/libilbc )
+       openh264? ( media-libs/openh264 )
+       opus? ( media-libs/opus )
+       portaudio? ( media-libs/portaudio )
+       resample? ( media-libs/libsamplerate )
+       sdl? ( media-libs/libsdl )
+       speex? (
+               media-libs/speex
+               media-libs/speexdsp
+       )
+       ssl? (
+               dev-libs/openssl:0=
+       )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+PATCHES=(
+       
"${FILESDIR}/pjproject-2.13-r1-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new.patch"
+       
"${FILESDIR}/pjproject-2.13-r1-CVE-2022-23537-buffer-overread-on-STUN-error-decode.patch"
+       
"${FILESDIR}/pjproject-2.13-r1-CVE-2022-23547-buffer-overread-on-STUN-decode.patch"
+)
+
+src_prepare() {
+       default
+       rm configure || die "Unable to remove unwanted wrapper"
+       mv aconfigure.ac configure.ac || die "Unable to rename configure script 
source"
+       eautoreconf
+
+       cp "${FILESDIR}/pjproject-2.12.1-config_site.h" 
"${S}/pjlib/include/pj/config_site.h" || die "Unable to create config_site.h"
+}
+
+_pj_enable() {
+       usex "$1" '' "--disable-${2:-$1}"
+}
+
+_pj_get_define() {
+       local r="$(sed -nre "s/^#define[[:space:]]+$1[[:space:]]+//p" 
"${S}/pjlib/include/pj/config_site.h")"
+       [[ -z "${r}" ]] && die "Unable to fine #define $1 in config_site.h"
+       echo "$r"
+}
+
+_pj_set_define() {
+       local c=$(_pj_get_define "$1")
+       [[ "$c" = "$2" ]] && return 0
+       sed -re "s/^#define[[:space:]]+$1[[:space:]].*/#define $1 $2/" -i 
"${S}/pjlib/include/pj/config_site.h" || die "sed failed updating $1 to $2."
+       [[ "$(_pj_get_define "$1")" != "$2" ]] && die "sed failed to perform 
update for $1 to $2."
+}
+
+_pj_use_set_define() {
+       _pj_set_define "$2" $(usex "$1" 1 0)
+}
+
+src_configure() {
+       local myconf=()
+       local videnable="--disable-video"
+       local t
+
+       use debug || append-cflags -DNDEBUG=1
+
+       for t in ${CODEC_FLAGS}; do
+               myconf+=( $(_pj_enable ${t} ${t}-codec) )
+       done
+       myconf+=( $(_pj_enable g729 bcg729) )
+
+       for t in ${VIDEO_FLAGS}; do
+               myconf+=( $(_pj_enable ${t}) )
+               use "${t}" && videnable="--enable-video"
+       done
+
+       [ "${videnable}" = "--enable-video" ] && _pj_set_define 
PJMEDIA_HAS_VIDEO 1 || _pj_set_define PJMEDIA_HAS_VIDEO 0
+
+       LD="$(tc-getCC)" econf \
+               --enable-shared \
+               --with-external-srtp \
+               ${videnable} \
+               $(_pj_enable alsa sound) \
+               $(_pj_enable amr opencore-amr) \
+               $(_pj_enable epoll) \
+               $(_pj_enable opus) \
+               $(_pj_enable portaudio ext-sound) \
+               $(_pj_enable resample libsamplerate) \
+               $(_pj_enable resample resample-dll) \
+               $(_pj_enable resample) \
+               $(_pj_enable silk) \
+               $(_pj_enable speex speex-aec) \
+               $(_pj_enable ssl) \
+               $(_pj_enable webrtc libwebrtc) \
+               $(use_with gsm external-gsm) \
+               $(use_with portaudio external-pa) \
+               $(use_with speex external-speex) \
+               "${myconf[@]}"
+}
+
+src_compile() {
+       emake dep LD="$(tc-getCC)"
+       emake LD="$(tc-getCC)"
+}
+
+src_install() {
+       default
+
+       newbin pjsip-apps/bin/pjsua-${CHOST} pjsua
+       newbin pjsip-apps/bin/pjsystest-${CHOST} pjsystest
+
+       if use examples; then
+               insinto "/usr/share/doc/${PF}/examples"
+               doins -r pjsip-apps/src/samples
+       fi
+
+       use static-libs || rm "${ED}/usr/$(get_libdir)"/*.a || die "Error 
removing static archives"
+}
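Review bot: In `src_configure`, the chain `[ "${videnable}" = "--enable-video" ] && _pj_set_define PJMEDIA_HAS_VIDEO 1 || _pj_set_define PJMEDIA_HAS_VIDEO 0` can undo its own work. The last command of `_pj_set_define` is `[[ ... != "$2" ]] && die ...`, whose test is false after a successful rewrite, so the function returns non-zero on success and the `||` arm then sets the define back to 0. This only happens when `config_site.h` does not already define the value as 1 (that file is not shown here), and the result is `--enable-video` passed to configure while `PJMEDIA_HAS_VIDEO` is 0. End `_pj_set_define` with an explicit `return 0`, and write the call as `if [[ ${videnable} == --enable-video ]]; then _pj_set_define PJMEDIA_HAS_VIDEO 1; else _pj_set_define PJMEDIA_HAS_VIDEO 0; fi`. The `die` message in `_pj_get_define` also has a typo, "Unable to fine", which should read "Unable to find".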
