From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp0 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id Ey2ZMFyDTmCVLwAA0tVLHw
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 14 Mar 2021 21:42:52 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0 with LMTPS
	id q0omLFyDTmDObQAA1q6Kng
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 14 Mar 2021 21:42:52 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 629FE18202
	for <larch@yhetil.org>; Sun, 14 Mar 2021 22:42:52 +0100 (CET)
Received: from localhost ([::1]:41754 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1lLYVf-0007Fh-JZ
	for larch@yhetil.org; Sun, 14 Mar 2021 17:42:51 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:55822)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lLYR0-0002J1-Oj
 for bug-guix@gnu.org; Sun, 14 Mar 2021 17:38:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:51023)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lLYR0-00040q-FP
 for bug-guix@gnu.org; Sun, 14 Mar 2021 17:38:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lLYR0-00030n-DK
 for bug-guix@gnu.org; Sun, 14 Mar 2021 17:38:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: bug#47143: pjproject package is vulnerable to CVE-2021-21375 and
 CVE-2020-15260
Resent-From: Mark H Weaver <mhw@netris.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Sun, 14 Mar 2021 21:38:02 +0000
Resent-Message-ID: <handler.47143.B.161575782711515@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 47143
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 47143@debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.161575782711515
 (code B ref -1); Sun, 14 Mar 2021 21:38:02 +0000
Received: (at submit) by debbugs.gnu.org; 14 Mar 2021 21:37:07 +0000
Received: from localhost ([127.0.0.1]:34336 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lLYQ6-0002ze-TU
 for submit@debbugs.gnu.org; Sun, 14 Mar 2021 17:37:07 -0400
Received: from lists.gnu.org ([209.51.188.17]:56524)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@netris.org>) id 1lLYQ5-0002zX-Lx
 for submit@debbugs.gnu.org; Sun, 14 Mar 2021 17:37:06 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:55762)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mhw@netris.org>) id 1lLYQ5-0000sq-Cr
 for bug-guix@gnu.org; Sun, 14 Mar 2021 17:37:05 -0400
Received: from world.peace.net ([64.112.178.59]:55714)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mhw@netris.org>) id 1lLYQ3-0003ZY-Lv
 for bug-guix@gnu.org; Sun, 14 Mar 2021 17:37:05 -0400
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mhw@netris.org>)
 id 1lLYQ2-00019v-2h; Sun, 14 Mar 2021 17:37:02 -0400
From: Mark H Weaver <mhw@netris.org>
References: <ff6b543fa968e4973c3075da4628d10dbc517f71.camel@zaclys.net>
Date: Sun, 14 Mar 2021 17:35:32 -0400
Message-ID: <87a6r5s9j4.fsf@netris.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@netris.org;
 helo=world.peace.net
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1615758172;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=xqxG4yNku8DcwhcO+Go8sOMfyqr+TzG+9NQ6BeAlNdc=;
	b=puwbXi0AnoxSkbf07QSPyCVC5UQ6OnB7GkmE/hMqRMWe+1JeMlxG7aJMWlLvcbO80/XSOa
	7sssD1PfIv3D7LwQ4xn06vpqlFhyl0sBYGERZD6nZegXsOj7IIbfxsnhXC6g+p1RKjqbw5
	ciF3MNfh0Kv8DY1mvSgFKUGMF3bkBEXepNRzbE3K4Boj67Sgsa46AnrDdtSvzQYRrXW9tc
	1Fc2J1c+ftRuXVFFGTzs4pN9wiXg2hzeeW9das2AUjxPRHaKsDESsR6bLOI2X2T1/XsyOI
	2DuJ5MQaKl+y/7aDao99k5WLNJhCyMCOr44PnRcHNigoiFOornShz1fsXA9pDw==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1615758172; a=rsa-sha256; cv=none;
	b=gF6q/gJWOtAyv9t9664oxyXrhxn+Q60r8w95SLbLZh/v4FJ/RwMGeJ05sx1fqFHC2MxDjB
	qVm4HFdp/ZYm2LhtUiCpLCvJNE66s5Ry8fB/HyCOHGev1wZd/POVFbYIC1484YvMh4GqEe
	bRtnvVDMs7//pTaWOMwTM9k6UNyeRJapne6cV/h4VsEr2S2pOO/IpcOvTQO16WbzAq6xqa
	LjEZX/fqzWhTmCPHp+EssMUU6uEzcQeHiy1wnbCHaZI1hP0mHdVGkwpHgX+xvnNxuRt60F
	swWP0jcyhYCD655tZ0dOJohF+5xPr/OFkCsusJW9ruZgVyNkkRxCbkOmGKXV9g==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Spam-Score: -4.50
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Queue-Id: 629FE18202
X-Spam-Score: -4.50
X-Migadu-Scanner: scn0.migadu.com
X-TUID: CPAXwEYs0Nz5

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

      Mark

-------------------- Start of forwarded message --------------------
Subject: pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-152=
60
From: L=C3=A9o Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Thu, 11 Mar 2021 03:30:42 +0100


--=-=-=
Content-Type: multipart/signed; boundary="==-=-="

--==-=-=
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

CVE-2021-21375	00:15
PJSIP is a free and open source multimedia communication library
written in C language implementing standard based protocols such as
SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier,
after an initial INVITE has been sent, when two 183 responses are
received, with the first one causing negotiation failure, a crash will
occur. This results in a denial of service.

CVE-2020-15260	00:15
PJSIP is a free and open source multimedia communication library
written in C language implementing standard based protocols such as
SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, PJSIP
transport can be reused if they have the same IP address + port +
protocol. However, this is insufficient for secure transport since it
lacks remote hostname authentication. Suppose we have created a TLS
connection to `sip.foo.com`, which has an IP address `100.1.1.1`. If we
want to create a TLS connection to another hostname, say `sip.bar.com`,
which has the same IP address, then it will reuse that existing
connection, even though `100.1.1.1` does not have certificate to
authenticate as `sip.bar.com`. The vulnerability allows for an insecure
interaction without user awareness. It affects users who need access to
connections to different destinations that translate to the same
address, and allows man-in-the-middle attack if attacker can route a
connection to another destination such as in the case of DNS spoofing.

Upstream has not made a release yet, I advise we wait for a release on
their end then upgrade. To be monitored.

--==-=-=
Content-Type: application/pgp-signature; name=signature.asc
Content-Transfer-Encoding: base64
Content-Description: This is a digitally signed message part

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUVGSXZMaTlnTCt4
YXgzZzZSUmFpeDZHdk5FS1lGQW1CSmdOSUFDZ2tRUmFpeDZHdk4KRUtZeEZ3LzlILzJCSmZpQ2k2
dHdJQ2YxMVZEN21vdkpXZ3Z0Q1FkVVQ1Q2swd0d5VUdtUzN5L0JaanFSbThSawpUZWdLRlpMRFlT
dmE0dW4reUhheWZTVmpOdFVwcXhEN25kcWN5YnlwUG1Fa0JiREh2V3Bvbjc0RVJBVTBBUldGCk1I
SVVBaElMSjBVNDc3ZllOSFQ4VmxqdVlWMWxyUUFWZ1AvY2k3WHBwTWtRK24yeFFmMnBtMjFTeURL
dC9EZlgKZ1NSZjRnd1U5b2d5U1VXSmg5VTVEbmY3L21zRTRNR1F5WTFXd21pZkJmRGprcWtpbjh0
dWd5RzhrMitJYXRaagpjcjdCVXZWUlFpSXAzaTB6MG9jK01YZjhTaFNrNEZZcVFycitUdVRPNjlX
a3lkcHlrZ3hBVUFuZ0RJY0VaeCtXCjJzVmVsU3BYWmZ5OHNmVm9XY1dPaVhvZTVLWmREUFVhMW9R
SzYwZ0g5V1kxMTlkQ0YvVlNBbmpCZFhWanJSWWgKMFZOTUx6NzJpVDZ4cFZvME9KNlVCbDFxRWFo
RC8zUFhxSUIycHlIRWpaNlJPUkNldGpoU0JtUHRIVVZnMDNZcApvdEYvYUJreDZGcXUxSWorSXlY
Tk14dHhkM0Vjam5PTXg3QUNpeEdXaDVyRHhXSXJMZ01UMFNYQmNsdy9rSXNvCm4rZlVaNms5MjQ1
UkdEd3pVemVXeXZJLytEMTJ3TmdRbDkxTE9namVZZ2lGaEtyT2l0aDFyMEFxZlV4TU9ydS8KSnli
dXh3cVFNa1p2VTdFcjlEUnBEK0U1TlUxSkdIQVdQWGRLOURwNHk4Y2FuZGRpNmUwcHp2R1p5Zzdv
S05LRwpMZ0QwQVVwK1VxTlJzVVdHWFdiYVZEaVJzTURMTmZqTFduemlLMDRtSW5xSGJGM1FvZEE9
Cj1STG1OCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=
--==-=-=--

--=-=-=
Content-Type: text/plain

-------------------- End of forwarded message --------------------

--=-=-=--