CVE-2022-24793: Potential heap buffer overflow when parsing DNS packets in PJSIP
First published: Wed Apr 06 2022(Updated: )
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/asterisk | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:16.28.0~dfsg-0+deb11u4 1:20.6.0~dfsg+~cs6.13.40431414-2 | |
| debian/ring | <=20190215.1.f152c98~ds1-1+deb10u1<=20210112.2.b757bac~ds1-1 | 20190215.1.f152c98~ds1-1+deb10u2 20230206.0~ds2-1.1 20231201.0~ds1-1 |
| ubuntu/ring | <20180228.1.503 | 20180228.1.503 |
| ubuntu/ring | <20190215.1. | 20190215.1. |
| Teluu PJSIP | <=2.12 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 | |
| Debian GNU/Linux | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a
- https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
- https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://security.gentoo.org/glsa/202210-37
- https://www.debian.org/security/2022/dsa-5285
- https://launchpad.net/bugs/cve/CVE-2022-24793
- https://security-tracker.debian.org/tracker/CVE-2022-24793
- https://ubuntu.com/security/notices/USN-6422-1
- https://www.cve.org/CVERecord?id=CVE-2022-24793
- https://nvd.nist.gov/vuln/detail/CVE-2022-24793
- https://ubuntu.com/security/CVE-2022-24793
Frequently Asked Questions
What is CVE-2022-24793?
CVE-2022-24793 is a buffer overflow vulnerability in PJSIP DNS resolution that affects versions 2.12 and prior.
Which applications are affected by CVE-2022-24793?
Applications that use PJSIP DNS resolution are affected by CVE-2022-24793.
Does CVE-2022-24793 affect PJSIP users who utilize an external resolver?
No, PJSIP users who utilize an external resolver are not affected by CVE-2022-24793.
What is the severity of CVE-2022-24793?
CVE-2022-24793 has a severity rating of high (7.5).
How can I fix CVE-2022-24793?
To fix CVE-2022-24793, update to a version of PJSIP that is after 2.12.
- collector/launchpad-cve
- source/Launchpad
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/event
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- collector/nvd-index
- package-manager/debian
- package-manager/ubuntu
- vendor/pjsip
- canonical/teluu pjsip
- version/teluu pjsip/2.12
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0
- version/debian gnu/linux/11.0