CVE-2023-27585: Buffer Overflow
First published: Tue Mar 14 2023(Updated: )
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Teluu PJSIP | <2.13 | |
| ubuntu/ring | <20180228.1.503 | 20180228.1.503 |
| ubuntu/ring | <20190215.1. | 20190215.1. |
| ubuntu/ring | <20230206.0~ | 20230206.0~ |
| ubuntu/ring | <20230206.0~ | 20230206.0~ |
| debian/asterisk | <=1:16.2.1~dfsg-1+deb10u2 | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:16.28.0~dfsg-0+deb11u4 1:20.6.0~dfsg+~cs6.13.40431414-2 |
| debian/ring | <=20190215.1.f152c98~ds1-1+deb10u1<=20210112.2.b757bac~ds1-1<=20230206.0~ds2-1.1 | 20190215.1.f152c98~ds1-1+deb10u2 20231201.0~ds1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pjsip/pjproject/commit/d1c5e4da5bae7f220bc30719888bb389c905c0c5
- https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
- https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr
- https://lists.debian.org/debian-lts-announce/2023/04/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://www.debian.org/security/2023/dsa-5438
- https://www.pjsip.org/pjlib-util/docs/html/group__PJ__DNS__RESOLVER.htm
- https://security-tracker.debian.org/tracker/CVE-2023-27585
- https://security-tracker.debian.org/tracker/CVE-2022-24793
- https://www.cve.org/CVERecord?id=CVE-2023-27585
- http://dr.jones.dk/
- https://ko-fi.com/drjones
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036697
- https://launchpad.net/bugs/cve/CVE-2023-27585
- https://ubuntu.com/security/notices/USN-6422-1
- https://ubuntu.com/security/notices/USN-6422-2
- https://nvd.nist.gov/vuln/detail/CVE-2023-27585
- https://ubuntu.com/security/CVE-2023-27585
Frequently Asked Questions
What is CVE-2023-27585?
CVE-2023-27585 is a buffer overflow vulnerability in PJSIP DNS resolver affecting versions 2.13 and prior.
Who is affected by CVE-2023-27585?
Applications that use PJSIP DNS resolver version 2.13 and prior are affected by CVE-2023-27585.
How severe is CVE-2023-27585?
CVE-2023-27585 has a severity rating of 7.5 (high).
How can I fix CVE-2023-27585?
Updating to a version of PJSIP that is not affected by CVE-2023-27585 is recommended.
Where can I find more information about CVE-2023-27585?
More information about CVE-2023-27585 can be found at the following references: [1] [2] [3].
- collector/nvd-api
- collector/nvd-index
- collector/debian-bugs
- alias/CVE-2023-27585
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/event
- agent/tags
- agent/trending
- vendor/teluu
- canonical/teluu pjsip
- package-manager/debian
- package-manager/ubuntu