CVE-2022-23608

Name

CVE-2022-23608

Description

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Issue Tracking	https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
Patch	https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
FULLDISC	http://seclists.org/fulldisclosure/2022/Mar/1
MISC	http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html
MLIST	https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
MLIST	https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html
Third Party Advisory	https://security.gentoo.org/glsa/202210-37
MLIST	https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
DEBIAN	https://www.debian.org/security/2022/dsa-5285
MLIST	https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html

References

Match rules

Vulnerable and fixed packages