CVE-2022-24793

Name: CVE-2022-24793

Description: PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP's built-in DNS resolution. It does not affect PJSIP users who use an external resolver. This vulnerability is related to CVE-2023-27585; the difference is that this issue is in parsing the query record in `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. As a workaround, disable DNS resolution in the PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.

NVD Severity: medium

References

| Type | URI |
| --- | --- |
| MISC | https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a |
| CONFIRM | https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 |
| mailing-list | https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html |
| vendor-advisory | https://security.gentoo.org/glsa/202210-37 |
| mailing-list | https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html |
| vendor-advisory | https://www.debian.org/security/2022/dsa-5285 |
| mailing-list | https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | pjproject | >= 0 | <= 2.12 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| pjproject | edge-main | 2.12.1-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| pjproject | edge-main | 2.12-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| pjproject | edge-main | 2.11.1-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| pjproject | edge-main | 2.11-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| pjproject | 3.22-main | 2.12.1-r0 | None | fixed |
| pjproject | 3.22-main | 2.12-r0 | None | possibly vulnerable |
| pjproject | 3.22-main | 2.11.1-r0 | None | possibly vulnerable |
| pjproject | 3.22-main | 2.11-r0 | None | possibly vulnerable |
| pjproject | 3.21-main | 2.12.1-r0 | None | fixed |
| pjproject | 3.21-main | 2.12-r0 | None | possibly vulnerable |
| pjproject | 3.21-main | 2.11.1-r0 | None | possibly vulnerable |
| pjproject | 3.21-main | 2.11-r0 | None | possibly vulnerable |
| pjproject | 3.20-main | 2.12.1-r0 | None | fixed |
| pjproject | 3.20-main | 2.12-r0 | None | possibly vulnerable |
| pjproject | 3.20-main | 2.11.1-r0 | None | possibly vulnerable |
| pjproject | 3.20-main | 2.11-r0 | None | possibly vulnerable |
| pjproject | 3.19-main | 2.12.1-r0 | None | fixed |
| pjproject | 3.19-main | 2.12-r0 | None | possibly vulnerable |
| pjproject | 3.19-main | 2.11.1-r0 | None | possibly vulnerable |
| pjproject | 3.19-main | 2.11-r0 | None | possibly vulnerable |
| pjproject | 3.18-main | 2.12.1-r0 | None | fixed |
| pjproject | 3.17-main | 2.12.1-r0 | None | fixed |