Bug 2242526 (CVE-2023-38703) - CVE-2023-38703 pjsip: Use-after-free in SRTP media transport
Summary: CVE-2023-38703 pjsip: Use-after-free in SRTP media transport
Keywords:
Status: NEW
Alias: CVE-2023-38703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2242527 2242528
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-10-06 18:03 UTC by Patrick Del Bello
Modified: 2023-10-06 18:04 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Patrick Del Bello 2023-10-06 18:03:46 UTC 
PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport that may introduce use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other than UDP. This vulnerability’s impact may range from unexpected application termination to control flow hijack/memory corruption. The patch is available as a commit in the master branch.


https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d
https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
Comment 1 Patrick Del Bello 2023-10-06 18:04:02 UTC 
Created pjproject tracking bugs for this issue:

Affects: epel-all [bug 2242527]
Affects: fedora-all [bug 2242528]
Note You need to log in before you can comment on or make changes to this bug.