Bug 2242526 (CVE-2023-38703) - CVE-2023-38703 pjsip: Use-after-free in SRTP media transport
Summary: CVE-2023-38703 pjsip: Use-after-free in SRTP media transport
Status: NEW
Alias: CVE-2023-38703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2242527 2242528
TreeView+ depends on / blocked
Reported: 2023-10-06 18:03 UTC by Patrick Del Bello
Modified: 2023-10-06 18:04 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Patrick Del Bello 2023-10-06 18:03:46 UTC
PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport that may introduce use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other than UDP. This vulnerability’s impact may range from unexpected application termination to control flow hijack/memory corruption. The patch is available as a commit in the master branch.


Comment 1 Patrick Del Bello 2023-10-06 18:04:02 UTC
Created pjproject tracking bugs for this issue:

Affects: epel-all [bug 2242527]
Affects: fedora-all [bug 2242528]

Note You need to log in before you can comment on or make changes to this bug.