From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 0AFB813835A for ; Thu, 11 Mar 2021 08:27:21 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 501A9E0984; Thu, 11 Mar 2021 08:27:20 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2A260E0984 for ; Thu, 11 Mar 2021 08:27:20 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id D60C7340DC6 for ; Thu, 11 Mar 2021 08:27:17 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 48D1A573 for ; Thu, 11 Mar 2021 08:27:16 +0000 (UTC) From: "Sam James" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sam James" Message-ID: <1615450784.69e63f7c831f2a585cd34cb74a3f8bbff901f798.sam@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: net-libs/pjproject/files/, net-libs/pjproject/ X-VCS-Repository: repo/gentoo X-VCS-Files: net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch net-libs/pjproject/pjproject-2.10-r1.ebuild X-VCS-Directories: net-libs/pjproject/ net-libs/pjproject/files/ X-VCS-Committer: sam X-VCS-Committer-Name: Sam James X-VCS-Revision: 69e63f7c831f2a585cd34cb74a3f8bbff901f798 X-VCS-Branch: master Date: Thu, 11 Mar 2021 08:27:16 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 8435262a-6957-4eb6-9be0-e13c3a4c6779 X-Archives-Hash: 3aa6c28a0fb15b2d99056ab38f9f17f1 commit: 69e63f7c831f2a585cd34cb74a3f8bbff901f798 Author: Jaco Kroon uls co za> AuthorDate: Thu Mar 11 07:34:54 2021 +0000 Commit: Sam James gentoo org> CommitDate: Thu Mar 11 08:19:44 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69e63f7c net-libs/pjproject: security rev bump to 2.10-r1 Upstream didn't release a new version as one would expect. Instead patches are applied locally. Also add subslot because they are equally good at maintaining ABI compatibility, and SONAME is never updated, thus we need to be able to depend on subslots to rebuild (preserved-rebuild is no good). Bug: https://bugs.gentoo.org/775359 Bug: https://bugs.gentoo.org/775353 Package-Manager: Portage-3.0.13, Repoman-3.0.2 Signed-off-by: Jaco Kroon uls.co.za> Closes: https://github.com/gentoo/gentoo/pull/19876 Signed-off-by: Sam James gentoo.org> ...ct-2.10-CVE-2020-15260-tls-hostname-check.patch | 125 +++++++++++++++++++++ ...-CVE-2021-21375-negotiation-failure-crash.patch | 45 ++++++++ ...ion-between-transport-destroy-and-acquire.patch | 108 ++++++++++++++++++ net-libs/pjproject/pjproject-2.10-r1.ebuild | 125 +++++++++++++++++++++ 4 files changed, 403 insertions(+) diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch new file mode 100644 index 00000000000..0d7df686a15 --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch @@ -0,0 +1,125 @@ +From 67e46c1ac45ad784db5b9080f5ed8b133c122872 Mon Sep 17 00:00:00 2001 +From: sauwming +Date: Mon, 8 Mar 2021 17:39:36 +0800 +Subject: [PATCH] Merge pull request from GHSA-8hcp-hm38-mfph + +* Check hostname during TLS transport selection + +* revision based on feedback + +* remove the code in create_request that has been moved +--- + pjsip/include/pjsip/sip_dialog.h | 1 + + pjsip/src/pjsip/sip_dialog.c | 15 +++++++++++++++ + pjsip/src/pjsip/sip_transport.c | 13 +++++++++++++ + pjsip/src/pjsip/sip_util.c | 11 ++++++++--- + 4 files changed, 37 insertions(+), 3 deletions(-) + +diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h +index a0214d28c..e314c2ece 100644 +--- a/pjsip/include/pjsip/sip_dialog.h ++++ b/pjsip/include/pjsip/sip_dialog.h +@@ -165,6 +165,7 @@ struct pjsip_dialog + pjsip_route_hdr route_set; /**< Route set. */ + pj_bool_t route_set_frozen; /**< Route set has been set. */ + pjsip_auth_clt_sess auth_sess; /**< Client authentication session. */ ++ pj_str_t initial_dest;/**< Initial destination host. */ + + /** Session counter. */ + int sess_count; /**< Number of sessions. */ +diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c +index 27530e4f2..9571b5a35 100644 +--- a/pjsip/src/pjsip/sip_dialog.c ++++ b/pjsip/src/pjsip/sip_dialog.c +@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua, + + /* Save the remote info. */ + pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp); ++ ++ /* Save initial destination host from transport's info */ ++ pj_strdup(dlg->pool, &dlg->initial_dest, ++ &rdata->tp_info.transport->remote_name.host); + + + /* Init remote's contact from Contact header. +@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg, + return status; + } + ++ /* Copy the initial destination host to tdata. This information can be ++ * used later by transport for transport selection. ++ */ ++ if (dlg->initial_dest.slen) ++ pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest); ++ + /* Done. */ + *p_tdata = tdata; + +@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata) + * transaction as the initial transaction that establishes dialog. + */ + if (dlg->role == PJSIP_ROLE_UAC) { ++ /* Save initial destination host from transport's info. */ ++ if (!dlg->initial_dest.slen) { ++ pj_strdup(dlg->pool, &dlg->initial_dest, ++ &rdata->tp_info.transport->remote_name.host); ++ } + + /* Ignore subsequent request from remote */ + if (msg->type != PJSIP_RESPONSE_MSG) +diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c +index bef6d24fe..177274b08 100644 +--- a/pjsip/src/pjsip/sip_transport.c ++++ b/pjsip/src/pjsip/sip_transport.c +@@ -2335,6 +2335,19 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + if (!tp_iter->tp->is_shutdown && + !tp_iter->tp->is_destroying) + { ++ if ((type & PJSIP_TRANSPORT_SECURE) && tdata) { ++ /* For secure transport, make sure tdata's ++ * destination host matches the transport's ++ * remote host. ++ */ ++ if (pj_stricmp(&tdata->dest_info.name, ++ &tp_iter->tp->remote_name.host)) ++ { ++ tp_iter = tp_iter->next; ++ continue; ++ } ++ } ++ + if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER && + sel->u.listener) + { +diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c +index a1bf878ea..cf916805d 100644 +--- a/pjsip/src/pjsip/sip_util.c ++++ b/pjsip/src/pjsip/sip_util.c +@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt, + */ + if (tdata->dest_info.addr.count == 0) { + /* Copy the destination host name to TX data */ +- pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host); ++ if (!tdata->dest_info.name.slen) { ++ pj_strdup(tdata->pool, &tdata->dest_info.name, ++ &dest_info.addr.host); ++ } + + pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data, + &stateless_send_resolver_callback); +@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt, + } + } else { + /* Copy the destination host name to TX data */ +- pj_strdup(tdata->pool, &tdata->dest_info.name, +- &res_addr->dst_host.addr.host); ++ if (!tdata->dest_info.name.slen) { ++ pj_strdup(tdata->pool, &tdata->dest_info.name, ++ &res_addr->dst_host.addr.host); ++ } + + pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host, + send_state, &send_response_resolver_cb); +-- +2.26.2 + diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch new file mode 100644 index 00000000000..9dc9016e491 --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch @@ -0,0 +1,45 @@ +From 97b3d7addbaa720b7ddb0af9bf6f3e443e664365 Mon Sep 17 00:00:00 2001 +From: Nanang Izzuddin +Date: Mon, 8 Mar 2021 16:09:34 +0700 +Subject: [PATCH] Merge pull request from GHSA-hvq6-f89p-frvp + +--- + pjmedia/src/pjmedia/sdp_neg.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/pjmedia/src/pjmedia/sdp_neg.c b/pjmedia/src/pjmedia/sdp_neg.c +index f4838f75d..9f76b5200 100644 +--- a/pjmedia/src/pjmedia/sdp_neg.c ++++ b/pjmedia/src/pjmedia/sdp_neg.c +@@ -304,7 +304,6 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2( + { + pjmedia_sdp_session *new_offer; + pjmedia_sdp_session *old_offer; +- char media_used[PJMEDIA_MAX_SDP_MEDIA]; + unsigned oi; /* old offer media index */ + pj_status_t status; + +@@ -323,8 +322,19 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2( + /* Change state to STATE_LOCAL_OFFER */ + neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER; + ++ /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE, ++ * it means that the previous initial SDP nego must have been failed, ++ * so we'll just set the local SDP offer here. ++ */ ++ if (!neg->active_local_sdp) { ++ neg->initial_sdp_tmp = NULL; ++ neg->initial_sdp = pjmedia_sdp_session_clone(pool, local); ++ neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local); ++ ++ return PJ_SUCCESS; ++ } ++ + /* Init vars */ +- pj_bzero(media_used, sizeof(media_used)); + old_offer = neg->active_local_sdp; + new_offer = pjmedia_sdp_session_clone(pool, local); + +-- +2.26.2 + diff --git a/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch new file mode 100644 index 00000000000..b036951d9ed --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch @@ -0,0 +1,108 @@ +From 90a16c523bfdf4d43c10506c972c5fd4250b2856 Mon Sep 17 00:00:00 2001 +From: Nanang Izzuddin +Date: Fri, 20 Nov 2020 10:52:22 +0700 +Subject: [PATCH] Race condition between transport destroy and acquire (#2470) + +* Handle race condition between transport_idle_callback() and pjsip_tpmgr_acquire_transport2(). +* Add transport destroy state check as additional of transport shutdown state check +--- + pjsip/src/pjsip/sip_transaction.c | 2 +- + pjsip/src/pjsip/sip_transport.c | 34 +++++++++++++++++++++++++------ + 2 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c +index 2b4ece7df..f663c7f4b 100644 +--- a/pjsip/src/pjsip/sip_transaction.c ++++ b/pjsip/src/pjsip/sip_transaction.c +@@ -2443,7 +2443,7 @@ static void tsx_update_transport( pjsip_transaction *tsx, + pjsip_transport_add_ref(tp); + pjsip_transport_add_state_listener(tp, &tsx_tp_state_callback, tsx, + &tsx->tp_st_key); +- if (tp->is_shutdown) { ++ if (tp->is_shutdown || tp->is_destroying) { + pjsip_transport_state_info info; + + pj_bzero(&info, sizeof(info)); +diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c +index 06fce358c..bef6d24fe 100644 +--- a/pjsip/src/pjsip/sip_transport.c ++++ b/pjsip/src/pjsip/sip_transport.c +@@ -1071,6 +1071,19 @@ static void transport_idle_callback(pj_timer_heap_t *timer_heap, + return; + + entry->id = PJ_FALSE; ++ ++ /* Set is_destroying flag under transport manager mutex to avoid ++ * race condition with pjsip_tpmgr_acquire_transport2(). ++ */ ++ pj_lock_acquire(tp->tpmgr->lock); ++ if (pj_atomic_get(tp->ref_cnt) == 0) { ++ tp->is_destroying = PJ_TRUE; ++ } else { ++ pj_lock_release(tp->tpmgr->lock); ++ return; ++ } ++ pj_lock_release(tp->tpmgr->lock); ++ + pjsip_transport_destroy(tp); + } + +@@ -1392,8 +1405,8 @@ PJ_DEF(pj_status_t) pjsip_transport_shutdown2(pjsip_transport *tp, + mgr = tp->tpmgr; + pj_lock_acquire(mgr->lock); + +- /* Do nothing if transport is being shutdown already */ +- if (tp->is_shutdown) { ++ /* Do nothing if transport is being shutdown/destroyed already */ ++ if (tp->is_shutdown || tp->is_destroying) { + pj_lock_release(mgr->lock); + pj_lock_release(tp->lock); + return PJ_SUCCESS; +@@ -2256,6 +2269,13 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + return PJSIP_ETPNOTSUITABLE; + } + ++ /* Make sure the transport is not being destroyed */ ++ if (seltp->is_destroying) { ++ pj_lock_release(mgr->lock); ++ TRACE_((THIS_FILE,"Transport to be acquired is being destroyed")); ++ return PJ_ENOTFOUND; ++ } ++ + /* We could also verify that the destination address is reachable + * from this transport (i.e. both are equal), but if application + * has requested a specific transport to be used, assume that +@@ -2311,8 +2331,10 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + if (tp_entry) { + transport *tp_iter = tp_entry; + do { +- /* Don't use transport being shutdown */ +- if (!tp_iter->tp->is_shutdown) { ++ /* Don't use transport being shutdown/destroyed */ ++ if (!tp_iter->tp->is_shutdown && ++ !tp_iter->tp->is_destroying) ++ { + if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER && + sel->u.listener) + { +@@ -2382,7 +2404,7 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + TRACE_((THIS_FILE, "Transport found but from different listener")); + } + +- if (tp_ref!=NULL && !tp_ref->is_shutdown) { ++ if (tp_ref!=NULL && !tp_ref->is_shutdown && !tp_ref->is_destroying) { + /* + * Transport found! + */ +@@ -2624,7 +2646,7 @@ PJ_DEF(pj_status_t) pjsip_transport_add_state_listener ( + + PJ_ASSERT_RETURN(tp && cb && key, PJ_EINVAL); + +- if (tp->is_shutdown) { ++ if (tp->is_shutdown || tp->is_destroying) { + *key = NULL; + return PJ_EINVALIDOP; + } +-- +2.26.2 + diff --git a/net-libs/pjproject/pjproject-2.10-r1.ebuild b/net-libs/pjproject/pjproject-2.10-r1.ebuild new file mode 100644 index 00000000000..7731f052e47 --- /dev/null +++ b/net-libs/pjproject/pjproject-2.10-r1.ebuild @@ -0,0 +1,125 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit autotools flag-o-matic toolchain-funcs + +DESCRIPTION="Open source SIP, Media, and NAT Traversal Library" +HOMEPAGE="https://www.pjsip.org/" +SRC_URI="https://github.com/pjsip/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86" + +LICENSE="GPL-2" +SLOT="0/${PV}" + +# g729 not included due to special bcg729 handling. +CODEC_FLAGS="g711 g722 g7221 gsm ilbc speex l16" +VIDEO_FLAGS="sdl ffmpeg v4l2 openh264 libyuv vpx" +SOUND_FLAGS="alsa portaudio" +IUSE="amr debug epoll examples ipv6 libressl opus resample silk ssl static-libs webrtc + ${CODEC_FLAGS} g729 + ${VIDEO_FLAGS} + ${SOUND_FLAGS}" + +PATCHES=( + "${FILESDIR}/pjproject-2.9-ssl-enable.patch" + "${FILESDIR}/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch" + "${FILESDIR}/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch" + "${FILESDIR}/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch" +) + +RDEPEND="net-libs/libsrtp:= + alsa? ( media-libs/alsa-lib ) + amr? ( media-libs/opencore-amr ) + ffmpeg? ( media-video/ffmpeg:= ) + g729? ( media-libs/bcg729 ) + gsm? ( media-sound/gsm ) + ilbc? ( media-libs/libilbc ) + openh264? ( media-libs/openh264 ) + opus? ( media-libs/opus ) + portaudio? ( media-libs/portaudio ) + resample? ( media-libs/libsamplerate ) + sdl? ( media-libs/libsdl ) + speex? ( + media-libs/speex + media-libs/speexdsp + ) + ssl? ( + !libressl? ( dev-libs/openssl:0= ) + libressl? ( dev-libs/libressl:0= ) + ) +" +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig" + +src_prepare() { + default + rm configure || die "Unable to remove unwanted wrapper" + mv aconfigure.ac configure.ac || die "Unable to rename configure script source" + eautoreconf + + cp "${FILESDIR}/pjproject-2.9-config_site.h" "${S}/pjlib/include/pj/config_site.h" || die "Unable to create config_site.h" +} + +src_configure() { + local myconf=() + local videnable="--disable-video" + local t + + use debug || append-cflags -DNDEBUG=1 + use ipv6 && append-cflags -DPJ_HAS_IPV6=1 + append-cflags -DPJMEDIA_HAS_SRTP=1 + + for t in ${CODEC_FLAGS}; do + myconf+=( $(use_enable ${t} ${t}-codec) ) + done + myconf+=( $(use_enable g729 bcg729) ) + + for t in ${VIDEO_FLAGS}; do + myconf+=( $(use_enable ${t}) ) + use "${t}" && videnable="--enable-video" + done + + [ "${videnable}" = "--enable-video" ] && append-cflags -DPJMEDIA_HAS_VIDEO=1 + + LD="$(tc-getCC)" econf \ + --enable-shared \ + --with-external-srtp \ + ${videnable} \ + $(use_enable alsa sound) \ + $(use_enable amr opencore-amr) \ + $(use_enable epoll) \ + $(use_enable opus) \ + $(use_enable portaudio ext-sound) \ + $(use_enable resample libsamplerate) \ + $(use_enable resample resample-dll) \ + $(use_enable resample) \ + $(use_enable silk) \ + $(use_enable speex speex-aec) \ + $(use_enable ssl) \ + $(use_with gsm external-gsm) \ + $(use_with portaudio external-pa) \ + $(use_with speex external-speex) \ + $(usex webrtc '' --disable-libwebrtc) \ + "${myconf[@]}" +} + +src_compile() { + emake dep LD="$(tc-getCC)" + emake LD="$(tc-getCC)" +} + +src_install() { + default + + newbin pjsip-apps/bin/pjsua-${CHOST} pjsua + newbin pjsip-apps/bin/pjsystest-${CHOST} pjsystest + + if use examples; then + insinto "/usr/share/doc/${PF}/examples" + doins -r pjsip-apps/src/samples + fi + + use static-libs || rm "${ED}/usr/$(get_libdir)"/*.a || die "Error removing static archives" +}