summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch125
-rw-r--r--net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch45
-rw-r--r--net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch108
-rw-r--r--net-libs/pjproject/pjproject-2.10-r1.ebuild125
4 files changed, 403 insertions, 0 deletions
diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch
new file mode 100644
index 000000000000..0d7df686a157
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch
@@ -0,0 +1,125 @@
+From 67e46c1ac45ad784db5b9080f5ed8b133c122872 Mon Sep 17 00:00:00 2001
+From: sauwming <ming@teluu.com>
+Date: Mon, 8 Mar 2021 17:39:36 +0800
+Subject: [PATCH] Merge pull request from GHSA-8hcp-hm38-mfph
+
+* Check hostname during TLS transport selection
+
+* revision based on feedback
+
+* remove the code in create_request that has been moved
+---
+ pjsip/include/pjsip/sip_dialog.h | 1 +
+ pjsip/src/pjsip/sip_dialog.c | 15 +++++++++++++++
+ pjsip/src/pjsip/sip_transport.c | 13 +++++++++++++
+ pjsip/src/pjsip/sip_util.c | 11 ++++++++---
+ 4 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h
+index a0214d28c..e314c2ece 100644
+--- a/pjsip/include/pjsip/sip_dialog.h
++++ b/pjsip/include/pjsip/sip_dialog.h
+@@ -165,6 +165,7 @@ struct pjsip_dialog
+ pjsip_route_hdr route_set; /**< Route set. */
+ pj_bool_t route_set_frozen; /**< Route set has been set. */
+ pjsip_auth_clt_sess auth_sess; /**< Client authentication session. */
++ pj_str_t initial_dest;/**< Initial destination host. */
+
+ /** Session counter. */
+ int sess_count; /**< Number of sessions. */
+diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c
+index 27530e4f2..9571b5a35 100644
+--- a/pjsip/src/pjsip/sip_dialog.c
++++ b/pjsip/src/pjsip/sip_dialog.c
+@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua,
+
+ /* Save the remote info. */
+ pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp);
++
++ /* Save initial destination host from transport's info */
++ pj_strdup(dlg->pool, &dlg->initial_dest,
++ &rdata->tp_info.transport->remote_name.host);
+
+
+ /* Init remote's contact from Contact header.
+@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg,
+ return status;
+ }
+
++ /* Copy the initial destination host to tdata. This information can be
++ * used later by transport for transport selection.
++ */
++ if (dlg->initial_dest.slen)
++ pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest);
++
+ /* Done. */
+ *p_tdata = tdata;
+
+@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata)
+ * transaction as the initial transaction that establishes dialog.
+ */
+ if (dlg->role == PJSIP_ROLE_UAC) {
++ /* Save initial destination host from transport's info. */
++ if (!dlg->initial_dest.slen) {
++ pj_strdup(dlg->pool, &dlg->initial_dest,
++ &rdata->tp_info.transport->remote_name.host);
++ }
+
+ /* Ignore subsequent request from remote */
+ if (msg->type != PJSIP_RESPONSE_MSG)
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index bef6d24fe..177274b08 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -2335,6 +2335,19 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ if (!tp_iter->tp->is_shutdown &&
+ !tp_iter->tp->is_destroying)
+ {
++ if ((type & PJSIP_TRANSPORT_SECURE) && tdata) {
++ /* For secure transport, make sure tdata's
++ * destination host matches the transport's
++ * remote host.
++ */
++ if (pj_stricmp(&tdata->dest_info.name,
++ &tp_iter->tp->remote_name.host))
++ {
++ tp_iter = tp_iter->next;
++ continue;
++ }
++ }
++
+ if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
+ sel->u.listener)
+ {
+diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c
+index a1bf878ea..cf916805d 100644
+--- a/pjsip/src/pjsip/sip_util.c
++++ b/pjsip/src/pjsip/sip_util.c
+@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt,
+ */
+ if (tdata->dest_info.addr.count == 0) {
+ /* Copy the destination host name to TX data */
+- pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host);
++ if (!tdata->dest_info.name.slen) {
++ pj_strdup(tdata->pool, &tdata->dest_info.name,
++ &dest_info.addr.host);
++ }
+
+ pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data,
+ &stateless_send_resolver_callback);
+@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt,
+ }
+ } else {
+ /* Copy the destination host name to TX data */
+- pj_strdup(tdata->pool, &tdata->dest_info.name,
+- &res_addr->dst_host.addr.host);
++ if (!tdata->dest_info.name.slen) {
++ pj_strdup(tdata->pool, &tdata->dest_info.name,
++ &res_addr->dst_host.addr.host);
++ }
+
+ pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host,
+ send_state, &send_response_resolver_cb);
+--
+2.26.2
+
diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch
new file mode 100644
index 000000000000..9dc9016e491a
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch
@@ -0,0 +1,45 @@
+From 97b3d7addbaa720b7ddb0af9bf6f3e443e664365 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Mon, 8 Mar 2021 16:09:34 +0700
+Subject: [PATCH] Merge pull request from GHSA-hvq6-f89p-frvp
+
+---
+ pjmedia/src/pjmedia/sdp_neg.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pjmedia/src/pjmedia/sdp_neg.c b/pjmedia/src/pjmedia/sdp_neg.c
+index f4838f75d..9f76b5200 100644
+--- a/pjmedia/src/pjmedia/sdp_neg.c
++++ b/pjmedia/src/pjmedia/sdp_neg.c
+@@ -304,7 +304,6 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+ {
+ pjmedia_sdp_session *new_offer;
+ pjmedia_sdp_session *old_offer;
+- char media_used[PJMEDIA_MAX_SDP_MEDIA];
+ unsigned oi; /* old offer media index */
+ pj_status_t status;
+
+@@ -323,8 +322,19 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+ /* Change state to STATE_LOCAL_OFFER */
+ neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER;
+
++ /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE,
++ * it means that the previous initial SDP nego must have been failed,
++ * so we'll just set the local SDP offer here.
++ */
++ if (!neg->active_local_sdp) {
++ neg->initial_sdp_tmp = NULL;
++ neg->initial_sdp = pjmedia_sdp_session_clone(pool, local);
++ neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local);
++
++ return PJ_SUCCESS;
++ }
++
+ /* Init vars */
+- pj_bzero(media_used, sizeof(media_used));
+ old_offer = neg->active_local_sdp;
+ new_offer = pjmedia_sdp_session_clone(pool, local);
+
+--
+2.26.2
+
diff --git a/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch
new file mode 100644
index 000000000000..b036951d9edd
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch
@@ -0,0 +1,108 @@
+From 90a16c523bfdf4d43c10506c972c5fd4250b2856 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Fri, 20 Nov 2020 10:52:22 +0700
+Subject: [PATCH] Race condition between transport destroy and acquire (#2470)
+
+* Handle race condition between transport_idle_callback() and pjsip_tpmgr_acquire_transport2().
+* Add transport destroy state check as additional of transport shutdown state check
+---
+ pjsip/src/pjsip/sip_transaction.c | 2 +-
+ pjsip/src/pjsip/sip_transport.c | 34 +++++++++++++++++++++++++------
+ 2 files changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c
+index 2b4ece7df..f663c7f4b 100644
+--- a/pjsip/src/pjsip/sip_transaction.c
++++ b/pjsip/src/pjsip/sip_transaction.c
+@@ -2443,7 +2443,7 @@ static void tsx_update_transport( pjsip_transaction *tsx,
+ pjsip_transport_add_ref(tp);
+ pjsip_transport_add_state_listener(tp, &tsx_tp_state_callback, tsx,
+ &tsx->tp_st_key);
+- if (tp->is_shutdown) {
++ if (tp->is_shutdown || tp->is_destroying) {
+ pjsip_transport_state_info info;
+
+ pj_bzero(&info, sizeof(info));
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index 06fce358c..bef6d24fe 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -1071,6 +1071,19 @@ static void transport_idle_callback(pj_timer_heap_t *timer_heap,
+ return;
+
+ entry->id = PJ_FALSE;
++
++ /* Set is_destroying flag under transport manager mutex to avoid
++ * race condition with pjsip_tpmgr_acquire_transport2().
++ */
++ pj_lock_acquire(tp->tpmgr->lock);
++ if (pj_atomic_get(tp->ref_cnt) == 0) {
++ tp->is_destroying = PJ_TRUE;
++ } else {
++ pj_lock_release(tp->tpmgr->lock);
++ return;
++ }
++ pj_lock_release(tp->tpmgr->lock);
++
+ pjsip_transport_destroy(tp);
+ }
+
+@@ -1392,8 +1405,8 @@ PJ_DEF(pj_status_t) pjsip_transport_shutdown2(pjsip_transport *tp,
+ mgr = tp->tpmgr;
+ pj_lock_acquire(mgr->lock);
+
+- /* Do nothing if transport is being shutdown already */
+- if (tp->is_shutdown) {
++ /* Do nothing if transport is being shutdown/destroyed already */
++ if (tp->is_shutdown || tp->is_destroying) {
+ pj_lock_release(mgr->lock);
+ pj_lock_release(tp->lock);
+ return PJ_SUCCESS;
+@@ -2256,6 +2269,13 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ return PJSIP_ETPNOTSUITABLE;
+ }
+
++ /* Make sure the transport is not being destroyed */
++ if (seltp->is_destroying) {
++ pj_lock_release(mgr->lock);
++ TRACE_((THIS_FILE,"Transport to be acquired is being destroyed"));
++ return PJ_ENOTFOUND;
++ }
++
+ /* We could also verify that the destination address is reachable
+ * from this transport (i.e. both are equal), but if application
+ * has requested a specific transport to be used, assume that
+@@ -2311,8 +2331,10 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ if (tp_entry) {
+ transport *tp_iter = tp_entry;
+ do {
+- /* Don't use transport being shutdown */
+- if (!tp_iter->tp->is_shutdown) {
++ /* Don't use transport being shutdown/destroyed */
++ if (!tp_iter->tp->is_shutdown &&
++ !tp_iter->tp->is_destroying)
++ {
+ if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
+ sel->u.listener)
+ {
+@@ -2382,7 +2404,7 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ TRACE_((THIS_FILE, "Transport found but from different listener"));
+ }
+
+- if (tp_ref!=NULL && !tp_ref->is_shutdown) {
++ if (tp_ref!=NULL && !tp_ref->is_shutdown && !tp_ref->is_destroying) {
+ /*
+ * Transport found!
+ */
+@@ -2624,7 +2646,7 @@ PJ_DEF(pj_status_t) pjsip_transport_add_state_listener (
+
+ PJ_ASSERT_RETURN(tp && cb && key, PJ_EINVAL);
+
+- if (tp->is_shutdown) {
++ if (tp->is_shutdown || tp->is_destroying) {
+ *key = NULL;
+ return PJ_EINVALIDOP;
+ }
+--
+2.26.2
+
diff --git a/net-libs/pjproject/pjproject-2.10-r1.ebuild b/net-libs/pjproject/pjproject-2.10-r1.ebuild
new file mode 100644
index 000000000000..7731f052e47a
--- /dev/null
+++ b/net-libs/pjproject/pjproject-2.10-r1.ebuild
@@ -0,0 +1,125 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools flag-o-matic toolchain-funcs
+
+DESCRIPTION="Open source SIP, Media, and NAT Traversal Library"
+HOMEPAGE="https://www.pjsip.org/"
+SRC_URI="https://github.com/pjsip/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86"
+
+LICENSE="GPL-2"
+SLOT="0/${PV}"
+
+# g729 not included due to special bcg729 handling.
+CODEC_FLAGS="g711 g722 g7221 gsm ilbc speex l16"
+VIDEO_FLAGS="sdl ffmpeg v4l2 openh264 libyuv vpx"
+SOUND_FLAGS="alsa portaudio"
+IUSE="amr debug epoll examples ipv6 libressl opus resample silk ssl static-libs webrtc
+ ${CODEC_FLAGS} g729
+ ${VIDEO_FLAGS}
+ ${SOUND_FLAGS}"
+
+PATCHES=(
+ "${FILESDIR}/pjproject-2.9-ssl-enable.patch"
+ "${FILESDIR}/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch"
+ "${FILESDIR}/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch"
+ "${FILESDIR}/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch"
+)
+
+RDEPEND="net-libs/libsrtp:=
+ alsa? ( media-libs/alsa-lib )
+ amr? ( media-libs/opencore-amr )
+ ffmpeg? ( media-video/ffmpeg:= )
+ g729? ( media-libs/bcg729 )
+ gsm? ( media-sound/gsm )
+ ilbc? ( media-libs/libilbc )
+ openh264? ( media-libs/openh264 )
+ opus? ( media-libs/opus )
+ portaudio? ( media-libs/portaudio )
+ resample? ( media-libs/libsamplerate )
+ sdl? ( media-libs/libsdl )
+ speex? (
+ media-libs/speex
+ media-libs/speexdsp
+ )
+ ssl? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+src_prepare() {
+ default
+ rm configure || die "Unable to remove unwanted wrapper"
+ mv aconfigure.ac configure.ac || die "Unable to rename configure script source"
+ eautoreconf
+
+ cp "${FILESDIR}/pjproject-2.9-config_site.h" "${S}/pjlib/include/pj/config_site.h" || die "Unable to create config_site.h"
+}
+
+src_configure() {
+ local myconf=()
+ local videnable="--disable-video"
+ local t
+
+ use debug || append-cflags -DNDEBUG=1
+ use ipv6 && append-cflags -DPJ_HAS_IPV6=1
+ append-cflags -DPJMEDIA_HAS_SRTP=1
+
+ for t in ${CODEC_FLAGS}; do
+ myconf+=( $(use_enable ${t} ${t}-codec) )
+ done
+ myconf+=( $(use_enable g729 bcg729) )
+
+ for t in ${VIDEO_FLAGS}; do
+ myconf+=( $(use_enable ${t}) )
+ use "${t}" && videnable="--enable-video"
+ done
+
+ [ "${videnable}" = "--enable-video" ] && append-cflags -DPJMEDIA_HAS_VIDEO=1
+
+ LD="$(tc-getCC)" econf \
+ --enable-shared \
+ --with-external-srtp \
+ ${videnable} \
+ $(use_enable alsa sound) \
+ $(use_enable amr opencore-amr) \
+ $(use_enable epoll) \
+ $(use_enable opus) \
+ $(use_enable portaudio ext-sound) \
+ $(use_enable resample libsamplerate) \
+ $(use_enable resample resample-dll) \
+ $(use_enable resample) \
+ $(use_enable silk) \
+ $(use_enable speex speex-aec) \
+ $(use_enable ssl) \
+ $(use_with gsm external-gsm) \
+ $(use_with portaudio external-pa) \
+ $(use_with speex external-speex) \
+ $(usex webrtc '' --disable-libwebrtc) \
+ "${myconf[@]}"
+}
+
+src_compile() {
+ emake dep LD="$(tc-getCC)"
+ emake LD="$(tc-getCC)"
+}
+
+src_install() {
+ default
+
+ newbin pjsip-apps/bin/pjsua-${CHOST} pjsua
+ newbin pjsip-apps/bin/pjsystest-${CHOST} pjsystest
+
+ if use examples; then
+ insinto "/usr/share/doc/${PF}/examples"
+ doins -r pjsip-apps/src/samples
+ fi
+
+ use static-libs || rm "${ED}/usr/$(get_libdir)"/*.a || die "Error removing static archives"
+}