Asterisk Security Team
2022-Mar-04 20:16 UTC
[asterisk-users] AST-2022-005: pjproject: undefined behavior after freeing a dialog set
Asterisk Project Security Advisory - AST-2022-005 Product Asterisk Summary pjproject: undefined behavior after freeing a dialog set Nature of Advisory Denial of service Susceptibility Remote unauthenticated sessions Severity Major Exploits Known Yes Reported On March 3, 2022 Reported By Sauw Ming Posted On March 4, 2022 Last Updated On March 3, 2022 Advisory Contact kharwell AT sangoma DOT com CVE Name CVE-2022-23608 Description When acting as a UAC, and when placing an outgoing call to a target that then forks Asterisk may experience undefined behavior (crashes, hangs, etc…) after a dialog set is prematurely freed. Modules Affected bundled pjproject Resolution If you use “with-pjproject-bundled” then upgrade to, or install one of, the versions of Asterisk listed below. Otherwise install the appropriate version of pjproject that contains the patch. Affected Versions Product Release Series Asterisk Open Source 16.x All versions Asterisk Open Source 18.x All versions Asterisk Open Source 19.x All versions Certified Asterisk 16.x All versions Corrected In Product Release Asterisk Open Source 16.24.1,18.10.1,19.2.1 Certified Asterisk 16.8-cert13 Patches Patch URL Revision https://downloads.digium.com/pub/security/AST-2022-005-16.diff Asterisk 16 https://downloads.digium.com/pub/security/AST-2022-005-18.diff Asterisk 18 https://downloads.digium.com/pub/security/AST-2022-005-19.diff Asterisk 19 https://downloads.digium.com/pub/security/AST-2022-005-16.8.diff Certified Asterisk 16.8 Links https://issues.asterisk.org/jira/browse/ASTERISK-29945 https://downloads.asterisk.org/pub/security/AST-2022-005.html https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-005.pdf and https://downloads.digium.com/pub/security/AST-2022-005.html Revision History Date Editor Revisions Made March 3, 2022 Kevin Harwell Initial revision Asterisk Project Security Advisory - AST-2022-005 Copyright © 2022 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.