Candidate: CVE-2021-43804
PublicDate: 2021-12-22 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43804
 https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9
 https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e
Description:
 PJSIP is a free and open source multimedia communication library written in
 C language implementing standard based protocols such as SIP, SDP, RTP,
 STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message
 contains a reason's length, this declared length is not checked against the
 actual received packet size, potentially resulting in an out-of-bound read
 access. This issue affects all users that use PJMEDIA and RTCP. A malicious
 actor can send a RTCP BYE message with an invalid reason length. Users are
 advised to upgrade as soon as possible. There are no known workarounds.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L [7.3 HIGH]


Patches_pjproject:
upstream_pjproject: needs-triage
trusty_pjproject: ignored (out of standard support)
xenial_pjproject: ignored (out of standard support)
bionic_pjproject: needs-triage