libusrsctp (0.9.3.0+20190901-1) vulnerabilities

Bug #2015448 reported by Alexandre Pétillon
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libusrsctp (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

1) Focal Fossa 20.04 LTS
2) libusrsctp (0.9.3.0+20190901-1)
3) upgrade to 0.9.4.0 or 0.9.5.0
4) I've been in touch with Byron Campen by email who is in charge of the bug B1795697 (https://bugzilla.mozilla.org/show_bug.cgi?id=1795697) related to CVE-2022-46871 (https://nvd.nist.gov/vuln/detail/CVE-2022-46871) which could impact Kurento Media Server (a service we use in my company). According to him, the 0.9.5.0 release of libusrsctp (https://github.com/sctplab/usrsctp) includes the patch (https://github.com/sctplab/usrsctp/commit/939d48f9632d69bf170c7a84514b312b6b42257d). Firefox was using a very old version of the library.

According to another direct contact I had with the Mozilla security team (Dan Veditz), the problems they found were mainly race conditions (https://cwe.mitre.org/data/definitions/364.html) which in at least one case could lead to a Use After Free vulnerability (https://cwe.mitre.org/data/definitions/416.html).

The version in Ubuntu 20.04 is also affected by CVE-2019-20503.

Conclusion: versions 0.9.4.0 and 0.9.5.0 of the library would not be impacted. Previous versions are potentially impacted.

Alexandre

CVE References

Revision history for this message
Alexandre Pétillon (ekynox360) wrote :
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for the detailed information - I can't see a good reason to keep this bug private, would you mind if I make it publicly visible?

Revision history for this message
Alexandre Pétillon (ekynox360) wrote (last edit ):

No problem to make this bug public. It's done.

information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Changed in libusrsctp (Ubuntu):
status: New → Confirmed
Revision history for this message
Alexandre Pétillon (ekynox360) wrote : Re: libusrsctp (0.9.3.0+20190901-1) vulnerabilty

No reply from the maintainer Jonas Smedegaard (https://tracker.debian.org/pkg/libusrsctp) to my email of 28 April. The Debian Security Team has responded. So Debian's tracking for CVE-2022-46871 has just been updated https://security-tracker.debian.org/tracker/CVE-2022-46871 :

- libusrsctp 0.9.3.0+20190127-2 is vulnerable,
- libusrsctp 0.9.3.0+20201102-2 is safe,
- libusrsctp 0.9.5.0-2 is safe.

Revision history for this message
Alexandre Pétillon (ekynox360) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "debdiff between libusrsctp_0.9.3.0+20190901-1 and libusrsctp_0.9.3.0+20201102-2" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Alexandre, thanks for trying to address this issue.

This debdiff looks broken, however. 1.2 megabytes is way too large for us to review, and there's loads of lines like this in the output:

Binary files /tmp/YQmq31NfW8/libusrsctp-0.9.3.0+20190901/fuzzer/CORPUS_CONNECT/addip-000000 and /tmp/ew3w5N9rtN/libusrsctp-0.9.3.0+20201102/fuzzer/CORPUS_CONNECT/addip-000000 differ

The debdiff ought to be only a little bit larger than whatever the specific security fix is.

Thanks

Jeremy Bícha (jbicha)
Changed in libusrsctp (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors for now since there is no appropriate debdiff to sponsor.

Please re-subscribe the team once you've attached a new debdiff that includes the minimal changes to fix the security issue. Thanks!

tags: added: focal
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

@ekynox360 Your debdiff also fixes CVE-2019-20503.

The upstream commits that fix the security issues are:
* for CVE-2019-20503, https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467;
* for CVE-2022-46871, https://github.com/sctplab/usrsctp/commit/939d48f9632d69bf170c7a84514b312b6b42257d.

summary: - libusrsctp (0.9.3.0+20190901-1) vulnerabilty
+ libusrsctp (0.9.3.0+20190901-1) vulnerabilities
description: updated
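The Debian tracker entry quoted earlier and the comment above give the package versions that matter here. As an added illustration (not code from this bug report or from the libusrsctp project), the following implements dpkg's version ordering so an installed libusrsctp version can be compared against those strings; the cut-off of 0.9.3.0+20201102-2 for both CVEs is an assumption drawn from the tracker entry and the comment stating the same debdiff fixes CVE-2019-20503.

```python
"""Debian version ordering, as dpkg --compare-versions applies it, run over the
libusrsctp versions quoted on this bug report."""


def _order(c):
    # dpkg's character ranking: '~' sorts before everything, even end of
    # string; digits and end of string rank 0; letters before other symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    # Compare one component (upstream or revision): alternate non-digit runs
    # ranked by _order with digit runs compared numerically.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _parse(version):
    # [epoch:]upstream[-debian_revision]; the revision follows the last '-'.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 when a is lt, eq or gt b (dpkg semantics)."""
    ea, ua, ra = _parse(a)
    eb, ub, rb = _parse(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


# Assumed cut-off: the tracker lists 0.9.3.0+20201102-2 as safe for
# CVE-2022-46871, and the same debdiff is said to also fix CVE-2019-20503.
FIXED = {"CVE-2022-46871": "0.9.3.0+20201102-2",
         "CVE-2019-20503": "0.9.3.0+20201102-2"}


def is_affected(installed, cve):
    """True when the installed version sorts below the assumed fixed version."""
    return compare_versions(installed, FIXED[cve]) < 0
```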
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for libusrsctp (Ubuntu) because there has been no activity for 60 days.]

Changed in libusrsctp (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information  
Everyone can see this security related information.