PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` should not be affected. A patch is available on the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
The product writes data past the end, or before the beginning, of the intended buffer.
| Link | Tags |
|---|---|
| https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m | third party advisory patch |
| https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00 | third party advisory patch |
| https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html | third party advisory mailing list |
| https://security.gentoo.org/glsa/202210-37 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html | third party advisory mailing list |
| https://www.debian.org/security/2022/dsa-5285 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html | mailing list |