CVE-2022-24792
Potential infinite loop when parsing WAV format file in PJSIP
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than 31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository. As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.
PJSIP es una biblioteca de comunicación multimedia gratuita y de código abierto escrita en C. Una vulnerabilidad de denegación de servicio afecta a las aplicaciones en sistemas de 32 bits que usan PJSIP versiones 2.12 y anteriores para reproducir/leer archivos WAV no válidos. La vulnerabilidad es producida cuando son leídos trozos de datos de archivos WAV con una longitud superior a los enteros de 31 bits. La vulnerabilidad no afecta a aplicaciones de 64 bits y no debería afectar a las aplicaciones que sólo reproducen archivos WAV confiables. Se presenta un parche disponible en la rama "master" del repositorio GitHub "pjsip/project". Como medida de mitigación, las aplicaciones pueden rechazar un archivo WAV recibido de una fuente desconocida o comprobar primero el archivo
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-10 CVE Reserved
- 2022-04-25 CVE Published
- 2024-08-03 CVE Updated
- 2024-11-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213 | 2022-12-06 | |
| https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799 | 2022-12-06 |
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202210-37 | 2022-12-06 | |
| https://www.debian.org/security/2022/dsa-5285 | 2022-12-06 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Teluu Search vendor "Teluu" | Pjsip Search vendor "Teluu" for product "Pjsip" | <= 2.12 Search vendor "Teluu" for product "Pjsip" and version " <= 2.12" | x86 |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||