Buffer Overflow Affecting asterisk package, versions <1:16.28.0~dfsg-0+deb10u3


Severity

Recommended: high

Snyk's Security Team recommends NVD's CVSS assessment.

Threat Intelligence

EPSS: 1% (85th percentile)

  • Snyk ID: SNYK-DEBIAN10-ASTERISK-5421082
  • Published: 13 Apr 2023
  • Disclosed: 14 Mar 2023

Introduced: 14 Mar 2023

CVE-2023-27585
CWE-120
CWE-122

How to fix?

Upgrade Debian:10 asterisk to version 1:16.28.0~dfsg-0+deb10u3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream asterisk package and not the asterisk package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record parse_query(), while the issue in CVE-2022-24793 is in parse_rr(). A patch is available as commit d1c5e4d in the master branch. A workaround is to disable DNS resolution in PJSIP config (by setting nameserver_count to zero) or use an external resolver implementation instead.

CVSS Scores

version 3.1