package/libpjsip: security bump to version 2.13

- Fix CVE-2022-39269, CVE-2022-39244 and CVE-2022-31031: https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg https://github.com/pjsip/pjproject/security/advisories/GHSA-fq45-m3f7-3mhj https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj - Drop patch (already in version) - libuuid configure option is available since 0b0488f17b - libupnp is an optional dependency since 82247cb8c0 - libsrtp is optional since fe6cbbc397 https://github.com/pjsip/pjproject/releases/tag/2.13 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-08 21:34:03 +01:00 · 2023-01-08 21:34:03 +01:00 · cbc80c7557
commit cbc80c7557
parent 431683def0
4 changed files with 22 additions and 53 deletions
--- a/package/libpjsip/0001-Merge-pull-request-from-GHSA-26j7-ww69-c4qj.patch
+++ b/package/libpjsip/0001-Merge-pull-request-from-GHSA-26j7-ww69-c4qj.patch
@ -1,44 +0,0 @@
-From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001
-From: sauwming <ming@teluu.com>
-Date: Tue, 7 Jun 2022 12:00:13 +0800
-Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj
-
-[Retrieved from:
-https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
- pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/pjlib-util/src/pjlib-util/stun_simple.c b/pjlib-util/src/pjlib-util/stun_simple.c
-index 722519584..d0549176d 100644
--- a/pjlib-util/src/pjlib-util/stun_simple.c
-+++ b/pjlib-util/src/pjlib-util/stun_simple.c
-@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
- {
-     pj_uint16_t msg_type, msg_len;
-     char *p_attr;
-+    int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);
- 
-     PJ_CHECK_STACK();
- 
-@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
-     msg->attr_count = 0;
-     p_attr = (char*)buf + sizeof(pjstun_msg_hdr);
- 
-    while (msg_len > 0) {
-+    while (msg_len > 0 && msg->attr_count < attr_max_cnt) {
- 	pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];
- 	pj_uint32_t len;
- 	pj_uint16_t attr_type;
-@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
- 	p_attr += len;
- 	++msg->attr_count;
-     }
-+    if (msg->attr_count == attr_max_cnt) {
-+	PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",
-+		   attr_max_cnt));
-+    }
- 
-     return PJ_SUCCESS;
- }
--- a/package/libpjsip/Config.in
+++ b/package/libpjsip/Config.in
@ -2,7 +2,6 @@ config BR2_PACKAGE_LIBPJSIP
 	bool "libpjsip"
 	depends on BR2_INSTALL_LIBSTDCPP
 	depends on BR2_TOOLCHAIN_HAS_THREADS
-	select BR2_PACKAGE_LIBSRTP
 	help
 	  PJSIP is a free and open source multimedia communication
 	  library written in C language implementing standard based
--- a/package/libpjsip/libpjsip.hash
+++ b/package/libpjsip/libpjsip.hash
@ -1,3 +1,3 @@
 # Locally computed
-sha256  d0feef6963b07934e821ba4328aecb4c36358515c1b3e507da5874555d713533  pjproject-2.12.1.tar.gz
+sha256  4178bb9f586299111463fc16ea04e461adca4a73e646f8ddef61ea53dafa92d9  pjproject-2.13.tar.gz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
--- a/package/libpjsip/libpjsip.mk
+++ b/package/libpjsip/libpjsip.mk
@ -4,11 +4,10 @@
 #
 ################################################################################

-LIBPJSIP_VERSION = 2.12.1
+LIBPJSIP_VERSION = 2.13
 LIBPJSIP_SOURCE = pjproject-$(LIBPJSIP_VERSION).tar.gz
 LIBPJSIP_SITE = $(call github,pjsip,pjproject,$(LIBPJSIP_VERSION))

-LIBPJSIP_DEPENDENCIES = libsrtp
 LIBPJSIP_LICENSE = GPL-2.0+
 LIBPJSIP_LICENSE_FILES = COPYING
 LIBPJSIP_CPE_ID_VENDOR = teluu
@ -16,9 +15,6 @@ LIBPJSIP_CPE_ID_PRODUCT = pjsip
 LIBPJSIP_INSTALL_STAGING = YES
 LIBPJSIP_MAKE = $(MAKE1)

-# 0001-Merge-pull-request-from-GHSA-26j7-ww69-c4qj.patch
-LIBPJSIP_IGNORE_CVES += CVE-2022-31031
-
 LIBPJSIP_CFLAGS = $(TARGET_CFLAGS) -DPJ_HAS_IPV6=1

 # relocation truncated to fit: R_68K_GOT16O
@ -40,8 +36,7 @@ LIBPJSIP_CONF_OPTS = \
 	--disable-l16-codec \
 	--disable-g722-codec \
 	--disable-ipp \
-	--disable-silk \
-	--with-external-srtp
+	--disable-silk

 # Note: aconfigure.ac is broken: --enable-epoll or --disable-epoll will
 # both enable it. But that's OK, epoll is better than the alternative,
@ -103,6 +98,22 @@ else
 LIBPJSIP_CONF_OPTS += --disable-libsamplerate
 endif

+ifeq ($(BR2_PACKAGE_LIBSRTP),y)
+LIBPJSIP_DEPENDENCIES += libsrtp
+LIBPJSIP_CONF_OPTS += \
+	--enable-libsrtp \
+	--with-external-srtp
+else
+LIBPJSIP_CONF_OPTS += --disable-libsrtp
+endif
+
+ifeq ($(BR2_PACKAGE_LIBUPNP),y)
+LIBPJSIP_DEPENDENCIES += libupnp
+LIBPJSIP_CONF_OPTS += --with-upnp=$(STAGING_DIR)/usr
+else
+LIBPJSIP_CONF_OPTS += --disable-upnp
+endif
+
 ifeq ($(BR2_PACKAGE_LIBV4L),y)
 # --enable-v4l2 is broken (check for libv4l2 will be omitted)
 LIBPJSIP_DEPENDENCIES += libv4l
@ -161,6 +172,9 @@ endif

 ifeq ($(BR2_PACKAGE_UTIL_LINUX_LIBUUID),y)
 LIBPJSIP_DEPENDENCIES += util-linux
+LIBPJSIP_CONF_OPTS += --enable-libuuid
+else
+LIBPJSIP_CONF_OPTS += --disable-libuuid
 endif

 # disable build of test binaries