CVE-2022-46871 - libusrsctp


Jean-Baptiste Truffault

Mar 25, 2023, 6:59:38 AM
to kurento
Dears,
CVE-2022-46871 was published in December 2022: https://nvd.nist.gov/vuln/detail/CVE-2022-46871

It affects the libusrsctp that is included in Kurento.
Mozilla corrected Firefox and Thunderbird but I haven't seen any correction concerning Kurento.

Do you know if Kurento is affected?

Regards

Neil Young

Mar 25, 2023, 8:38:08 AM
to kurento
I quickly checked the lib on my KMS 7 installation. Since KMS 7 uses provided system libs, libusrsctp has the same version as the one installed with Ubuntu 20.04:

ubuntu@kms7:~$ sudo dpkg -l | grep libusrsctp

ii  libusrsctp1:amd64                        0.9.3.0+20190901-1                               amd64        portable SCTP userland stack - shared library

From the date (2019) I would suppose that this lib is not up to date w.r.t. the fix mentioned above (I wasn't able to figure out what kind of vulnerability is fixed).


On my KMS 6 source installations I used the fork provided by Kurento (https://github.com/Kurento/libusrsctp). The last commit to this repo was made in 2019, and a comment suggests that it is based on version 0.9.2 of that lib.

So here, too, it is most likely outdated.
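
The version check from the post above, as an added example that is not part of the thread or of Kurento's code: it parses `dpkg -l` lines and compares the snapshot date embedded in the package version with the CVE's publication month. The cutoff `20221201`, the status labels and every sample line except the first are assumptions; a snapshot date alone does not show whether a distro revision carries a backported fix.

```shell
#!/bin/sh
# Added example (not from the thread): triage libusrsctp entries in `dpkg -l` output.

# Assumption: cutoff derived from the thread's "published in December 2022".
CVE_PUBLISHED=20221201

# Print the YYYYMMDD upstream snapshot embedded in a Debian version string
# such as 0.9.3.0+20190901-1; print nothing when the version has no date.
snapshot_date() {
    printf '%s\n' "$1" | sed -n 's/^[^+]*+\([0-9]\{8\}\).*$/\1/p'
}

# Read `dpkg -l` lines on stdin and print "<package> <version> <status>"
# for every installed (state "ii") libusrsctp package.
triage_usrsctp() {
    while read -r state pkg version _rest; do
        [ "$state" = "ii" ] || continue          # skip removed/half-installed
        case "$pkg" in libusrsctp*) ;; *) continue ;; esac
        snap=$(snapshot_date "$version")
        if [ -z "$snap" ]; then
            status="no-snapshot-date"            # cannot judge from the version
        elif [ "$snap" -lt "$CVE_PUBLISHED" ]; then
            status="snapshot-predates-cve"       # check the distro security tracker
        else
            status="snapshot-after-cve"          # still verify the changelog
        fi
        printf '%s %s %s\n' "$pkg" "$version" "$status"
    done
}

# Constructed input: the first line is the one quoted in the post,
# the remaining lines are made up to exercise the other branches.
sample_dpkg_output() {
    cat <<'EOF'
ii  libusrsctp1:amd64  0.9.3.0+20190901-1  amd64  portable SCTP userland stack - shared library
ii  libusrsctp1:amd64  0.9.5.0+20230115-1  amd64  constructed entry with a later snapshot
ii  libusrsctp1:amd64  0.9.5.0-2           amd64  constructed entry without a snapshot date
rc  libusrsctp1:amd64  0.9.2.0+20180101-1  amd64  constructed entry, package removed
ii  libsrtp2-1:amd64   2.3.0-2             amd64  constructed unrelated package
EOF
}

# On a real host: dpkg -l | triage_usrsctp
sample_dpkg_output | triage_usrsctp
```
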

Neil Young

Mar 25, 2023, 8:44:22 AM
to kurento
But from the release history of that lib I cannot see any patch/release related to that issue. Do you know details?


Last release Jan 2021... Not sure if I'm checking the same thing you are concerned about :)

Jean-Baptiste Truffault

Mar 25, 2023, 9:36:06 AM
to kur...@googlegroups.com
We have the same conclusion: I haven't seen any patch on the lib either!

The correction of Firefox and Thunderbird focuses on modifying some function calls (not the entire lib since it has not been updated). I guess that only those are vulnerable.

The thing is, I haven't found any details of the vulnerability, so I cannot say if Kurento is actually relying on the vulnerable part of the lib.

I was wondering if Kurento developers had more information about this!

Regards 





Neil Young

Mar 25, 2023, 10:10:29 AM
to kurento
For instance here:


If you, for instance, check the changes in "netwerk/sctp/src/netinet/sctp_asconf.c" and compare that with a given original line (https://github.com/sctplab/usrsctp/blob/f9f95023816b61a2f257d2fb77658dceaea7213f/usrsctplib/netinet/sctp_asconf.c#L557), then you'll see that they (Mozilla) must have made these changes in a fork of that lib.

However, it is not a trivial change and details about the vulnerability are not disclosed, so w/o further information about the nature of possible attacks it will be hard to see what's cooking.

That being said: If there is such a gap in Kurento KMS, then it is what it is and most likely it will never be fixed (I'm not speaking for Kurento, anyway, but I doubt that there will be action on this).

Some of the comments also look like what you've said: They fixed some use scenarios of the library code on their end, but the last commit is really heavy...

Neil Young

Mar 25, 2023, 10:15:25 AM
to kurento
Hmm. Wait. No, I'm wrong: The last commit to FF is an "update to the latest lib", so they just took over 0.9.5 as it seems. 

Weird.

Maybe a source compilation of the latest version would be sufficient...

Juan Navarro

Apr 17, 2023, 5:33:36 AM
to kurento
Anyone following this issue has possibly already seen it but just in case, this issue is being tracked here:

and an Ubuntu security report has been done here:

We just use the system-provided version for Kurento 7.0.0 onwards, so we can delegate these kinds of matters to the Canonical security team.