Build Asterisk 20.5 LTS with pjproject 2.14 due to CVE-2023-38703


I’m trying to build and install Asterisk 20.5 LTS.

There is a security vulnerability in pjproject that was fixed in version 2.14:
CVE-2023-38703, which seems to be somewhat critical:

This vulnerability’s impact may range from unexpected application termination to control flow hijack/memory corruption.
→ I’d love to include a link to the Github Security Advisory but the forum software says new users aren’t allowed to use 2 links…

However, if I run ./configure --with-pjproject-bundled, the Asterisk build process downloads 2.13.1:

checking for embedded pjproject (may have to download)… configuring
[pjproject] Downloading to /tmp/pjproject-2.13.1.tar.bz2

What should I do? Will there be a fixed release in near time?

I tried to download pjproject from and build it on my own. That worked so far.

But when I try to make Asterisk after ./configure --without-pjproject-bundled, it finally terminates with an error:

[LD] chan_pjsip.o pjsip/cli_commands.o pjsip/dialplan_functions.o →
/usr/bin/ld: /usr/local/lib/libpj-x86_64-unknown-linux-gnu.a(os_core_unix.o): warning: relocation against stdout@@GLIBC_2.2.5' in read-only section .text’
/usr/bin/ld: /usr/local/lib/libpj-x86_64-unknown-linux-gnu.a(os_core_unix.o): relocation R_X86_64_PC32 against symbol `stdout@@GLIBC_2.2.5’ can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: bad value
collect2: error: ld returned 1 exit status
make[1]: *** [/root/asterisk/asterisk-20.5.0/Makefile.rules:193:] Error 1
make: *** [Makefile:396: channels] Error 2

Thank you for any advice!

See See Use-after-free in SRTP media transport · Advisory · pjsip/pjproject · GitHub for the Security Advisory.

Asterisk doesn’t use that functionality. We also pull in any applicable security fixes when they occur and do our own release.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.