CVE-2022-46871 impact on Kurento

[secnum]

Hi,

A vulnerability has been identified in the libusrsctp library, itself used in Kurento. Is Kurento affected by this vulnerability and if so, which versions?

[j1elo]

Why do they hide what version is affected by the vulnerability? I went to that link (and several links from there) and still am wondering how to know if Kurento 6.x might be affected.

Kurento 7 uses the package libusrsctp1 from Ubuntu 20.04, so we'd rely on the Ubuntu security team to maintain security patches for it.

[secnum]

Versions 0.9.5.0 and 0.9.4.0 of libusrsctp would not be affected (sctplab/usrsctp@939d48f) from email exchanges I've had with people at Mozilla.

[j1elo]

Version in Ubuntu 20.04 is 0.9.3.0 so it seems it might and probably is affected:

# apt-cache policy libusrsctp1
libusrsctp1:
  Installed: (none)
  Candidate: 0.9.3.0+20190901-1
  Version table:
     0.9.3.0+20190901-1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages

The commit you linked is from July 2020, and the package version indicates that it was built on 2019, so this probably calls for opening a security ticket with the folks at Canonical. Would you be able to do that and let us know so we can track the state of this issue?

[secnum]

Issue opened here : https://bugs.launchpad.net/ubuntu/+source/libusrsctp/+bug/2015448