package/libpjsip: security bump to version 2.13

- Fix CVE-2022-39269, CVE-2022-39244 and CVE-2022-31031: GHSA-wx5m-cj97-4wwg GHSA-fq45-m3f7-3mhj GHSA-26j7-ww69-c4qj - Drop patch (already in version) - libuuid configure option is available since pjsip/pjproject@0b0488f - libupnp is an optional dependency since pjsip/pjproject@82247cb - libsrtp is optional since pjsip/pjproject@fe6cbbc https://github.com/pjsip/pjproject/releases/tag/2.13 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit cbc80c7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
buildroot · Jan 15, 2023 · 82a504e · 82a504e
1 parent d37575c
commit 82a504e
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 53 deletions.
diff --git a/package/libpjsip/0001-Merge-pull-request-from-GHSA-26j7-ww69-c4qj.patch b/package/libpjsip/0001-Merge-pull-request-from-GHSA-26j7-ww69-c4qj.patch
diff --git a/package/libpjsip/Config.in b/package/libpjsip/Config.in
@@ -2,7 +2,6 @@ config BR2_PACKAGE_LIBPJSIP
 	bool "libpjsip"
 	depends on BR2_INSTALL_LIBSTDCPP
 	depends on BR2_TOOLCHAIN_HAS_THREADS
-	select BR2_PACKAGE_LIBSRTP
 	help
 	  PJSIP is a free and open source multimedia communication
 	  library written in C language implementing standard based

diff --git a/package/libpjsip/libpjsip.hash b/package/libpjsip/libpjsip.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  d0feef6963b07934e821ba4328aecb4c36358515c1b3e507da5874555d713533  pjproject-2.12.1.tar.gz
+sha256  4178bb9f586299111463fc16ea04e461adca4a73e646f8ddef61ea53dafa92d9  pjproject-2.13.tar.gz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/libpjsip/libpjsip.mk b/package/libpjsip/libpjsip.mk
@@ -4,21 +4,17 @@
 #
 ################################################################################
 
-LIBPJSIP_VERSION = 2.12.1
+LIBPJSIP_VERSION = 2.13
 LIBPJSIP_SOURCE = pjproject-$(LIBPJSIP_VERSION).tar.gz
 LIBPJSIP_SITE = $(call github,pjsip,pjproject,$(LIBPJSIP_VERSION))
 
-LIBPJSIP_DEPENDENCIES = libsrtp
 LIBPJSIP_LICENSE = GPL-2.0+
 LIBPJSIP_LICENSE_FILES = COPYING
 LIBPJSIP_CPE_ID_VENDOR = teluu
 LIBPJSIP_CPE_ID_PRODUCT = pjsip
 LIBPJSIP_INSTALL_STAGING = YES
 LIBPJSIP_MAKE = $(MAKE1)
 
-# 0001-Merge-pull-request-from-GHSA-26j7-ww69-c4qj.patch
-LIBPJSIP_IGNORE_CVES += CVE-2022-31031
-
 LIBPJSIP_CFLAGS = $(TARGET_CFLAGS) -DPJ_HAS_IPV6=1
 
 # relocation truncated to fit: R_68K_GOT16O
@@ -40,8 +36,7 @@ LIBPJSIP_CONF_OPTS = \
 	--disable-l16-codec \
 	--disable-g722-codec \
 	--disable-ipp \
-	--disable-silk \
-	--with-external-srtp
+	--disable-silk
 
 # Note: aconfigure.ac is broken: --enable-epoll or --disable-epoll will
 # both enable it. But that's OK, epoll is better than the alternative,
@@ -103,6 +98,22 @@ else
 LIBPJSIP_CONF_OPTS += --disable-libsamplerate
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSRTP),y)
+LIBPJSIP_DEPENDENCIES += libsrtp
+LIBPJSIP_CONF_OPTS += \
+	--enable-libsrtp \
+	--with-external-srtp
+else
+LIBPJSIP_CONF_OPTS += --disable-libsrtp
+endif
+
+ifeq ($(BR2_PACKAGE_LIBUPNP),y)
+LIBPJSIP_DEPENDENCIES += libupnp
+LIBPJSIP_CONF_OPTS += --with-upnp=$(STAGING_DIR)/usr
+else
+LIBPJSIP_CONF_OPTS += --disable-upnp
+endif
+
 ifeq ($(BR2_PACKAGE_LIBV4L),y)
 # --enable-v4l2 is broken (check for libv4l2 will be omitted)
 LIBPJSIP_DEPENDENCIES += libv4l
@@ -161,6 +172,9 @@ endif
 
 ifeq ($(BR2_PACKAGE_UTIL_LINUX_LIBUUID),y)
 LIBPJSIP_DEPENDENCIES += util-linux
+LIBPJSIP_CONF_OPTS += --enable-libuuid
+else
+LIBPJSIP_CONF_OPTS += --disable-libuuid
 endif
 
 # disable build of test binaries