[asterisk-bugs] [JIRA] (ASTERISK-29580) codec_opus: Version of included libopus?

Joshua C. Colp (JIRA) noreply at issues.asterisk.org
Mon Aug 16 04:45:33 CDT 2021


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua C. Colp updated ASTERISK-29580:
--------------------------------------

      Workflow: Security Workflow  (was: Subtask and Courtesy Workflow)
    Issue Type: Security  (was: Bug)

> codec_opus: Version of included libopus?
> ----------------------------------------
>
>                 Key: ASTERISK-29580
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29580
>             Project: Asterisk
>          Issue Type: Security
>      Security Level: None
>          Components: Codecs/codec_opus
>    Affects Versions: 13.38.2, 16.20.0, 17.9.3, 18.6.0
>            Reporter: Alexander Traud
>            Severity: Major
>
> Because an outdated library could contain a security issue, I am asking to display the version of the bundled library, for example, at the start of Asterisk (or even better via a command on the command-line interface; CLI). Actually, there have been security issues in the Opus Codec library, [in the past …|https://www.opus-codec.org/news/]
> Actually, actually, this issue arose from a different perspective, classifying this issue not as a feature request but a software bug. Although I was able to overwrite it via the configuration file {{codecs.conf}}, I do not consider that an easy workaround – therefore, the severity Major. Anyway, depending on the actual cause, it could be anything from a feature request to a security bug.
> While debugging (another case with) the [ToC byte|https://tools.ietf.org/html/rfc6716#section-3.1] in the RTP media stream of the audio codec Opus Codec, I noticed that the Digium/Sangoma module sends Super Wideband (swb) although the caller stated to support just Wideband (wb) in its SDP.
> This codec module is closed source and comes with a bundled libopus. That codec module has not been updated since the [year 2017|https://downloads.digium.com/pub/telephony/codec_opus/]. Therefore, the bundled libopus cannot be the [current version 1.3.1|https://archive.mozilla.org/pub/opus/].
> I cross-checked with ‘my’ open-source Opus Codec module, which can be linked to any libopus. I went for an older version of libopus and was able to duplicate the symptom. Therefore, I guess the cause is the old bundled libopus.
> I know this was reported back in the year 2019 [already|https://community.asterisk.org/t/81919]. However, because that did not create an issue report here in Jira, I guess that report was classified not as a software bug but as a feature request.
> Because of those two reasons, I would like to know the version of the bundled libopus, to double-check (if there is a security concern and/or whether the outdated libopus might cause my interoperability issue).



--
This message was sent by Atlassian JIRA
(v6.2#6252)
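
The ToC-byte check described in the report above, as an added example that is not part of the original message or of Asterisk: it decodes the TOC byte (RFC 6716, section 3.1) of an Opus RTP payload and compares the coded bandwidth with the caller's SDP. It assumes the caller signals its limit through the `maxplaybackrate` fmtp parameter of RFC 7587; the function names are hypothetical, and the SDP and payload bytes are constructed samples.

```python
import re

# RFC 6716 section 3.1: audio bandwidth -> effective sample rate in Hz
RATE_HZ = {"NB": 8000, "MB": 12000, "WB": 16000, "SWB": 24000, "FB": 48000}

def parse_toc(toc):
    """Decode an Opus TOC byte (first byte of the RTP payload)."""
    config = toc >> 3                      # top five bits select the row of Table 2
    if config < 12:                        # 0..11: SILK-only
        mode, bw = "SILK", ("NB", "MB", "WB")[config // 4]
        frame_ms = (10, 20, 40, 60)[config % 4]
    elif config < 16:                      # 12..15: Hybrid
        mode, bw = "Hybrid", ("SWB", "FB")[(config - 12) // 2]
        frame_ms = (10, 20)[config % 2]
    else:                                  # 16..31: CELT-only
        mode, bw = "CELT", ("NB", "WB", "SWB", "FB")[(config - 16) // 4]
        frame_ms = (2.5, 5, 10, 20)[config % 4]
    return {"mode": mode, "bandwidth": bw, "frame_ms": frame_ms,
            "stereo": bool(toc & 0x04), "frame_code": toc & 0x03}

def max_playback_rate(sdp, default=48000):
    """Assumption: the limit is signalled as maxplaybackrate (RFC 7587)."""
    m = re.search(r"^a=fmtp:\d+ .*?\bmaxplaybackrate=(\d+)", sdp, re.M)
    return int(m.group(1)) if m else default

def exceeds_offer(sdp, payload):
    """True if the packet's coded bandwidth is above what the SDP asked for."""
    if not payload:
        raise ValueError("empty Opus payload")
    return RATE_HZ[parse_toc(payload[0])["bandwidth"]] > max_playback_rate(sdp)

# Constructed sample input (not captured traffic)
SAMPLE_SDP = (
    "m=audio 4000 RTP/AVP 107\r\n"
    "a=rtpmap:107 opus/48000/2\r\n"
    "a=fmtp:107 maxplaybackrate=16000; useinbandfec=1\r\n"
)
SAMPLE_PAYLOADS = {"wb": bytes([0x48, 0x00]), "swb": bytes([0x68, 0x00])}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(name, parse_toc(payload[0]), exceeds_offer(SAMPLE_SDP, payload))
```

Feed it the payload bytes that follow the RTP header; a payload flagged `True` carries a wider band than the SDP asked for.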


