Control: severity -1 important

On Fri, 11 Dec 2015 18:22:55 +0100 Guido Günther <a...@sigxcpu.org> wrote:
> Source: srtp
> Version: 1.4.5~20130609~dfsg-1.1
> Severity: grave
> Tags: security
>
> Hi,
> from what I figured out it seems the 1.4 series is also affected by
> CVE-2015-6360. While there is no AEAD mode, srtp_unprotect needs the
> patch nevertheless. See:
>
> https://security-tracker.debian.org/tracker/CVE-2015-6360
>
> for a list of patches.
> Cheers,
> -- Guido
Hello Guido, hello Security Team,

I have investigated bug #807698, alias CVE-2015-6360, and I agree with Guido that at least Wheezy is partially affected. I'm attaching my proposed patch for this issue. AEAD mode is not available in those versions, so there is only one hunk that can be applied to the srtp_unprotect function in srtp/srtp.c.

However, I don't think Jessie/Stretch/Sid are affected as well. Looking at srtp/srtp.c again, the AEAD mode is still not present and none of the upstream commits from [1] can be applied to the srtp_protect and srtp_unprotect functions. Thus I'm going to downgrade the severity to important for now. I would appreciate another look and confirmation though.

Regards,

Markus

[1] https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2
From: Markus Koschany <a...@debian.org> Date: Wed, 30 Mar 2016 18:51:04 +0200 Subject: CVE-2015-6360 --- srtp/srtp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srtp/srtp.c b/srtp/srtp.c index 3301858..a0dd047 100644 --- a/srtp/srtp.c +++ b/srtp/srtp.c @@ -1076,6 +1076,8 @@ srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; enc_start += (ntohs(xtn_hdr->length) + 1); } + if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len))) + return err_status_parse_err; enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - ((enc_start - (uint32_t *)hdr) << 2)); } else {
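Review bot: the new bounds check sits one statement too late for the extension-header case: the context line `enc_start += (ntohs(xtn_hdr->length) + 1);` already dereferences `xtn_hdr`, and nothing visible here confirms that the fixed header, the CSRC list and the 4-octet extension header all fit inside `*pkt_octet_len` before `xtn_hdr->length` is read, so a packet truncated inside those fields is still read out of bounds before `err_status_parse_err` is returned. Suggest an additional check in the extension branch, before the `length` read, along the lines of `if ((uint8_t*)enc_start + 4 > (uint8_t*)hdr + *pkt_octet_len) return err_status_parse_err;`. Two smaller points: the strict `<` in the added condition also rejects a packet whose payload is exactly empty (`enc_start` equal to the end of the authenticated region), so the commit message should say whether that is intended; and `Subject: CVE-2015-6360` on its own is not enough of a commit message, it should state that the check stops `enc_octet_len` from going negative (it is computed as `*pkt_octet_len - tag_len - ...` and cast to `uint32_t` on the very next line) and name the upstream commit it is backported from.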
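To make the effect of the single hunk concrete, here is an added example (not code from libsrtp, nor from the Debian patch) that re-implements only the enc_start / enc_octet_len arithmetic of srtp_unprotect on a raw byte buffer and runs it over three constructed packets: a sane one, one whose extension header claims 16 words of data that are not present, and one with an empty payload. The names locate_payload, unpatched_enc_octet_len, payload_len, srtp_demo_status and DEMO_TAG_LEN are local to this example, the sample packets are constructed by hand rather than captured, and the check that the 4-octet extension header lies inside the packet before its length field is read is an addition of this example, not something the patch does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not libsrtp code: only the payload-offset arithmetic of
 * srtp_unprotect is reproduced, on raw bytes, so the bounds check can be
 * observed.  Names and the status enum are assumptions of this example. */
#define RTP_FIXED_HDR_LEN 12   /* V/P/X/CC, M/PT, seq, timestamp, SSRC */
#define RTP_XTN_HDR_LEN    4   /* profile id + 16-bit length in 32-bit words */
#define DEMO_TAG_LEN      10   /* 80-bit auth tag, as in the default profiles */

typedef enum { SRTP_DEMO_OK = 0, SRTP_DEMO_PARSE_ERR = 1 } srtp_demo_status;

/* Offset of the first encrypted octet, derived the way srtp_unprotect does it:
 * fixed header, then 4 octets per CSRC, then the header extension if X == 1. */
static size_t enc_start_offset(const uint8_t *pkt, size_t pkt_len, int *truncated)
{
    unsigned cc = pkt[0] & 0x0f;
    unsigned x  = (pkt[0] >> 4) & 0x01;
    size_t off = RTP_FIXED_HDR_LEN + 4u * cc;
    *truncated = 0;
    if (x) {
        /* Assumed addition (the patch reads the length field unchecked): the
         * extension header itself must be inside the packet. */
        if (off + RTP_XTN_HDR_LEN > pkt_len) { *truncated = 1; return off; }
        uint16_t xlen_words = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        off += RTP_XTN_HDR_LEN + 4u * (size_t)xlen_words;  /* (length + 1) words */
    }
    return off;
}

/* Patched behaviour, mirroring
 *   if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
 *       return err_status_parse_err;
 * enc_off and enc_len may be NULL when only the verdict is wanted. */
srtp_demo_status locate_payload(const uint8_t *pkt, size_t pkt_len, size_t tag_len,
                                size_t *enc_off, size_t *enc_len)
{
    int truncated;
    if (pkt_len < RTP_FIXED_HDR_LEN || tag_len > pkt_len)
        return SRTP_DEMO_PARSE_ERR;
    size_t off = enc_start_offset(pkt, pkt_len, &truncated);
    if (truncated)
        return SRTP_DEMO_PARSE_ERR;
    size_t body_end = pkt_len - tag_len;          /* hdr + (pkt_octet_len - tag_len) */
    if (!(off < body_end))                        /* strict '<', exactly as in the patch */
        return SRTP_DEMO_PARSE_ERR;
    if (enc_off) *enc_off = off;
    if (enc_len) *enc_len = body_end - off;
    return SRTP_DEMO_OK;
}

/* Unpatched behaviour: the same subtraction with no check, cast to uint32_t
 * as srtp_unprotect does, so a bogus extension length wraps to ~4 GiB. */
uint32_t unpatched_enc_octet_len(const uint8_t *pkt, size_t pkt_len, size_t tag_len)
{
    int truncated;
    int off = (int)enc_start_offset(pkt, pkt_len, &truncated);
    return (uint32_t)((int)pkt_len - (int)tag_len - off);
}

/* Payload length under the patched rule, or 0 on parse error. */
size_t payload_len(const uint8_t *pkt, size_t pkt_len, size_t tag_len)
{
    size_t len = 0;
    return locate_payload(pkt, pkt_len, tag_len, NULL, &len) == SRTP_DEMO_OK ? len : 0;
}

/* Constructed sample packets (not captured traffic): V=2, X=1, CC=1, one CSRC,
 * an RFC 5285 one-word extension, then payload and a 10-octet tag. */
static const uint8_t kSanePkt[] = {
    0x91, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef,
    0x01, 0x02, 0x03, 0x04,                         /* CSRC */
    0xbe, 0xde, 0x00, 0x01, 0xaa, 0xbb, 0xcc, 0xdd, /* extension, length = 1 word */
    0x50, 0x51, 0x52, 0x53, 0x54, 0x55,             /* 6 octets of ciphertext */
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 };
/* Same 40 octets, but the extension length claims 16 words (64 octets). */
static const uint8_t kBogusXtnLenPkt[] = {
    0x91, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef,
    0x01, 0x02, 0x03, 0x04,
    0xbe, 0xde, 0x00, 0x10, 0xaa, 0xbb, 0xcc, 0xdd, /* length = 16 words: lie */
    0x50, 0x51, 0x52, 0x53, 0x54, 0x55,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 };
/* Valid header and extension, zero-length payload, then the tag (34 octets). */
static const uint8_t kEmptyPayloadPkt[] = {
    0x91, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef,
    0x01, 0x02, 0x03, 0x04,
    0xbe, 0xde, 0x00, 0x01, 0xaa, 0xbb, 0xcc, 0xdd,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 };

int main(void)
{
    size_t off = 0, len = 0;
    srtp_demo_status s = locate_payload(kSanePkt, sizeof kSanePkt, DEMO_TAG_LEN, &off, &len);
    printf("sane packet: status %d, payload at offset %zu, %zu octets\n", (int)s, off, len);
    printf("bogus extension length: patched status %d, unpatched enc_octet_len %u\n",
           (int)locate_payload(kBogusXtnLenPkt, sizeof kBogusXtnLenPkt, DEMO_TAG_LEN, NULL, NULL),
           (unsigned)unpatched_enc_octet_len(kBogusXtnLenPkt, sizeof kBogusXtnLenPkt, DEMO_TAG_LEN));
    printf("empty payload: patched status %d\n",
           (int)locate_payload(kEmptyPayloadPkt, sizeof kEmptyPayloadPkt, DEMO_TAG_LEN, NULL, NULL));
    return 0;
}
```

On the bogus packet the unpatched arithmetic yields 40 - 10 - 84 = -54, which the uint32_t cast turns into 4294967242, a ciphertext length far beyond the buffer; the patched check returns a parse error instead. The empty-payload packet shows the consequence of the strict `<`: enc_start equals the end of the authenticated region, so the patched code also reports a parse error, which is the behaviour a reviewer would want stated explicitly in the commit message.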