oss-sec mailing list archives
CVE for crypto_get_random() from libsrtp
From: Adam Maris <amaris () redhat com>
Date: Fri, 31 Jul 2015 14:47:51 +0200
Hello,I've got question whether this bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793971) is CVE-worthy? Could it be classified as CWE-330: Use of Insufficiently Random Values?
According to the SRTP documentation (http://srtp.sourcearchive.com/documentation/1.4.2.dfsg/group__SRTP_g1d4c228c6a58096dfab3cefbabd66f17.html), it provides 80 bits of random data, which is quite a borderline.
Thanks. -- Adam Maris / Red Hat Product Security
Current thread:
- CVE for crypto_get_random() from libsrtp Adam Maris (Jul 31)
- Re: CVE for crypto_get_random() from libsrtp Scott Arciszewski (Jul 31)
- Re: CVE for crypto_get_random() from libsrtp Michael Samuel (Aug 01)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Jeremy Stanley (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Jeremy Stanley (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Michael Samuel (Aug 20)