CVE request: libsrtp buffer overflow flaw

[Vincent Danen <vdanen () redhat com>]

A buffer overflow flaw was reported in libsrtp, Cisco's reference
implementation of the Secure Real-time Transport Protocol (SRTP), in how
the crypto_policy_set_from_profile_for_rtp() function applies
cryptographic profiles to an srtp_policy.  This could allow for a crash
of a client linked against libsrtp (like asterisk or linphone).

A pull request in git has a patch to correct this issue (doesn't look
like it's been merged into master yet though).

References:

http://seclists.org/fulldisclosure/2013/Jun/10
https://github.com/cisco/libsrtp/pull/26
https://bugzilla.redhat.com/show_bug.cgi?id=970697


As an aside, when I was poking around in github, I also found this but I
don't know anything about libsrtp so I don't know if this is something
that can be triggered by a remote user or if this is just a hardening
thing, but the commit message is "Security fix to not ignore RTCP
encryption, if required."

https://github.com/cisco/libsrtp/commit/8ad50a05279b61a382da3cc730ff1560ab4272e8

Is there someone more familiar with libsrtp that might be able to
comment on whether or not this is a flaw (so can a remote user request
to disable encryption and do ... something?)

--
Vincent Danen / Red Hat Security Response Team