Re: CVE request: libsrtp buffer overflow flaw

[Vincent Danen <vdanen () redhat com>]

* [2013-06-04 12:43:20 -0600] Kurt Seifried wrote:

> On 06/04/2013 09:51 AM, Vincent Danen wrote:
> > A buffer overflow flaw was reported in libsrtp, Cisco's reference
> > implementation of the Secure Real-time Transport Protocol (SRTP),
> > in how the crypto_policy_set_from_profile_for_rtp() function
> > applies cryptographic profiles to an srtp_policy.  This could allow
> > for a crash of a client linked against libsrtp (like asterisk or
> > linphone).
> >
> > A pull request in git has a patch to correct this issue (doesn't
> > look like it's been merged into master yet though).
> >
> > References:
> >
> > http://seclists.org/fulldisclosure/2013/Jun/10
> > https://github.com/cisco/libsrtp/pull/26
> > https://bugzilla.redhat.com/show_bug.cgi?id=970697
>
> Please use CVE-2013-2139 for this issue.

Thanks.  I noted the wrong commit above, it should be this one:

https://github.com/cisco/libsrtp/pull/27

> > As an aside, when I was poking around in github, I also found this
> > but I don't know anything about libsrtp so I don't know if this is
> > something that can be triggered by a remote user or if this is just
> > a hardening thing, but the commit message is "Security fix to not
> > ignore RTCP encryption, if required."
> >
> > https://github.com/cisco/libsrtp/commit/8ad50a05279b61a382da3cc730ff1560ab4272e8
> >
> >
> >
> > Is there someone more familiar with libsrtp that might be able to
> > comment on whether or not this is a flaw (so can a remote user
> > request to disable encryption and do ... something?)

--
Vincent Danen / Red Hat Security Response Team