On Wed, Jul 29, 2015 at 03:37:17PM +0200, Jonas Smedegaard wrote:
> Package: src:pjproject
> Severity: important
> Tags: security
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> PJProject calls libsrtp crypto_get_random() twice in transport_srtp.c:
> https://sources.debian.net/src/pjproject/2.1.0.0.ast20130823-1/pjmedia/src/pjmedia/transport_srtp.c/?hl=1077#L1077
> https://sources.debian.net/src/pjproject/2.4~dfsg-1/pjmedia/src/pjmedia/transport_srtp.c/?hl=1087#L1087
> 
> Libsrtp developers will drop that call in next major release of libsrtp:
> https://github.com/cisco/libsrtp/commit/339b61d
> 
> Since the reason is described as that the implementation is mediocre, it
> would probably be wise - not only for future compatibility but also to
> improve security - to patch (or discuss with your upstream) to use a
> different source for randomness.

Thanks for your report. Upstream SVN seems to have a fix: OpenSSL's RNG
is used and the SRTP one is only used as a fallback (in the single,
SRTP-related place it was used before).

It is fixed in upstream SVN rev. 5079. I'll see about backporting it.

-- 
Tzafrir Cohen         | [email protected] | VIM is
http://tzafrir.org.il |                    | a Mutt's
[email protected] |                    |  best
[email protected]    |                    | friend


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to