Bug#807698: srtp: CVE-2015-6360

Markus Koschany Thu, 31 Mar 2016 13:24:39 -0700

Control: severity -1 grave
Control: tags -1 patch

Am 31.03.2016 um 15:14 schrieb John Foley:
> It's my understanding the obsolete versions of libsrtp are vulnerable. 
> Quoting the original text from Randell Jesup...
> 
>     srtp_unprotect (netwerk\srtp\src\srtp\srtp.c) can experience an
>     integer underflow. If it does, it calls a decryption function with a
>     buffer pointer pointing to memory to which it has no right, and with
>     a very large buffer length. This call could scramble large portions
>     of memory, causing incorrect and possibly insecure behavior.
> 
>     The bug is in this code:
> 
>     950: err_status_t
>     951: srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
>     ...
>     1073:   if (stream->rtp_services & sec_serv_conf) {
>     1074:     enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;  
>     1075:     if (hdr->x == 1) {
>     1076:       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
>     1077:       enc_start += (ntohs(xtn_hdr->length) + 1);
>     1078:     }  
>     1079:     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 
>     1080:                            - ((enc_start - (uint32_t *)hdr) << 2));
>     1081:   } else {
>     1082:     enc_start = NULL;
>     1083:   }
>


Thanks for your quick response and clarification. If I understand
correctly we can basically apply the same patch for our version in
Wheezy and Jessie and guard against the potential integer underflow by using

if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
        return err_status_parse_err;

before

enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
        - ((enc_start - (uint32_t *)hdr) << 2));

Since it is clear now that Jessie and Sid are affected, I am going to
raise the severity to grave again. Please find attached my proposed
debdiffs.

Regards,

Markus

diff -Nru srtp-1.4.5~20130609~dfsg/debian/changelog 
srtp-1.4.5~20130609~dfsg/debian/changelog
--- srtp-1.4.5~20130609~dfsg/debian/changelog   2014-10-13 22:28:31.000000000 
+0200
+++ srtp-1.4.5~20130609~dfsg/debian/changelog   2016-03-31 21:56:32.000000000 
+0200
@@ -1,3 +1,12 @@
+srtp (1.4.5~20130609~dfsg-1.1+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2015-6360.patch.
+    Prevent potential DoS attack due to lack of bounds checking on RTP header
+    CSRC count and extension header length. (Closes: #807698)
+
+ -- Markus Koschany <[email protected]>  Thu, 31 Mar 2016 21:33:26 +0200
+
 srtp (1.4.5~20130609~dfsg-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru srtp-1.4.5~20130609~dfsg/debian/patches/CVE-2015-6360.patch 
srtp-1.4.5~20130609~dfsg/debian/patches/CVE-2015-6360.patch
--- srtp-1.4.5~20130609~dfsg/debian/patches/CVE-2015-6360.patch 1970-01-01 
01:00:00.000000000 +0100
+++ srtp-1.4.5~20130609~dfsg/debian/patches/CVE-2015-6360.patch 2016-03-31 
21:17:55.000000000 +0200
@@ -0,0 +1,27 @@
+From: Markus Koschany <[email protected]>
+Date: Thu, 31 Mar 2016 21:09:43 +0200
+Subject: CVE-2015-6360
+
+Prevent potential DoS attack due to lack of bounds checking on RTP header
+CSRC count and extension header length. Only the srtp_unprotect function is
+affected. AEAD mode does not exist.
+
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807698
+Origin: 
https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2
+---
+ srtp/srtp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/srtp/srtp.c b/srtp/srtp.c
+index 7fd19e6..ef7ac62 100644
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -1084,6 +1084,8 @@ srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int 
*pkt_octet_len) {
+       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+       enc_start += (ntohs(xtn_hdr->length) + 1);
+     }  
++    if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
++        return err_status_parse_err;
+     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 
+                              - ((enc_start - (uint32_t *)hdr) << 2));
+   } else {
diff -Nru srtp-1.4.5~20130609~dfsg/debian/patches/series 
srtp-1.4.5~20130609~dfsg/debian/patches/series
--- srtp-1.4.5~20130609~dfsg/debian/patches/series      2014-10-13 
22:28:11.000000000 +0200
+++ srtp-1.4.5~20130609~dfsg/debian/patches/series      2016-03-31 
21:10:10.000000000 +0200
@@ -7,3 +7,4 @@
 1008_shared-lib.patch
 2001_make_shellscript_noisy.patch
 2002_define_missing_latex_cmd_plus.patch
+CVE-2015-6360.patch

diff -Nru srtp-1.4.4+20100615~dfsg/debian/changelog 
srtp-1.4.4+20100615~dfsg/debian/changelog
--- srtp-1.4.4+20100615~dfsg/debian/changelog   2014-01-05 21:22:50.000000000 
+0000
+++ srtp-1.4.4+20100615~dfsg/debian/changelog   2016-03-31 20:01:41.000000000 
+0000
@@ -1,3 +1,12 @@
+srtp (1.4.4+20100615~dfsg-2+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2015-6360.patch.
+    Prevent potential DoS attack due to lack of bounds checking on RTP header
+    CSRC count and extension header length. (Closes: #807698)
+
+ -- Markus Koschany <[email protected]>  Thu, 31 Mar 2016 21:59:21 +0200
+
 srtp (1.4.4+20100615~dfsg-2+deb7u1) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru srtp-1.4.4+20100615~dfsg/debian/patches/CVE-2015-6360.patch 
srtp-1.4.4+20100615~dfsg/debian/patches/CVE-2015-6360.patch
--- srtp-1.4.4+20100615~dfsg/debian/patches/CVE-2015-6360.patch 1970-01-01 
00:00:00.000000000 +0000
+++ srtp-1.4.4+20100615~dfsg/debian/patches/CVE-2015-6360.patch 2016-03-31 
20:02:13.000000000 +0000
@@ -0,0 +1,27 @@
+From: Markus Koschany <[email protected]>
+Date: Wed, 30 Mar 2016 18:51:04 +0200
+Subject: CVE-2015-6360
+
+Prevent potential DoS attack due to lack of bounds checking on RTP header
+CSRC count and extension header length. Only the srtp_unprotect function is
+affected. AEAD mode does not exist.
+
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807698
+Origin: 
https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2
+---
+ srtp/srtp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/srtp/srtp.c b/srtp/srtp.c
+index 3301858..a0dd047 100644
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -1076,6 +1076,8 @@ srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int 
*pkt_octet_len) {
+       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+       enc_start += (ntohs(xtn_hdr->length) + 1);
+     }  
++    if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
++        return err_status_parse_err;
+     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 
+                              - ((enc_start - (uint32_t *)hdr) << 2));
+   } else {
diff -Nru srtp-1.4.4+20100615~dfsg/debian/patches/series 
srtp-1.4.4+20100615~dfsg/debian/patches/series
--- srtp-1.4.4+20100615~dfsg/debian/patches/series      2014-01-05 
21:22:50.000000000 +0000
+++ srtp-1.4.4+20100615~dfsg/debian/patches/series      2016-03-31 
00:51:46.000000000 +0000
@@ -5,3 +5,4 @@
 1008_shared-lib.patch
 1009_CVE-2013-2139.patch
 2001_make_shellscript_noisy.patch
+CVE-2015-6360.patch

signature.asc
Description: OpenPGP digital signature

Bug#807698: srtp: CVE-2015-6360

Reply via email to