Hi Markus,
On Thu, Mar 31, 2016 at 10:21:32PM +0200, Markus Koschany wrote:
> Control: severity -1 grave
> Control: tags -1 patch
>
> Am 31.03.2016 um 15:14 schrieb John Foley:
> > It's my understanding the obsolete versions of libsrtp are vulnerable.
> > Quoting the original text from Randell Jesup...
> >
> > srtp_unprotect (netwerk\srtp\src\srtp\srtp.c) can experience an
> > integer underflow. If it does, it calls a decryption function with a
> > buffer pointer pointing to memory to which it has no right, and with
> > a very large buffer length. This call could scramble large portions
> > of memory, causing incorrect and possibly insecure behavior.
> >
> > The bug is in this code:
> >
> > 950: err_status_t
> > 951: srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
> > ...
> > 1073:   if (stream->rtp_services & sec_serv_conf) {
> > 1074:     enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
> > 1075:     if (hdr->x == 1) {
> > 1076:       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
> > 1077:       enc_start += (ntohs(xtn_hdr->length) + 1);
> > 1078:     }
> > 1079:     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
> > 1080:                                - ((enc_start - (uint32_t *)hdr) << 2));
> > 1081:   } else {
> > 1082:     enc_start = NULL;
> > 1083:   }
> >
>
> Thanks for your quick response and clarification. If I understand
> correctly we can basically apply the same patch for our version in
> Wheezy and Jessie and guard against the potential integer underflow by using
>
> if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
> return err_status_parse_err;
>
> before
>
> enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
> - ((enc_start - (uint32_t *)hdr) << 2));
>
> Since it is clear now that Jessie and Sid are affected, I am going to
> raise the severity to grave again. Please find attached my proposed
> debdiffs.

Okay, please go ahead with your upload to security-master. Since the version for jessie-security is new to dak on security-master please remember to build with -sa to include the original source tarball.

Thanks for your work on this update.

Regards,
Salvatore
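As an added illustration of the arithmetic discussed above (example code written for this page, not taken from libsrtp or from the bug report), the following models the enc_start / enc_octet_len computation of srtp_unprotect() with and without the proposed guard and runs it over constructed packets. TAG_LEN, RTP_HDR_WORDS and the function name are assumptions; real libsrtp derives tag_len from the negotiated authentication function.

```c
/* Added example, not code from libsrtp or from the bug report: a model of the
 * enc_start / enc_octet_len computation in srtp_unprotect() with and without
 * the guard proposed in the thread, run over constructed packets.  TAG_LEN and
 * RTP_HDR_WORDS are assumed constants. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define TAG_LEN 10        /* assumed: HMAC-SHA1-80 authentication tag */
#define RTP_HDR_WORDS 3   /* fixed RTP header: 12 octets = 3 uint32 words */

enum { ENC_OK = 0, ENC_PARSE_ERR = 1 };

/* Computes the number of octets to decrypt.  With guarded == 0 the function
 * reproduces the vulnerable arithmetic; with guarded != 0 it applies the check
 * from the thread and returns ENC_PARSE_ERR instead of an underflowed length. */
int compute_enc_octet_len(const uint8_t *pkt, int pkt_octet_len,
                          int guarded, uint32_t *enc_octet_len)
{
    int cc = pkt[0] & 0x0f;            /* CSRC count */
    int x  = (pkt[0] >> 4) & 1;        /* header extension present? */
    size_t enc_off_words = RTP_HDR_WORDS + (size_t)cc;

    if (pkt_octet_len < (RTP_HDR_WORDS << 2) + TAG_LEN)
        return ENC_PARSE_ERR;          /* too short to hold header + tag */

    if (x == 1) {
        /* extension header: 16-bit profile, then length in 32-bit words */
        size_t xtn_off = enc_off_words << 2;
        uint16_t xlen;
        if (xtn_off + 4 > (size_t)(pkt_octet_len - TAG_LEN))
            return ENC_PARSE_ERR;      /* extension header itself out of range */
        memcpy(&xlen, pkt + xtn_off + 2, sizeof xlen);
        enc_off_words += (size_t)ntohs(xlen) + 1;
    }

    size_t enc_off = enc_off_words << 2;   /* (enc_start - hdr) << 2 */

    /* the guard from the thread, expressed as an offset comparison */
    if (guarded && !(enc_off < (size_t)(pkt_octet_len - TAG_LEN)))
        return ENC_PARSE_ERR;

    /* unguarded, a large enc_off underflows this int and the cast makes it huge */
    *enc_octet_len = (uint32_t)(pkt_octet_len - TAG_LEN - (int)enc_off);
    return ENC_OK;
}
```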