Bug#807698: CVE-2015-6360: Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length

2016-03-30 Thread Markus Koschany
Control: severity -1 important

On Fri, 11 Dec 2015 18:22:55 +0100 Guido Günther wrote:
> Source: srtp
> Version: 1.4.5~20130609~dfsg-1.1
> Severity: grave
> Tags: security
> 
> Hi,
> from what I figured out it seems the 1.4 series is also affected by
> CVE-2015-6360. While there is no AEAD mode, srtp_unprotect needs the
> patch nevertheless. See:
> 
> https://security-tracker.debian.org/tracker/CVE-2015-6360
> 
> for a list of patches.
> Cheers,
>  -- Guido


Hello Guido, hello Security Team,

I have investigated bug #807698, alias CVE-2015-6360, and I agree with
Guido that at least Wheezy is partially affected. I'm attaching my
proposed patch for this issue. AEAD mode is not available in those
versions, so there is only one hunk that can be applied to the
srtp_unprotect function in srtp/srtp.c.

However, I don't think Jessie/Stretch/Sid are affected as well. Looking
at srtp/srtp.c again, the AEAD mode is still not present and none of the
upstream commits from [1] can be applied for the srtp_protect and
srtp_unprotect functions. Thus, I'm going to downgrade the severity to
important for now. I would appreciate another look and confirmation though.

Regards,

Markus


[1] https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2
From: Markus Koschany 
Date: Wed, 30 Mar 2016 18:51:04 +0200
Subject: CVE-2015-6360

---
 srtp/srtp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srtp/srtp.c b/srtp/srtp.c
index 3301858..a0dd047 100644
--- a/srtp/srtp.c
+++ b/srtp/srtp.c
@@ -1076,6 +1076,8 @@ srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
   srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
   enc_start += (ntohs(xtn_hdr->length) + 1);
 }  
+if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
+return err_status_parse_err;
 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 
 			   - ((enc_start - (uint32_t *)hdr) << 2));
   } else {
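Review bot: The new check `+if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))` runs only after `enc_start += (ntohs(xtn_hdr->length) + 1);` has already dereferenced `xtn_hdr`, which points at whatever position the CSRC count left `enc_start` in; on a packet whose CSRC count alone carries `enc_start` past the end of the buffer, the `ntohs(xtn_hdr->length)` read happens before any bound is verified. Consider performing the same bound check (with room for the 4-byte extension header) before the extension-header block that starts just above this hunk, so the length field itself is never read out of bounds. Two smaller points: the comparison is strict, so a packet whose encrypted payload is empty (`enc_start` exactly at the tag) is now rejected with `err_status_parse_err`, which should be confirmed as intended; and the two added lines sit at column 0 while the surrounding code is indented, so they should take the indentation of the neighbouring lines.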



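The parsing step the patch above guards, written out as an added, stand-alone example (not code from libsrtp or from the Debian patch): it walks the RTP fixed header, CSRC list and header extension, and bounds-checks each field before reading it, so that a CSRC count or extension length that exceeds the packet is rejected instead of moving the payload pointer past the buffer. The packet layouts, the 10-byte tag length and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define RTP_FIXED_HDR_LEN 12   /* V/P/X/CC, M/PT, seq, timestamp, SSRC */
#define RTP_EXT_HDR_LEN   4    /* profile (16 bit) + length in 32-bit words (16 bit) */
#define TAG_LEN           10   /* SRTP auth tag length assumed for the samples below */

/* Locate the start of the encrypted payload in an SRTP packet of `len` bytes
 * whose last `tag_len` bytes are the authentication tag. Returns 0 and sets
 * *off on success, -1 if any header field would run past the packet. */
int rtp_payload_offset(const uint8_t *pkt, size_t len, size_t tag_len, size_t *off)
{
    size_t end, pos, ext_words;
    if (pkt == NULL || len < tag_len || len - tag_len < RTP_FIXED_HDR_LEN)
        return -1;
    end = len - tag_len;                           /* first byte of the auth tag */
    pos = RTP_FIXED_HDR_LEN + 4 * (pkt[0] & 0x0f); /* skip CSRC list (CC = low nibble) */
    if (pos > end)                                 /* CC too large for this packet */
        return -1;
    if (pkt[0] & 0x10) {                           /* X bit: header extension present */
        if (end - pos < RTP_EXT_HDR_LEN)           /* check BEFORE reading the length field */
            return -1;
        ext_words = ((size_t)pkt[pos + 2] << 8) | pkt[pos + 3];
        pos += RTP_EXT_HDR_LEN + 4 * ext_words;
        if (pos > end)                             /* extension data overruns the packet */
            return -1;
    }
    *off = pos;          /* pos == end (empty payload) is accepted here; the patch is stricter */
    return 0;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t good_pkt[38] = {              /* V=2 X=1 CC=1, 1-word extension, 4-byte payload */
    0x91, 0x60, 0x00, 0x01, 0, 0, 0, 1, 0, 0, 0, 2,
    0, 0, 0, 3,                                    /* CSRC */
    0xbe, 0xde, 0x00, 0x01, 0, 0, 0, 0,            /* extension header + one word */
    0xaa, 0xbb, 0xcc, 0xdd,                        /* payload, then 10 zero tag bytes */
};
static const uint8_t cc15_pkt[22]       = { [0] = 0x8f }; /* CC=15 inside a 22-byte packet */
static const uint8_t ext_in_tag_pkt[26] = { [0] = 0x91 }; /* extension header would sit inside the tag */
static const uint8_t huge_ext_pkt[30]   = { [0] = 0x90, [12] = 0xbe, [13] = 0xde, [14] = 0xff, [15] = 0xff };

/* 1 when the well-formed packet parses to offset 24 and all malformed ones are rejected. */
int run_checks(void)
{
    size_t off = 0;
    return rtp_payload_offset(good_pkt, sizeof good_pkt, TAG_LEN, &off) == 0 && off == 24
        && rtp_payload_offset(cc15_pkt, sizeof cc15_pkt, TAG_LEN, &off) == -1
        && rtp_payload_offset(ext_in_tag_pkt, sizeof ext_in_tag_pkt, TAG_LEN, &off) == -1
        && rtp_payload_offset(huge_ext_pkt, sizeof huge_ext_pkt, TAG_LEN, &off) == -1;
}
```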

Bug#807698: CVE-2015-6360: Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length

2015-12-11 Thread Guido Günther
Source: srtp
Version: 1.4.5~20130609~dfsg-1.1
Severity: grave
Tags: security

Hi,
from what I figured out it seems the 1.4 series is also affected by
CVE-2015-6360. While there is no AEAD mode, srtp_unprotect needs the
patch nevertheless. See:

https://security-tracker.debian.org/tracker/CVE-2015-6360

for a list of patches.
Cheers,
 -- Guido


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)