Bug 828009 - (CVE-2013-2139) VUL-0: CVE-2013-2139: srtp: libsrtp buffer overflow flaw
VUL-0: CVE-2013-2139: srtp: libsrtp buffer overflow flaw
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Stanislav Brabec
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2013-07-03 15:39 UTC by Marcus Meissner
Modified: 2015-02-19 00:18 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-07-03 15:39:30 UTC
is public, via oss-sec

Date: Tue, 04 Jun 2013 12:43:20 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: libsrtp buffer overflow flaw

Hash: SHA1

On 06/04/2013 09:51 AM, Vincent Danen wrote:
> A buffer overflow flaw was reported in libsrtp, Cisco's reference 
> implementation of the Secure Real-time Transport Protocol (SRTP),
> in how the crypto_policy_set_from_profile_for_rtp() function
> applies cryptographic profiles to an srtp_policy.  This could allow
> for a crash of a client linked against libsrtp (like asterisk or
> linphone).
> A pull request in git has a patch to correct this issue (doesn't
> look like it's been merged into master yet though).
> References:
> http://seclists.org/fulldisclosure/2013/Jun/10 
> https://github.com/cisco/libsrtp/pull/26 
> https://bugzilla.redhat.com/show_bug.cgi?id=970697

Please use CVE-2013-2139 for this issue.

> As an aside, when I was poking around in github, I also found this
> but I don't know anything about libsrtp so I don't know if this is
> something that can be triggered by a remote user or if this is just
> a hardening thing, but the commit message is "Security fix to not
> ignore RTCP encryption, if required."
> https://github.com/cisco/libsrtp/commit/8ad50a05279b61a382da3cc730ff1560ab4272e8
> Is there someone more familiar with libsrtp that might be able to 
> comment on whether or not this is a flaw (so can a remote user
> request to disable encryption and do ... something?)
Comment 3 Swamp Workflow Management 2013-07-03 22:00:34 UTC
bugbot adjusting priority
Comment 4 Stanislav Brabec 2013-07-18 16:29:02 UTC
Created OBS maintenance request id 183679 for openSUSE:12.3:Update. No other maintained projects contains srtp.
Comment 6 Marcus Meissner 2013-07-26 09:39:49 UTC
Comment 7 Swamp Workflow Management 2013-07-26 10:04:23 UTC
openSUSE-SU-2013:1258-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 828009
CVE References: CVE-2013-2139
Sources used:
openSUSE 12.3 (src):    srtp-1.4.4-2.4.1
Comment 9 Stanislav Brabec 2014-09-19 15:21:31 UTC
Fixed for 13.1, which was skipped for mistake:
Fix also contains fix for bug 839475, which also reached 12.3 and Factory, but not 13.1.
Comment 10 Swamp Workflow Management 2014-09-29 08:05:20 UTC
openSUSE-SU-2014:1250-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 828009,839475
CVE References: CVE-2013-2139
Sources used:
openSUSE 13.1 (src):    srtp-1.4.4-4.4.1