Bug 828009 - (CVE-2013-2139) VUL-0: CVE-2013-2139: srtp: libsrtp buffer overflow flaw
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Stanislav Brabec
QA Contact: Security Team bot
Reported: 2013-07-03 15:39 UTC by Marcus Meissner
Modified: 2015-02-19 00:18 UTC


Description Marcus Meissner 2013-07-03 15:39:30 UTC
Is public, via oss-sec.

Date: Tue, 04 Jun 2013 12:43:20 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: libsrtp buffer overflow flaw

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/04/2013 09:51 AM, Vincent Danen wrote:
> A buffer overflow flaw was reported in libsrtp, Cisco's reference 
> implementation of the Secure Real-time Transport Protocol (SRTP),
> in how the crypto_policy_set_from_profile_for_rtp() function
> applies cryptographic profiles to an srtp_policy.  This could allow
> for a crash of a client linked against libsrtp (like asterisk or
> linphone).
> 
> A pull request in git has a patch to correct this issue (doesn't
> look like it's been merged into master yet though).
> 
> References:
> 
> http://seclists.org/fulldisclosure/2013/Jun/10 
> https://github.com/cisco/libsrtp/pull/26 
> https://bugzilla.redhat.com/show_bug.cgi?id=970697

Please use CVE-2013-2139 for this issue.

> As an aside, when I was poking around in github, I also found this
> but I don't know anything about libsrtp so I don't know if this is
> something that can be triggered by a remote user or if this is just
> a hardening thing, but the commit message is "Security fix to not
> ignore RTCP encryption, if required."
> 
> https://github.com/cisco/libsrtp/commit/8ad50a05279b61a382da3cc730ff1560ab4272e8
> 
> Is there someone more familiar with libsrtp that might be able to 
> comment on whether or not this is a flaw (so can a remote user
> request to disable encryption and do ... something?)
Comment 3 Swamp Workflow Management 2013-07-03 22:00:34 UTC
bugbot adjusting priority
Comment 4 Stanislav Brabec 2013-07-18 16:29:02 UTC
Created OBS maintenance request id 183679 for openSUSE:12.3:Update. No other maintained project contains srtp.
Comment 6 Marcus Meissner 2013-07-26 09:39:49 UTC
released
Comment 7 Swamp Workflow Management 2013-07-26 10:04:23 UTC
openSUSE-SU-2013:1258-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 828009
CVE References: CVE-2013-2139
Sources used:
openSUSE 12.3 (src):    srtp-1.4.4-2.4.1
Comment 9 Stanislav Brabec 2014-09-19 15:21:31 UTC
Fixed for 13.1, which was skipped by mistake:
https://build.opensuse.org/request/show/250253
The fix also contains the fix for bug 839475, which also reached 12.3 and Factory, but not 13.1.
Comment 10 Swamp Workflow Management 2014-09-29 08:05:20 UTC
openSUSE-SU-2014:1250-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 828009,839475
CVE References: CVE-2013-2139
Sources used:
openSUSE 13.1 (src):    srtp-1.4.4-4.4.1