Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 472302 (CVE-2013-2139)

Summary: <net-libs/libsrtp-1.4.4_p20121108-r1 : Buffer overflow in application of crypto profiles (CVE-2013-2139)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: chainsaw, chromium, voip+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=970697
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-06-04 16:03:34 UTC 
From ${URL} :

A buffer overflow flaw was reported [1] in libsrtp, Cisco's reference implementation of the Secure Real-time Transport Protocol (SRTP), in how the 
crypto_policy_set_from_profile_for_rtp() function applies cryptographic profiles to an srtp_policy.  This could allow for a crash of a client linked 
against libsrtp (like asterisk or linphone).

A pull request in git [2] has a patch to correct this issue.

[1] http://seclists.org/fulldisclosure/2013/Jun/10
[2] https://github.com/cisco/libsrtp/pull/26


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-06-04 16:42:12 UTC 
(In reply to Agostino Sarubbo from comment #0)
> A pull request in git [2] has a patch to correct this issue.
> 
> [1] http://seclists.org/fulldisclosure/2013/Jun/10
> [2] https://github.com/cisco/libsrtp/pull/26

The pull request author wrote "The changes to the rtcp code are not correct. I'll fix this tomorrow and send a new pull request."
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-06-29 21:44:19 UTC 
Fixed in the next pull request: https://github.com/cisco/libsrtp/pull/27
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-10-13 19:59:59 UTC 
Arches, please test and stabilize libsrtp-1.4.4_p20121108-r1
Comment 4 Agostino Sarubbo gentoo-dev 2013-10-14 06:11:02 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-14 06:11:09 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-10-14 06:12:49 UTC 
@creffett: why B3 instead of B2?
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-14 06:17:17 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-24 09:20:41 UTC 
alpha/ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-24 09:22:38 UTC 
ppc64 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 15:32:43 UTC 
vote please
Comment 11 Sergey Popov (RETIRED) gentoo-dev 2013-12-04 07:55:09 UTC 
Thanks for your work.

GLSA vote: yes
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:24:16 UTC 
CVE-2013-2139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2139):
  Buffer overflow in srtp.c in libsrtp in srtp 1.4.5 and earlier allows remote
  attackers to cause a denial of service (crash) via vectors related to a
  length inconsistency in the crypto_policy_set_from_profile_for_rtp and
  srtp_protect functions.
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-04 14:43:03 UTC 
GLSA vote: yes.

glsa request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-05-03 13:49:14 UTC 
This issue was resolved and addressed in
 GLSA 201405-02 at http://security.gentoo.org/glsa/glsa-201405-02.xml
by GLSA coordinator Sean Amoss (ackle).