Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 472302 (CVE-2013-2139) - <net-libs/libsrtp-1.4.4_p20121108-r1 : Buffer overflow in application of crypto profiles (CVE-2013-2139)
Summary: <net-libs/libsrtp-1.4.4_p20121108-r1 : Buffer overflow in application of cryp...
Status: RESOLVED FIXED
Alias: CVE-2013-2139
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-04 16:03 UTC by Agostino Sarubbo
Modified: 2014-05-03 13:49 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-04 16:03:34 UTC
From ${URL} :

A buffer overflow flaw was reported [1] in libsrtp, Cisco's reference implementation of the Secure Real-time Transport Protocol (SRTP), in how the 
crypto_policy_set_from_profile_for_rtp() function applies cryptographic profiles to an srtp_policy.  This could allow for a crash of a client linked 
against libsrtp (like asterisk or linphone).

A pull request in git [2] has a patch to correct this issue.

[1] http://seclists.org/fulldisclosure/2013/Jun/10
[2] https://github.com/cisco/libsrtp/pull/26


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-06-04 16:42:12 UTC
(In reply to Agostino Sarubbo from comment #0)
> A pull request in git [2] has a patch to correct this issue.
> 
> [1] http://seclists.org/fulldisclosure/2013/Jun/10
> [2] https://github.com/cisco/libsrtp/pull/26

The pull request author wrote "The changes to the rtcp code are not correct. I'll fix this tomorrow and send a new pull request."
Comment 2 Chris Reffett gentoo-dev Security 2013-06-29 21:44:19 UTC
Fixed in the next pull request: https://github.com/cisco/libsrtp/pull/27
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-10-13 19:59:59 UTC
Arches, please test and stabilize libsrtp-1.4.4_p20121108-r1
Comment 4 Agostino Sarubbo gentoo-dev 2013-10-14 06:11:02 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-14 06:11:09 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-10-14 06:12:49 UTC
@creffett: why B3 instead of B2?
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-14 06:17:17 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-24 09:20:41 UTC
alpha/ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-24 09:22:38 UTC
ppc64 stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 15:32:43 UTC
vote please
Comment 11 Sergey Popov gentoo-dev Security 2013-12-04 07:55:09 UTC
Thanks for your work.

GLSA vote: yes
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:24:16 UTC
CVE-2013-2139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2139):
  Buffer overflow in srtp.c in libsrtp in srtp 1.4.5 and earlier allows remote
  attackers to cause a denial of service (crash) via vectors related to a
  length inconsistency in the crypto_policy_set_from_profile_for_rtp and
  srtp_protect functions.
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-02-04 14:43:03 UTC
GLSA vote: yes.

glsa request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-05-03 13:49:14 UTC
This issue was resolved and addressed in
 GLSA 201405-02 at http://security.gentoo.org/glsa/glsa-201405-02.xml
by GLSA coordinator Sean Amoss (ackle).