Bug#807698: srtp: CVE-2015-6360

Fri, 01 Apr 2016 06:03:55 -0700

Yes, that fix should address the vulnerability. There was one Cisco product that reported an issue with this patch. Specifically, it prevents a zero length payload packet from being decrypted. We never received reports of this problem from downstream open source projects. So you're probably safe with only applying this patch. But we did augment the patch after the Cisco issue to address the zero payload decryption problem. 

On 03/31/2016 04:21 PM, Markus Koschany wrote:

Control: severity -1 grave
Control: tags -1 patch

Am 31.03.2016 um 15:14 schrieb John Foley:

It's my understanding the obsolete versions of libsrtp are vulnerable.
Quoting the original text from Randell Jesup...

     srtp_unprotect (netwerk\srtp\src\srtp\srtp.c) can experience an
     integer underflow. If it does, it calls a decryption function with a
     buffer pointer pointing to memory to which it has no right, and with
     a very large buffer length. This call could scramble large portions
     of memory, causing incorrect and possibly insecure behavior.

     The bug is in this code:

     950: err_status_t
     951: srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
     ...
     1073:   if (stream->rtp_services & sec_serv_conf) {
     1074:     enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
     1075:     if (hdr->x == 1) {
     1076:       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
     1077:       enc_start += (ntohs(xtn_hdr->length) + 1);
     1078:     }
     1079:     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
     1080:                             - ((enc_start - (uint32_t *)hdr) << 2));
     1081:   } else {
     1082:     enc_start = NULL;
     1083:   }


Thanks for your quick response and clarification. If I understand
correctly we can basically apply the same patch for our version in
Wheezy and Jessie and guard against the potential integer underflow by using

if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
        return err_status_parse_err;

before

enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
        - ((enc_start - (uint32_t *)hdr) << 2));

Since it is clear now that Jessie and Sid are affected, I am going to
raise the severity to grave again. Please find attached my proposed
debdiffs.

Regards,

Markus


























					Reply via email to