Your message dated Fri, 08 Apr 2016 09:49:44 +0000
with message-id <e1aot2u-0004nm...@franck.debian.org>
and subject line Bug#807698: fixed in srtp 1.4.4+20100615~dfsg-2+deb7u2
has caused the Debian Bug report #807698,
regarding srtp: CVE-2015-6360: Prevent potential DoS attack due to lack of 
bounds checking on RTP header CSRC count and extension header length
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
807698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807698
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: srtp
Version: 1.4.5~20130609~dfsg-1.1
Severity: grave
Tags: security

Hi,
from what I figured out it seems the 1.4 series is also affected by
CVE-2015-6360. While there is no AEAD mode, srtp_unprotect needs the
patch nevertheless. See:

    https://security-tracker.debian.org/tracker/CVE-2015-6360

for a list of patches.
Cheers,
 -- Guido


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: srtp
Source-Version: 1.4.4+20100615~dfsg-2+deb7u2

We believe that the bug you reported is fixed in the latest version of
srtp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated srtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Apr 2016 19:07:24 +0200
Source: srtp
Binary: libsrtp0-dev libsrtp0 srtp-docs srtp-utils
Architecture: source all amd64
Version: 1.4.4+20100615~dfsg-2+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Markus Koschany <a...@debian.org>
Description: 
 libsrtp0   - Secure RTP (SRTP) and UST Reference Implementations - shared libr
 libsrtp0-dev - Secure RTP (SRTP) and UST Reference Implementations - development
 srtp-docs  - Secure RTP (SRTP) and UST Reference Implementations - documentati
 srtp-utils - Secure RTP (SRTP) and UST Reference Implementations - utilities
Closes: 807698
Changes: 
 srtp (1.4.4+20100615~dfsg-2+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2015-6360.patch.
     Prevent potential DoS attack due to lack of bounds checking on RTP header
     CSRC count and extension header length. (Closes: #807698)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
