oss-sec mailing list archives
Re: CVE for crypto_get_random() from libsrtp
From: Michael Samuel <mik () miknet net>
Date: Sat, 1 Aug 2015 19:31:15 +1000
Hi, I can't see any reference to it using 80 bits of random data - it looks like it's AES-CTR mode. Do you have further information on that? That being said, I can see quite a few ways it can go wrong - it's doesn't appear thread-safe for a start. Is it worth taking a closer look or are you planning on shipping the patch anyway? Regards, Michael On 31 July 2015 at 22:47, Adam Maris <amaris () redhat com> wrote:
Hello, I've got question whether this bug ( https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793971) is CVE-worthy? Could it be classified as CWE-330: Use of Insufficiently Random Values? According to the SRTP documentation ( http://srtp.sourcearchive.com/documentation/1.4.2.dfsg/group__SRTP_g1d4c228c6a58096dfab3cefbabd66f17.html), it provides 80 bits of random data, which is quite a borderline. Thanks. -- Adam Maris / Red Hat Product Security
Current thread:
- CVE for crypto_get_random() from libsrtp Adam Maris (Jul 31)
- Re: CVE for crypto_get_random() from libsrtp Scott Arciszewski (Jul 31)
- Re: CVE for crypto_get_random() from libsrtp Michael Samuel (Aug 01)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Jeremy Stanley (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Jeremy Stanley (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Michael Samuel (Aug 20)