Bug 1301202

Summary: libsrtp global-buffer-overflow
Product: Red Hat Enterprise Linux 7 Reporter: Badalyan Vyacheslav <v.badalyan>
Component: libsrtpAssignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA QA Contact: qe-baseos-daemons
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.4CC: mboisver, tpelka, tpopela, xrobau
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libsrtp-1.4.4-11.20101004cvs.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-10 14:44:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Badalyan Vyacheslav 2016-01-22 21:05:22 UTC 
Fix - https://src.chromium.org/viewvc/chrome?view=revision&revision=157430

Affected:
[root@vm-asterisk04t 111]# rpm -qa | grep libsrtp
libsrtp-1.4.4-13.20101004cvs.el7.x86_64
libsrtp-devel-1.4.4-13.20101004cvs.el7.x86_64

Details:


 Loading res_srtp.so.
=================================================================
==3371==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f99d98e5d7e at pc 0x7f99d96d1d7f bp 0x7fff3f32ae30 sp 0x7fff3f32ae20
READ of size 1 at 0x7f99d98e5d7e thread T0
    #0 0x7f99d96d1d7e in v128_copy_octet_string ../../srtp/crypto/math/datatypes.c:246
    #1 0x7f99d96cac97 in aes_icm_context_init ../../srtp/crypto/cipher/aes_icm.c:172
    #2 0x7f99d96c0e04 in cipher_type_self_test ../../srtp/crypto/cipher/cipher.c:120
    #3 0x7f99d96d48b0 in crypto_kernel_load_cipher_type ../../srtp/crypto/kernel/crypto_kernel.c:310
    #4 0x7f99d96d4d60 in crypto_kernel_init ../../srtp/crypto/kernel/crypto_kernel.c:154
    #5 0x7f99d96d7fa8 in srtp_init ../../srtp/srtp/srtp.c:1093
    #6 0x7f99d98f009d in res_srtp_init /root/asterisk-13.7.0/res/res_srtp.c:562
    #7 0x7f99d98f0143 in load_module /root/asterisk-13.7.0/res/res_srtp.c:585
    #8 0x6613f5 in start_resource /root/asterisk-13.7.0/main/loader.c:1021
    #9 0x662c78 in load_resource_list /root/asterisk-13.7.0/main/loader.c:1219
    #10 0x663978 in load_modules /root/asterisk-13.7.0/main/loader.c:1367
    #11 0x492049 in asterisk_daemon /root/asterisk-13.7.0/main/asterisk.c:4676
    #12 0x491006 in main /root/asterisk-13.7.0/main/asterisk.c:4282
    #13 0x7f99e0e78b14 in __libc_start_main (/lib64/libc.so.6+0x21b14)
    #14 0x432778  (/usr/sbin/asterisk+0x432778)

ASAN:SIGSEGV
==3371==AddressSanitizer: while reporting a bug found another one. Ignoring.
Comment 1 Badalyan Vyacheslav 2016-01-22 21:17:48 UTC 
libsrtp-1.5.0-3.fc23 also affected!


[root@vm-asterisk04t pbs.vbadalyan]# rpm -qa | grep srtp
libsrtp-1.5.0-3.fc23.x86_64
libsrtp-devel-1.5.0-3.fc23.x86_64
================================================================
==9660==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f5af10dad7e at pc 0x7f5af0ec6d7f bp 0x7ffda4a4ddc0 sp 0x7ffda4a4ddb0
READ of size 1 at 0x7f5af10dad7e thread T0
    #0 0x7f5af0ec6d7e in v128_copy_octet_string ../../srtp/crypto/math/datatypes.c:246
    #1 0x7f5af0ebfc97 in aes_icm_context_init ../../srtp/crypto/cipher/aes_icm.c:172
    #2 0x7f5af0eb5e04 in cipher_type_self_test ../../srtp/crypto/cipher/cipher.c:120
    #3 0x7f5af0ec98b0 in crypto_kernel_load_cipher_type ../../srtp/crypto/kernel/crypto_kernel.c:310
    #4 0x7f5af0ec9d60 in crypto_kernel_init ../../srtp/crypto/kernel/crypto_kernel.c:154
    #5 0x7f5af0eccfa8 in srtp_init ../../srtp/srtp/srtp.c:1093
    #6 0x7f5aedd0709d in res_srtp_init /root/asterisk-13.7.0/res/res_srtp.c:562
    #7 0x7f5aedd07143 in load_module /root/asterisk-13.7.0/res/res_srtp.c:585
    #8 0x6613f5 in start_resource /root/asterisk-13.7.0/main/loader.c:1021
    #9 0x662c78 in load_resource_list /root/asterisk-13.7.0/main/loader.c:1219
    #10 0x663978 in load_modules /root/asterisk-13.7.0/main/loader.c:1367
    #11 0x492049 in asterisk_daemon /root/asterisk-13.7.0/main/asterisk.c:4676
    #12 0x491006 in main /root/asterisk-13.7.0/main/asterisk.c:4282
    #13 0x7f5af8cf3b14 in __libc_start_main (/lib64/libc.so.6+0x21b14)
    #14 0x432778  (/usr/sbin/asterisk+0x432778)
Comment 2 Badalyan Vyacheslav 2016-01-22 21:29:45 UTC 
Sorry. Comment 1 - mistake.
Comment 3 Badalyan Vyacheslav 2016-01-22 21:50:52 UTC 
libsrtp-1.5.0-3.fc23 does not have this issue.
Comment 5 xrobau 2017-11-14 23:10:05 UTC 
I've just found this bug after it being reported as a Remote DoS on the Asterisk and FreePBX projects.

Cite: https://issues.asterisk.org/jira/browse/ASTERISK-27155
Cite: https://issues.freepbx.org/browse/FREEPBX-15526

The version of LibSRTP that is distributed with RHEL 7 is vulnerable to many security issues, and it should be increased to (at least) 1.5.4.

There are no backward compatibility issues.