Bug 14200

Summary: srtp missing update for CVE-2013-2139
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, rverschelde, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/579641/
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK advisory
Source RPM: srtp-1.4.4-3.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-09-30 21:26:03 CEST 
Fedora has issued an advisory on December 31:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/125885.html

More recently, OpenSuSE has issued an advisory for this on September 29:
http://lists.opensuse.org/opensuse-updates/2014-09/msg00059.html

Fedora's patch doesn't apply, but I haven't checked OpenSuSE's or Debian's.

It's also fixed in 1.4.5 (in Mageia 4 and Cauldron), so maybe we could update it.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-10-26 17:07:21 CET 
Debian's patch applies cleanly.

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated srtp package fixes security vulnerability:

Fernando Russ from Groundworks Technologies reported a buffer overflow flaw
in srtp, Cisco's reference implementation of the Secure Real-time Transport
Protocol (SRTP), in how the crypto_policy_set_from_profile_for_rtp() function
applies cryptographic profiles to an srtp_policy. A remote attacker could
exploit this vulnerability to crash an application linked against libsrtp,
resulting in a denial of service (CVE-2013-2139).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2139
https://www.debian.org/security/2014/dsa-2840
========================

Updated packages in core/updates_testing:
========================
srtp-1.4.4-3.1.mga3

from srtp-1.4.4-3.1.mga3.src.rpm

Assignee: fundawang => qa-bugs

Comment 2 David Walser 2014-11-18 03:04:19 CET 
This package only contains a static library, and is not BuildRequire'd by anything in Mageia 3 (it is BR'd by kopete in Mageia 4 and Cauldron).  I'm not sure why this package even existed in Mageia 3.  Anyway, for Mageia 3, there's nothing that can be tested, other than that it installs fine.  Adding the OK for Mageia 3 i586.

Whiteboard: (none) => has_procedure MGA3-32-OK

Comment 3 olivier charles 2014-11-18 07:07:53 CET 
An easy one then :

Before update testing :
# rpm -q srtp
srtp-1.4.4-3.mga3

After update testing :
# rpm -q srtp
srtp-1.4.4-3.1.mga3

CC: (none) => olchal
Whiteboard: has_procedure MGA3-32-OK => has_procedure MGA3-32-OK MGA3-64-OK

Comment 4 olivier charles 2014-11-18 07:24:25 CET 
Sorry, in comment 3, that was Mageia3-64 real HW testing.
Comment 5 RĂ©mi Verschelde 2014-11-19 13:51:47 CET 
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Mageia Robot 2014-11-21 13:45:31 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0465.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED