[Secure-testing-team] Bug#793972: src:pjproject: should use SP800-90 compliant DRBG, not libsrtp crypto_get_random()

Jonas Smedegaard dr at jones.dk
Wed Jul 29 13:37:17 UTC 2015


Package: src:pjproject
Severity: important
Tags: security

PJProject calls libsrtp crypto_get_random() twice in transport_srtp.c:
https://sources.debian.net/src/pjproject/2.1.0.0.ast20130823-1/pjmedia/src/pjmedia/transport_srtp.c/?hl=1077#L1077
https://sources.debian.net/src/pjproject/2.4~dfsg-1/pjmedia/src/pjmedia/transport_srtp.c/?hl=1087#L1087

Libsrtp developers will drop that call in the next major release of libsrtp:
https://github.com/cisco/libsrtp/commit/339b61d

Since the reason is described as that the implementation is mediocre, it
would probably be wise - not only for future compatibility but also to
improve security - to patch (or discuss with your upstream) to use a
different source for randomness.

 - Jonas

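
One possible replacement source for the key material that the report says comes from crypto_get_random(), sketched as an added example (not code from pjproject, libsrtp or this bug report): read it from the kernel CSPRNG and fail closed on any short read. The names os_random_bytes and SRTP_KEY_SALT_LEN are hypothetical, and whether /dev/urandom meets SP800-90 depends on the platform and is not established here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not pjproject or libsrtp API).
 * Returns 0 on success, -1 on failure; on failure buf is zeroed so a
 * caller that ignores the result never uses partly random key bytes. */
int os_random_bytes(unsigned char *buf, size_t len)
{
    struct stat st;
    size_t off = 0;
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);

    if (fd < 0)
        goto fail;
    /* Refuse a regular file or FIFO planted at this path. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode))
        goto fail;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n > 0)
            off += (size_t)n;
        else if (n < 0 && errno == EINTR)
            continue;            /* interrupted by a signal: retry */
        else
            goto fail;           /* EOF or hard error: fail closed */
    }
    close(fd);
    return 0;
fail:
    if (fd >= 0)
        close(fd);
    memset(buf, 0, len);
    return -1;
}

/* 30 bytes = 16-byte master key + 14-byte master salt, the size used by
 * the AES_CM_128_HMAC_SHA1_80 SRTP crypto suite (RFC 4568). */
#define SRTP_KEY_SALT_LEN 30

int main(void)
{
    unsigned char key[SRTP_KEY_SALT_LEN];
    return os_random_bytes(key, sizeof key) == 0 ? 0 : 1;
}
```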
