From 08d52a93c8dde3d00dd097ad9ba0d75bd246fc26 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 20 2020 12:20:56 +0000
Subject: import libsrtp-1.4.4-11.20101004cvs.el7
---
diff --git a/SOURCES/libsrtp-CVE-2013-2139.patch b/SOURCES/libsrtp-CVE-2013-2139.patch
new file mode 100644
index 0000000..4105100
--- /dev/null
+++ b/SOURCES/libsrtp-CVE-2013-2139.patch
@@ -0,0 +1,47 @@
+diff --git a/srtp/srtp.c b/srtp/srtp.c
+index 3722fc1..a0dd047 100644
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -2046,24 +2046,19 @@ crypto_policy_set_from_profile_for_rtp(crypto_policy_t *policy,
+ /* set SRTP policy from the SRTP profile in the key set */
+ switch(profile) {
+ case srtp_profile_aes128_cm_sha1_80:
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
+ crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
+- crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+ crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes256_cm_sha1_80:
+- crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes256_cm_sha1_32:
+ crypto_policy_set_aes_cm_256_hmac_sha1_32(policy);
+- crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ break;
+ /* the following profiles are not (yet) supported */
+ case srtp_profile_null_sha1_32:
+@@ -2084,6 +2079,8 @@ crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
++ /* We do not honor the 32-bit auth tag request since
++ * this is not compliant with RFC 3711 */
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
+@@ -2093,6 +2090,8 @@ crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
+ crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes256_cm_sha1_32:
++ /* We do not honor the 32-bit auth tag request since
++ * this is not compliant with RFC 3711 */
+ crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
+ break;
+ /* the following profiles are not (yet) supported */
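Review bot: The comment added to the two `*_sha1_32` cases of crypto_policy_set_from_profile_for_rtcp says the 32-bit request is not honored but leaves out the consequence for the caller. After this patch the RTP function applies the 32-bit policy for those profiles while the RTCP function still applies `crypto_policy_set_aes_cm_128_hmac_sha1_80` / `crypto_policy_set_aes_cm_256_hmac_sha1_80`, so a caller that sizes its SRTCP trailer from the profile name would presumably reserve too little room. I would extend both comments along the lines of `/* RTCP keeps the 80-bit tag even for a *_sha1_32 profile (RFC 3711); callers must reserve trailer space for it */`. Both functions begin and end outside these hunks, so a size note elsewhere in them cannot be ruled out.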
diff --git a/SOURCES/libsrtp-CVE-2015-6360.patch b/SOURCES/libsrtp-CVE-2015-6360.patch
new file mode 100644
index 0000000..00ab39f
--- /dev/null
+++ b/SOURCES/libsrtp-CVE-2015-6360.patch
@@ -0,0 +1,13 @@
+diff --git a/srtp/srtp.c b/srtp/srtp.c
+index 7e6d9e5..3722fc1 100644
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -1076,6 +1076,8 @@ srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
+ srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+ enc_start += (ntohs(xtn_hdr->length) + 1);
+ }
++ if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
++ return err_status_parse_err;
+ enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
+ - ((enc_start - (uint32_t *)hdr) << 2));
+ } else {
diff --git a/SOURCES/libsrtp-global-buffer-overflow.patch b/SOURCES/libsrtp-global-buffer-overflow.patch
new file mode 100644
index 0000000..d3fe7ed
--- /dev/null
+++ b/SOURCES/libsrtp-global-buffer-overflow.patch
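Review bot: In srtp_unprotect (libsrtp-CVE-2015-6360.patch) the added bounds test sits after the extension block, so `ntohs(xtn_hdr->length)` is still read before anything in this hunk confirms that the extension header itself lies inside the packet. The new test catches an `enc_start` that was advanced too far, but not that earlier read on a truncated packet. A guard inside the block, ahead of the `enc_start +=` line, would close that: `if ((uint8_t*)(xtn_hdr + 1) > (uint8_t*)hdr + (*pkt_octet_len - tag_len)) return err_status_parse_err;`. Note also that the strict `<` rejects a packet whose payload is empty, which may or may not be intended. The function starts and continues outside the hunk, so an earlier length check may already exist there.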
@@ -0,0 +1,41 @@
+Index: srtp/crypto/cipher/aes_icm.c
+===================================================================
+--- srtp/crypto/cipher/aes_icm.c (revision 157386)
++++ srtp/crypto/cipher/aes_icm.c (working copy)
+@@ -165,7 +165,7 @@
+ err_status_t
+ aes_icm_context_init(aes_icm_ctx_t *c, const uint8_t *key, int key_len) {
+ err_status_t status;
+- int base_key_len;
++ int base_key_len, copy_len;
+
+ if (key_len > 16 && key_len < 30) /* Ismacryp */
+ base_key_len = 16;
+@@ -174,15 +174,20 @@
+ else
+ return err_status_bad_param;
+
+- /* set counter and initial values to 'offset' value */
+- /* Note this copies past the end of the 'key' array by 2 bytes! */
+- v128_copy_octet_string(&c->counter, key + base_key_len);
+- v128_copy_octet_string(&c->offset, key + base_key_len);
++ /*
++ * set counter and initial values to 'offset' value, being careful not to
++ * go past the end of the key buffer.
++ */
++ v128_set_to_zero(&c->counter);
++ v128_set_to_zero(&c->offset);
+
+- /* force last two octets of the offset to zero (for srtp compatibility) */
+- c->offset.v8[14] = c->offset.v8[15] = 0;
+- c->counter.v8[14] = c->counter.v8[15] = 0;
++ /* force last two octets of the offset to be left zero
++ * (for srtp compatibility) */
++ copy_len = key_len - base_key_len;
+
++ memcpy(&c->counter, key + base_key_len, copy_len);
++ memcpy(&c->offset, key + base_key_len, copy_len);
++
+ debug_print(mod_aes_icm,
+ "key: %s", octet_string_hex_string(key, base_key_len));
+ debug_print(mod_aes_icm,
diff --git a/SPECS/libsrtp.spec b/SPECS/libsrtp.spec
index 8e0fb11..ea1e0ef 100644
--- a/SPECS/libsrtp.spec
+++ b/SPECS/libsrtp.spec
@@ -3,7 +3,7 @@ Name: lib%{shortname} Version: 1.4.4 -Release: 10.%{cvsver}%{?dist} +Release: 11.%{cvsver}%{?dist} Summary: An implementation of the Secure Real-time Transport Protocol (SRTP) Group: System Environment/Libraries License: BSD
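Review bot: In aes_icm_context_init (libsrtp-global-buffer-overflow.patch) the two new `memcpy` calls depend on `copy_len` never exceeding 14, both to leave the last two octets of `counter` and `offset` zero as the comment promises and to stay inside the destination, yet nothing at the copy site enforces it. The bound comes only from the `key_len` branches above, one of which falls between the two hunks and is not shown, and `copy_len` is a signed `int` that is converted to `size_t` at the call. A local guard such as `if (copy_len < 0 || copy_len > 14) return err_status_bad_param;` before the copies would keep the invariant next to the code that needs it. The function continues past the end of the hunk.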
@@ -21,6 +21,12 @@ Source2: config.h # And how does Chromium always manage to find these projects and use them? Patch0: libsrtp-1.4.4-shared.patch +# Security fixes +Patch100: libsrtp-global-buffer-overflow.patch +Patch101: libsrtp-CVE-2013-2139.patch +Patch102: libsrtp-CVE-2015-6360.patch + + %description This package provides an implementation of the Secure Real-time Transport Protocol (SRTP), the Universal Security Transform (UST), and @@ -40,6 +46,10 @@ developing applications that use %{name}. %setup -q -n %{shortname} %patch0 -p1 -b .shared +%patch100 -p1 -b .global-buffer-overflow +%patch101 -p1 -b .CVE-2013-2139 +%patch102 -p1 -b .CVE-2015-6360 + # Fix end-of-line encoding sed -i 's/\r//g' doc/draft-irtf-cfrg-icm-00.txt @@ -89,6 +99,16 @@ cp -a %{SOURCE2} %{buildroot}%{_includedir}/%{shortname}/config.h %{_libdir}/*.so %changelog +* Wed Feb 19 2020 Jan Grulich - 1.4.4-11.20101004cvs +- Fix global buffer overflow + Resolves: bz#1301202 + +- Fix improper handling of CSRC count and extension header length in RTP header + Resolves: bz#1323705 + +- Fix buffer overflow in application of crypto profiles + Resolves: bz#1141897 + * Tue Sep 16 2014 Jan Grulich - 1.4.4-10.20101004cvs - Add detection for aarch64 Resolves: bz#1141907