Date: Fri, 31 Jul 2015 14:47:51 +0200
From: Adam Maris <amaris@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE for crypto_get_random() from libsrtp

Hello,

I've got a question whether this bug 
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793971) is 
CVE-worthy? Could it be classified as CWE-330: Use of Insufficiently 
Random Values?

According to the SRTP documentation 
(http://srtp.sourcearchive.com/documentation/1.4.2.dfsg/group__SRTP_g1d4c228c6a58096dfab3cefbabd66f17.html), 
it provides 80 bits of random data, which is quite borderline.

Thanks.

-- 
Adam Maris / Red Hat Product Security
