Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Jul 2015 09:38:52 -0400
From: Scott Arciszewski <>
Subject: Re: CVE for crypto_get_random() from libsrtp

On Fri, Jul 31, 2015 at 8:47 AM, Adam Maris <> wrote:
> Hello,
> I've got question whether this bug
> ( is CVE-worthy?
> Could it be classified as CWE-330: Use of Insufficiently Random Values?
> According to the SRTP documentation
> (,
> it provides 80 bits of random data, which is quite a borderline.
> Thanks.
> --
> Adam Maris / Red Hat Product Security

I would consider 80 bits insufficient for cryptography, but it's not
really exploitably weak (like, say, rand() would be). Whether or not
it warrants a CVE is obviously MITRE's discretion.

2^80 is out of reach for most people to brute force in 2015 (maybe
even for intelligence agencies), but 2^100 is generally the lower
bound of acceptable.

Just my $0.02.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ