Date: Sat, 1 Aug 2015 19:31:15 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for crypto_get_random() from libsrtp

Hi,

I can't see any reference to it using 80 bits of random data - it looks like it's AES-CTR mode. Do you have further information on that?

That being said, I can see quite a few ways it can go wrong - it doesn't appear thread-safe for a start.

Is it worth taking a closer look or are you planning on shipping the patch anyway?

Regards,
Michael

On 31 July 2015 at 22:47, Adam Maris <amaris@...hat.com> wrote:

> Hello,
>
> I've got a question whether this bug (
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793971) is CVE-worthy?
> Could it be classified as CWE-330: Use of Insufficiently Random Values?
>
> According to the SRTP documentation (
> http://srtp.sourcearchive.com/documentation/1.4.2.dfsg/group__SRTP_g1d4c228c6a58096dfab3cefbabd66f17.html),
> it provides 80 bits of random data, which is quite a borderline.
>
> Thanks.
>
> --
> Adam Maris / Red Hat Product Security