Bug#793974: src:linphone: should use SP800-90 compliant DRBG, not libsrtp crypto_get_random()
Jonas Smedegaard
dr at jones.dk
Wed Jul 29 13:41:34 UTC 2015
Package: src:linphone
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Linphone uses libsrtp crypto_get_random() call in ortp_srtp.c:
https://sources.debian.net/src/linphone/3.6.1-2.4/oRTP/src/ortp_srtp.c/?hl=275#L275
Libsrtp developers will drop that call in next major release of libsrtp:
https://github.com/cisco/libsrtp/commit/339b61d
Since the reason is described as that the implementation is mediocre, it
would probably be wise - not only for future compatibility but also to
improve security - to patch (or discuss with your upstream) to use a
different source for randomness.
...and also, please consider to actually (build-depend on libsrtp-dev
and) enable srtp support in the binary build for Debian ;-)
- Jonas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJVuNgOAAoJECx8MUbBoAEhW3kQAIYA4Wm4zou/HvyC0uAerEMN
6PAob+pE1SKQGd1UdJBX643tolfB38/40xGRURSO+0or/pfZGoj+MRDCGh/h6epa
DdNbZPSZwEADTVyMSqMr9Zfh1s7aksuytyN/e+sE2eH4LF+4RXmEWXZSjF6pUZDx
ZwtcrRJ4R1pOkqSZp6GcY0BcI55Amre0vCTPQQovBx1Bnt/KGpIUU6Dsj0yMZljz
TyQO+Zy8CpN4JwW2LUJOdSNugZkFgVfrTW0Zei2qt4uHK9tPclRmhaRd2/LEVYOx
wGJjjciw5ztaGmmCJ/zWlxOVssEscefxlodAaillmJPGm1scgoCgkNKgLcmplbn0
Yvx0zpbOTL+oKTXZvJe2RE0PVMz0aOQu/AcoNpGGYkqKxaP8haA3ofh/wescBOuF
TXmIaL1RxQRNS7Bfn+4jh/GYLYeIYr4Mz4KcywPBUMzSGuw4Re//yIuNXei/IgZ8
NV9IMfVuDszuy6uxJ5qEUvSrAL17+wHiHaGl8XbDtkvbrR2Z60ujuj1ZhjbTYWAM
5Z73tv25YScHVMVyjrCCoYDvCi5oyJvOavEQ9naXnquCH7KymNlOY6mRC6mE+0te
5eiOs7+RlQKKxS0A4jVRFKOLI/rbtp/NisjG9e3leHO8xpj5HGthZ0P5N4Y6D1mq
EJT86HnM8Si6ebQvDP8t
=kUAE
-----END PGP SIGNATURE-----
More information about the Pkg-voip-maintainers
mailing list