--- /dev/null
+Description: CVE-2013-2139: buffer overflow in application of crypto profiles
+Origin: backport,
+ https://github.com/cisco/libsrtp/pull/27,
+ https://github.com/cisco/libsrtp/commit/8884f4d8eb4ca7122dfcbd640b933b98ef4bab80,
+ https://github.com/cisco/libsrtp/commit/8e47faf0f5b90672c7ebf2f0cf0562ee81a8b621,
+ https://github.com/cisco/libsrtp/commit/0acbb039c12b790621839facf56bfedbd071b74d
+Bug: https://github.com/cisco/libsrtp/issues/24
+Bug-Debian: http://bugs.debian.org/711163
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-01-02
+
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -1807,15 +1807,12 @@
+ switch(profile) {
+ case srtp_profile_aes128_cm_sha1_80:
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
+ crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
+ crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+- crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+ break;
+ /* the following profiles are not (yet) supported */
+ case srtp_profile_null_sha1_32:
+@@ -1838,6 +1835,8 @@
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
++ /* We do not honor the 32-bit auth tag request since
++ * this is not compliant with RFC 3711 */
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
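Review bot: The new comment in the `srtp_profile_aes128_cm_sha1_32` case says why the 32-bit request is ignored, but not what the caller ends up with, and tag length is the detail that matters for a CVE described as a buffer overflow. A caller that sizes its trailer space from the profile name rather than from the resulting policy would reserve 4 octets while an 80-bit (10-octet) tag is written. I would extend the comment to something like `/* RFC 3711 does not permit a 32-bit tag here, so the 80-bit policy is applied; size the packet trailer from the resulting policy (10 octets), not from the profile name. */`. The enclosing function starts and ends outside the hunk; it appears to be the RTCP variant of the profile-to-policy helper, so its header comment would be a good second place for the same statement.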
--- /dev/null
+Index: srtp-1.4.4~dfsg/srtp/srtp.c
+===================================================================
+--- srtp-1.4.4~dfsg.orig/srtp/srtp.c 2016-01-17 19:49:52.000000000 +0100
++++ srtp-1.4.4~dfsg/srtp/srtp.c 2016-01-17 22:50:43.000000000 +0100
+@@ -938,6 +938,8 @@
+ srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+ enc_start += (ntohs(xtn_hdr->length) + 1);
+ }
++ if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
++ return err_status_parse_err;
+ enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
+ - ((enc_start - (uint32_t *)hdr) << 2));
+ } else {
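Review bot: `ntohs(xtn_hdr->length)` on the line above the new check is still evaluated before anything in this hunk establishes that the four-octet extension header lies inside the packet. The added test only validates `enc_start` after it has been advanced. If this path handles packets from the network and no earlier minimum-length check exists outside the hunk, a packet that ends right after the fixed header and CSRC list with the X bit set would cause a read past the buffer. A guard before the `enc_start +=` line would close that, for example `if ((uint8_t*)(xtn_hdr + 1) > (uint8_t*)hdr + (*pkt_octet_len - tag_len)) return err_status_parse_err;`. Two smaller points to confirm: the strict `<` also rejects a packet whose payload is empty (`enc_start` exactly at the start of the tag), and `*pkt_octet_len - tag_len` is not checked for being negative before it is used in pointer arithmetic; the declarations of both are outside the hunk.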