From: Jiri Slachta
Date: Thu, 11 Jan 2018 18:45:05 +0000 (+0100)
Subject: Merge pull request #234 from micmac1/libs-for-15.05
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=005ef6633a79541cadaa7ea658751988937e862d;hp=c399bb6013479c55aabe8ed8461b0e2a10a6c5a2;p=feed%2Ftelephony.git

Merge pull request #234 from micmac1/libs-for-15.05

Libs for 15.05
---

diff --git a/libs/iksemel/Makefile b/libs/iksemel/Makefile
index 29606f3..f9adc26 100644
--- a/libs/iksemel/Makefile
+++ b/libs/iksemel/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=iksemel
 PKG_VERSION:=1.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://iksemel.googlecode.com/files/
@@ -31,7 +31,7 @@ define Package/libiksemel
 CATEGORY:=Libraries
 TITLE:=Iksemel Jabber Library
 URL:=http://code.google.com/p/iksemel/
- DEPENDS:= +libgnutls +libtasn1 +libgcrypt +libgpg-error
+ DEPENDS:=+libgnutls
 endef
 
 define Package/libiksemel/description
@@ -41,21 +41,6 @@ in ANSI C except the network code (which is POSIX compatible), thus
 highly portable.
 endef
 
-TARGET_CFLAGS += $(FPIC)
-TARGET_LDFLAGS += \
- -Wl,-rpath-link,$(STAGING_DIR)/usr/lib \
- -lgnutls -lgcrypt -lgpg-error
-
-define Build/Configure
- $(call Build/Configure/Default, \
- --enable-shared \
- --enable-static \
- --with-libgnutls-prefix="$(STAGING_DIR)/usr" \
- , \
- LIBS="$(TARGET_LDFLAGS)" \
- )
-endef
-
 define Build/InstallDev
 $(INSTALL_DIR) $(1)/usr/include/
 $(CP) $(PKG_INSTALL_DIR)/usr/include/iksemel.h $(1)/usr/include/
diff --git a/libs/iksemel/patches/001-missing-macros.patch b/libs/iksemel/patches/001-missing-macros.patch
deleted file mode 100644
index 4563ac5..0000000
--- a/libs/iksemel/patches/001-missing-macros.patch
+++ /dev/null
@@ -1,163 +0,0 @@
---- /dev/null
-+++ b/gnutls.m4
-@@ -0,0 +1,160 @@
-+dnl Autoconf macros for libgnutls
-+dnl $id$
-+
-+# Modified for LIBGNUTLS -- nmav
-+# Configure paths for LIBGCRYPT
-+# Shamelessly stolen from the one of XDELTA by Owen Taylor
-+# Werner Koch 99-12-09
-+
-+dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-+dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS
-+dnl
-+AC_DEFUN([AM_PATH_LIBGNUTLS],
-+[dnl
-+dnl Get the cflags and libraries from the libgnutls-config script
-+dnl
-+AC_ARG_WITH(libgnutls-prefix,
-+ [ --with-libgnutls-prefix=PFX Prefix where libgnutls is installed (optional)],
-+ libgnutls_config_prefix="$withval", libgnutls_config_prefix="")
-+
-+ if test x$libgnutls_config_prefix != x ; then
-+ if test x${LIBGNUTLS_CONFIG+set} != xset ; then
-+ LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
-+ fi
-+ fi
-+
-+ AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no)
-+ min_libgnutls_version=ifelse([$1], ,0.1.0,$1)
-+ AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version)
-+ no_libgnutls=""
-+ if test "$LIBGNUTLS_CONFIG" = "no" ; then
-+ no_libgnutls=yes
-+ else
-+ LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
-+ LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
-+ libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
-+
-+
-+ ac_save_CFLAGS="$CFLAGS"
-+ ac_save_LIBS="$LIBS"
-+ CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-+ LIBS="$LIBS $LIBGNUTLS_LIBS"
-+dnl
-+dnl Now check if the installed libgnutls is sufficiently new. Also sanity
-+dnl checks the results of libgnutls-config to some extent
-+dnl
-+ rm -f conf.libgnutlstest
-+ AC_TRY_RUN([
-+#include
-+#include
-+#include
-+#include
-+
-+int
-+main ()
-+{
-+ system ("touch conf.libgnutlstest");
-+
-+ if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
-+ {
-+ printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
-+ "$libgnutls_config_version", gnutls_check_version(NULL) );
-+ printf("*** was found! If libgnutls-config was correct, then it is best\n");
-+ printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
-+ printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
-+ printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
-+ printf("*** required on your system.\n");
-+ printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
-+ printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
-+ printf("*** before re-running configure\n");
-+ }
-+ else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
-+ {
-+ printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
-+ printf("*** library (version %s)\n", gnutls_check_version(NULL) );
-+ }
-+ else
-+ {
-+ if ( gnutls_check_version( "$min_libgnutls_version" ) )
-+ {
-+ return 0;
-+ }
-+ else
-+ {
-+ printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
-+ gnutls_check_version(NULL) );
-+ printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
-+ "$min_libgnutls_version" );
-+ printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
-+ printf("*** \n");
-+ printf("*** If you have already installed a sufficiently new version, this error\n");
-+ printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
-+ printf("*** being found. The easiest way to fix this is to remove the old version\n");
-+ printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
-+ printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
-+ printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
-+ printf("*** so that the correct libraries are found at run-time))\n");
-+ }
-+ }
-+ return 1;
-+}
-+],, no_libgnutls=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
-+ CFLAGS="$ac_save_CFLAGS"
-+ LIBS="$ac_save_LIBS"
-+ fi
-+
-+ if test "x$no_libgnutls" = x ; then
-+ AC_MSG_RESULT(yes)
-+ ifelse([$2], , :, [$2])
-+ else
-+ if test -f conf.libgnutlstest ; then
-+ :
-+ else
-+ AC_MSG_RESULT(no)
-+ fi
-+ if test "$LIBGNUTLS_CONFIG" = "no" ; then
-+ echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
-+ echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
-+ echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
-+ echo "*** full path to libgnutls-config."
-+ else
-+ if test -f conf.libgnutlstest ; then
-+ :
-+ else
-+ echo "*** Could not run libgnutls test program, checking why..."
-+ CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-+ LIBS="$LIBS $LIBGNUTLS_LIBS"
-+ AC_TRY_LINK([
-+#include
-+#include
-+#include
-+#include
-+], [ return !!gnutls_check_version(NULL); ],
-+ [ echo "*** The test program compiled, but did not run. This usually means"
-+ echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
-+ echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
-+ echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
-+ echo "*** to the installed location Also, make sure you have run ldconfig if that"
-+ echo "*** is required on your system"
-+ echo "***"
-+ echo "*** If you have an old version installed, it is best to remove it, although"
-+ echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH"
-+ echo "***" ],
-+ [ echo "*** The test program failed to compile or link. See the file config.log for the"
-+ echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
-+ echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
-+ echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ])
-+ CFLAGS="$ac_save_CFLAGS"
-+ LIBS="$ac_save_LIBS"
-+ fi
-+ fi
-+ LIBGNUTLS_CFLAGS=""
-+ LIBGNUTLS_LIBS=""
-+ ifelse([$3], , :, [$3])
-+ fi
-+ rm -f conf.libgnutlstest
-+ AC_SUBST(LIBGNUTLS_CFLAGS)
-+ AC_SUBST(LIBGNUTLS_LIBS)
-+])
-+
-+dnl *-*wedit:notab*-* Please keep this as the last line.
diff --git a/libs/iksemel/patches/001-pkgconfig-gnutls.patch b/libs/iksemel/patches/001-pkgconfig-gnutls.patch
new file mode 100644
index 0000000..ebc870d
--- /dev/null
+++ b/libs/iksemel/patches/001-pkgconfig-gnutls.patch
@@ -0,0 +1,28 @@
+Last-Update: 2013-07-29
+Forwarded: not-needed
+Origin: upstream, commit:4652af9cf119145af3a90c632f8a6db215946784
+Bug-Iksemel: https://code.google.com/p/iksemel/issues/detail?id=20
+Author: Dmitry Smirnov
+Description: use pkgconfig for checking gnutls
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -44,9 +44,17 @@
+ AC_SEARCH_LIBS(recv,socket)
+ AC_CHECK_FUNCS(getopt_long)
+ AC_CHECK_FUNCS(getaddrinfo)
+ 
+-AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
++dnl Check GNU TLS
++PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0, have_gnutls=yes, have_gnutls=no)
++if test "x$have_gnutls" = "xyes"; then
++ LIBGNUTLS_CFLAGS="$GNUTLS_CFLAGS"
++ LIBGNUTLS_LIBS="$GNUTLS_LIBS"
++ AC_SUBST(LIBGNUTLS_CFLAGS)
++ AC_SUBST(LIBGNUTLS_LIBS)
++ AC_DEFINE(HAVE_GNUTLS, 1, [whether to use GnuTSL support.])
++fi
+ 
+ dnl Check -Wall flag of GCC
+ if test "x$GCC" = "xyes"; then
+ if test -z "`echo "$CFLAGS" | grep "\-Wall" 2> /dev/null`" ; then
diff --git a/libs/iksemel/patches/002-secure_gnutls_options.patch b/libs/iksemel/patches/002-secure_gnutls_options.patch
new file mode 100644
index 0000000..bf09e17
--- /dev/null
+++ b/libs/iksemel/patches/002-secure_gnutls_options.patch
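Review bot: The `have_gnutls=no` branch of the new `PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0, have_gnutls=yes, have_gnutls=no)` call is silent, so when pkg-config cannot locate gnutls (for instance because PKG_CONFIG_PATH does not reach the staging tree) configure still succeeds, HAVE_GNUTLS is left undefined and the library is built without TLS support at all. For an OpenWrt package that depends on libgnutls unconditionally that is a build error rather than an optional feature, so the safer form is to drop the action-if-not-found argument — `PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0)` aborts configure by itself — and keep the `AC_SUBST`/`AC_DEFINE` lines unconditional, or add an `else` branch with `AC_MSG_ERROR([gnutls is required])`. The description text in `AC_DEFINE(HAVE_GNUTLS, 1, [whether to use GnuTSL support.])` also misspells GnuTLS.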
@@ -0,0 +1,38 @@
+Last-Update: 2015-10-28
+Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
+From: Marc Dequènes (duck)
+Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
+
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -62,13 +62,9 @@
+ 
+ static int
+ handshake (struct stream_data *data)
+ {
+- const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+- const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
+- const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
+- const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
+- const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
++ const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
+ int ret;
+ 
+ if (gnutls_global_init () != 0)
+ return IKS_NOMEM;
+@@ -79,13 +75,9 @@
+ if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
+ gnutls_certificate_free_credentials (data->cred);
+ return IKS_NOMEM;
+ }
+- gnutls_protocol_set_priority (data->sess, protocol_priority);
+- gnutls_cipher_set_priority(data->sess, cipher_priority);
+- gnutls_compression_set_priority(data->sess, comp_priority);
+- gnutls_kx_set_priority(data->sess, kx_priority);
+- gnutls_mac_set_priority(data->sess, mac_priority);
++ gnutls_priority_set_direct(data->sess, priority_string, NULL);
+ gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
+ 
+ gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
+ gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
diff --git a/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch b/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
deleted file mode 100644
index 8f91d10..0000000
--- a/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
+++ /dev/null
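Review bot: The return value of `gnutls_priority_set_direct(data->sess, priority_string, NULL);` in the second hunk is ignored, so if the linked GnuTLS rejects the string (for instance a release that does not recognise one of the keywords) the session silently keeps the library's default priorities and the handshake goes ahead with whatever those allow — the opposite of what this hardening patch is for. Because `gnutls_init` has already succeeded a few lines above, the failure path should release the session as well as the credentials: `if (gnutls_priority_set_direct (data->sess, priority_string, NULL) < 0) { gnutls_deinit (data->sess); gnutls_certificate_free_credentials (data->cred); return IKS_NET_TLSFAIL; }` (IKS_NET_TLSFAIL is iksemel's TLS error code; keep IKS_NOMEM if the surrounding code stays with that convention). Separately, `-VERS-TLS-ALL:+VERS-TLS1.2` pins the client to exactly TLS 1.2, which will refuse TLS 1.3 on GnuTLS builds that support it; disabling the old versions explicitly (`-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1`) expresses the intent without capping future versions, and either choice deserves a comment above `priority_string`. `handshake` continues past the end of the hunk.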
@@ -1,65 +0,0 @@
-From 6b213b593c5b499679506a8c169ff3f0f4d6a34f Mon Sep 17 00:00:00 2001
-From: John Papandriopoulos
-Date: Thu, 20 Aug 2015 16:55:39 -0700
-Subject: [PATCH] Use of newer gnutls_priority_set_direct API
-
----
- configure.ac | 1 +
- src/stream.c | 13 +++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 91e69e3..281a044 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -46,6 +46,7 @@ AC_CHECK_FUNCS(getopt_long)
- AC_CHECK_FUNCS(getaddrinfo)
- 
- AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
-+AM_PATH_LIBGNUTLS(,AC_CHECK_FUNCS(gnutls_priority_set_direct))
- 
- dnl Check -Wall flag of GCC
- if test "x$GCC" = "xyes"; then
-diff --git a/src/stream.c b/src/stream.c
-index e8a1e8c..7d19a82 100644
---- a/src/stream.c
-+++ b/src/stream.c
-@@ -63,11 +63,20 @@ tls_pull (iksparser *prs, char *buffer, size_t len)
- static int
- handshake (struct stream_data *data)
- {
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+ const char *priorities =
-+ "NONE"
-+ ":+VERS-TLS1.0:+VERS-SSL3.0"
-+ ":+RSA"
-+ ":+3DES-CBC:+ARCFOUR-128"
-+ ":+SHA1:+SHA256:+SHA384:+MD5";
-+#else
- const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
- const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
- const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
- const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
-+#endif
- int ret;
- 
- if (gnutls_global_init () != 0)
-@@ -80,11 +89,15 @@ handshake (struct stream_data *data)
- gnutls_certificate_free_credentials (data->cred);
- return IKS_NOMEM;
- }
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+ gnutls_priority_set_direct (data->sess, priorities, NULL);
-+#else
- gnutls_protocol_set_priority (data->sess, protocol_priority);
- gnutls_cipher_set_priority(data->sess, cipher_priority);
- gnutls_compression_set_priority(data->sess, comp_priority);
- gnutls_kx_set_priority(data->sess, kx_priority);
- gnutls_mac_set_priority(data->sess, mac_priority);
-+#endif
- gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
- 
- gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
---
-2.1.4
diff --git a/libs/libosip2/Makefile b/libs/libosip2/Makefile
index fe4066b..d5d6a84 100644
--- a/libs/libosip2/Makefile
+++ b/libs/libosip2/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libosip2
 PKG_VERSION:=4.1.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@GNU/osip
diff --git a/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch b/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch
new file mode 100644
index 0000000..b217d0d
--- /dev/null
+++ b/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch
@@ -0,0 +1,69 @@
+Upstream patches by Aymeric Moizard :
+
+7e0793e15e21f68337e130c67b031ca38edf055f
+1d9fb1d3a71cc85ef95352e549b140c706cf8696
+b9dd097b5b24f5ee54b0a8739e59641cd51b6ead
+1ae06daf3b2375c34af23083394a6f010be24a45
+
+--- libosip2-4.1.0.orig/src/osipparser2/osip_body.c
++++ libosip2-4.1.0/src/osipparser2/osip_body.c
+@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
+ }
+ 
+ if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
++ if (length < tmp_body - ptr + 3) {
++ size_t len;
++
++ len = tmp_body - ptr;
++ length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
++ ptr = osip_realloc (ptr, length);
++ tmp_body = ptr + len;
++ }
+ tmp_body = osip_strn_append (tmp_body, CRLF, 2);
+ }
+ if (length < tmp_body - ptr + body->length + 4) {
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_parse.c
++++ libosip2-4.1.0/src/osipparser2/osip_message_parse.c
+@@ -812,6 +812,12 @@ msg_osip_body_parse (osip_message_t * si
+ if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
+ start_of_body++;
+ 
++ /* if message body is empty or contains a single CR/LF */
++ if (end_of_body <= start_of_body) {
++ osip_free (sep_boundary);
++ return OSIP_SYNTAXERROR;
++ }
++
+ body_len = end_of_body - start_of_body;
+ 
+ /* Skip CR before end boundary. */
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_to_str.c
++++ libosip2-4.1.0/src/osipparser2/osip_message_to_str.c
+@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
+ /* A start-line isn't required for message/sipfrag parts. */
+ }
+ else {
++ size_t message_len = strlen(tmp);
++ if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
++ osip_free (tmp);
++ *dest = NULL;
++ return OSIP_NOMEM;
++ }
++
+ message = osip_str_append (message, tmp);
+ osip_free (tmp);
+ message = osip_strn_append (message, CRLF, 2);
+--- libosip2-4.1.0.orig/src/osipparser2/osip_port.c
++++ libosip2-4.1.0/src/osipparser2/osip_port.c
+@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
+ char *p;
+ size_t spaceless_length;
+ 
+- if (src == NULL)
++ if (src == NULL || len == 0) {
++ *dst = '\0';
+ return NULL;
++ }
+ 
+ /* find the start of relevant text */
+ pbeg = src;
diff --git a/libs/libsrtp/Makefile b/libs/libsrtp/Makefile
index eb7d3bc..84f5ab5 100644
--- a/libs/libsrtp/Makefile
+++ b/libs/libsrtp/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libsrtp
 PKG_VERSION:=1.4.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=srtp-$(PKG_VERSION).tgz
 PKG_SOURCE_URL:=@SF/srtp
diff --git a/libs/libsrtp/patches/1009_CVE-2013-2139.patch b/libs/libsrtp/patches/1009_CVE-2013-2139.patch
new file mode 100644
index 0000000..3a1976b
--- /dev/null
+++ b/libs/libsrtp/patches/1009_CVE-2013-2139.patch
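Review bot: In the osip_body_to_str hunk the grown buffer is assigned with `ptr = osip_realloc (ptr, length);` and never checked, so on allocation failure the only reference to the old buffer is lost (leak) and the following `tmp_body = ptr + len;` and `osip_strn_append (tmp_body, CRLF, 2)` write through a pointer computed from NULL. The `_osip_message_to_str` hunk in the same patch does check its `_osip_message_realloc` result and returns `OSIP_NOMEM`, so this block should follow the same pattern; I am assuming osip_body_to_str returns the same int error codes and, if it has a caller-visible output pointer like `dest`, that it should be cleared the way `*dest = NULL` is done there — neither is visible in the hunk. The pre-existing `if (length < tmp_body - ptr + body->length + 4)` block directly below presumably has the same unchecked shape, but it lies outside the hunk. osip_body_to_str starts and ends outside the hunk.
```c
    if (length < tmp_body - ptr + 3) {
      size_t len = tmp_body - ptr;
      char *grown;

      length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
      grown = osip_realloc (ptr, length);
      if (grown == NULL) {
        osip_free (ptr);   /* ptr is still valid after a failed realloc */
        return OSIP_NOMEM;
      }
      ptr = grown;
      tmp_body = ptr + len;
    }
    /* … unchanged: osip_strn_append (tmp_body, CRLF, 2) … */
```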
@@ -0,0 +1,39 @@
+Description: CVE-2013-2139: buffer overflow in application of crypto profiles
+Origin: backport,
+ https://github.com/cisco/libsrtp/pull/27,
+ https://github.com/cisco/libsrtp/commit/8884f4d8eb4ca7122dfcbd640b933b98ef4bab80,
+ https://github.com/cisco/libsrtp/commit/8e47faf0f5b90672c7ebf2f0cf0562ee81a8b621,
+ https://github.com/cisco/libsrtp/commit/0acbb039c12b790621839facf56bfedbd071b74d
+Bug: https://github.com/cisco/libsrtp/issues/24
+Bug-Debian: http://bugs.debian.org/711163
+Forwarded: not-needed
+Author: Salvatore Bonaccorso
+Last-Update: 2014-01-02
+
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -1807,15 +1807,12 @@
+ switch(profile) {
+ case srtp_profile_aes128_cm_sha1_80:
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
+ crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
+ crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+- crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+ break;
+ /* the following profiles are not (yet) supported */
+ case srtp_profile_null_sha1_32:
+@@ -1838,6 +1835,8 @@
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
++ /* We do not honor the 32-bit auth tag request since
++ * this is not compliant with RFC 3711 */
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
diff --git a/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch b/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch
new file mode 100644
index 0000000..d3a3564
--- /dev/null
+++ b/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch
@@ -0,0 +1,13 @@
+Index: srtp-1.4.4~dfsg/srtp/srtp.c
+===================================================================
+--- srtp-1.4.4~dfsg.orig/srtp/srtp.c 2016-01-17 19:49:52.000000000 +0100
++++ srtp-1.4.4~dfsg/srtp/srtp.c 2016-01-17 22:50:43.000000000 +0100
+@@ -938,6 +938,8 @@
+ srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+ enc_start += (ntohs(xtn_hdr->length) + 1);
+ }
++ if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
++ return err_status_parse_err;
+ enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
+ - ((enc_start - (uint32_t *)hdr) << 2));
+ } else {
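Review bot: The new bound in `if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))` is formed as a pointer, so for a packet shorter than the auth tag `*pkt_octet_len - tag_len` goes negative and the expression points before `hdr`; the comparison then happens to reject the packet, but forming a pointer outside the object is undefined behaviour in C and the optimiser may assume it cannot occur. Doing the arithmetic on lengths keeps the same decision without the out-of-object pointer: `if (*pkt_octet_len < tag_len || (uint8_t *)enc_start - (uint8_t *)hdr >= *pkt_octet_len - tag_len) return err_status_parse_err;` (assuming `*pkt_octet_len` and `tag_len` are plain ints, which the hunk does not show). Note also that `xtn_hdr->length` is dereferenced before this check runs, so the extension header itself still depends on whatever minimum-length check precedes the hunk. The enclosing function starts and ends outside the hunk.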