From 5eee92177f5a67ddff8ce0c071405d8b89ea9206 Mon Sep 17 00:00:00 2001
From: Sebastian Kemper
Date: Wed, 10 Jan 2018 20:03:23 +0100
Subject: [PATCH] libsrtp: add patches that fix 2 CVEs
Patches copied from Debian. They fix: CVE-2013-2139 CVE-2015-6360
Signed-off-by: Sebastian Kemper
---
 libs/libsrtp/Makefile | 2 +-
 libs/libsrtp/patches/1009_CVE-2013-2139.patch | 39 +++++++++++++++++++
 .../patches/1010-CVE-2015-6360-1.patch | 13 +++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 libs/libsrtp/patches/1009_CVE-2013-2139.patch
 create mode 100644 libs/libsrtp/patches/1010-CVE-2015-6360-1.patch
diff --git a/libs/libsrtp/Makefile b/libs/libsrtp/Makefile
index eb7d3bc..84f5ab5 100644
--- a/libs/libsrtp/Makefile
+++ b/libs/libsrtp/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=libsrtp
 PKG_VERSION:=1.4.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=srtp-$(PKG_VERSION).tgz
 PKG_SOURCE_URL:=@SF/srtp
diff --git a/libs/libsrtp/patches/1009_CVE-2013-2139.patch b/libs/libsrtp/patches/1009_CVE-2013-2139.patch
new file mode 100644
index 0000000..3a1976b
--- /dev/null
+++ b/libs/libsrtp/patches/1009_CVE-2013-2139.patch
@@ -0,0 +1,39 @@
+Description: CVE-2013-2139: buffer overflow in application of crypto profiles
+Origin: backport,
+ https://github.com/cisco/libsrtp/pull/27,
+ https://github.com/cisco/libsrtp/commit/8884f4d8eb4ca7122dfcbd640b933b98ef4bab80,
+ https://github.com/cisco/libsrtp/commit/8e47faf0f5b90672c7ebf2f0cf0562ee81a8b621,
+ https://github.com/cisco/libsrtp/commit/0acbb039c12b790621839facf56bfedbd071b74d
+Bug: https://github.com/cisco/libsrtp/issues/24
+Bug-Debian: http://bugs.debian.org/711163
+Forwarded: not-needed
+Author: Salvatore Bonaccorso
+Last-Update: 2014-01-02
+
+--- a/srtp/srtp.c
++++ b/srtp/srtp.c
+@@ -1807,15 +1807,12 @@
+ switch(profile) {
+ case srtp_profile_aes128_cm_sha1_80:
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
+ crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+- crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
+ crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+- crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+ break;
+ /* the following profiles are not (yet) supported */
+ case srtp_profile_null_sha1_32:
+@@ -1838,6 +1835,8 @@
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_aes128_cm_sha1_32:
++ /* We do not honor the 32-bit auth tag request since
++ * this is not compliant with RFC 3711 */
+ crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+ break;
+ case srtp_profile_null_sha1_80:
diff --git a/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch b/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch
new file mode 100644
index 0000000..d3a3564
--- /dev/null
+++ b/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch
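Review bot: In 1009_CVE-2013-2139.patch, the comment added at the `srtp_profile_aes128_cm_sha1_32` case of the second inner hunk says why the 32-bit tag is ignored but not what that means for a caller's buffer sizing. Once the first inner hunk drops the overwriting calls, that profile selects the 32-bit-tag policy in one switch and still the 80-bit-tag policy in the other (apparently the RTCP variant; both function names lie outside the hunks). A caller that reserves trailer space from the profile's tag length therefore needs the larger size on the second path. I would extend the comment along the lines of `/* RTCP always gets the 80-bit tag (RFC 3711); callers must reserve room for it even with a _32 profile */`. The header lists three upstream commits under Origin while only two srtp.c hunks are carried, so a Description line stating what, if anything, was left out of the backport would help later audits.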
@@ -0,0 +1,13 @@
+Index: srtp-1.4.4~dfsg/srtp/srtp.c
+===================================================================
+--- srtp-1.4.4~dfsg.orig/srtp/srtp.c 2016-01-17 19:49:52.000000000 +0100
++++ srtp-1.4.4~dfsg/srtp/srtp.c 2016-01-17 22:50:43.000000000 +0100
+@@ -938,6 +938,8 @@
+ srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+ enc_start += (ntohs(xtn_hdr->length) + 1);
+ }
++ if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
++ return err_status_parse_err;
+ enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
+ - ((enc_start - (uint32_t *)hdr) << 2));
+ } else {
--
2.30.2
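Review bot: In 1010-CVE-2015-6360-1.patch, the added bounds check runs only after `xtn_hdr->length` has been read and `enc_start` advanced, so unless an earlier check outside the hunk guarantees the extension header is present, a packet that ends before it is still read past its end before the guard can reject it. A test ahead of the `enc_start +=` line would cover that read, e.g. `if ((uint8_t*)(xtn_hdr + 1) > (uint8_t*)hdr + (*pkt_octet_len - tag_len)) return err_status_parse_err;`. The guard also depends on `*pkt_octet_len - tag_len` not going negative, which the visible lines do not establish. The enclosing function and the `if` that opens this block start outside the hunk, and only one site is patched, so it is worth confirming whether the opposite protect/unprotect path walks the extension header the same way. Unlike 1009, this patch file has no Description/Origin header naming the upstream commit it was taken from.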