Accepting request 244636 from home:sreeves1:branches:multimedia:libs

OBS-URL: https://build.opensuse.org/request/show/244636
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/pulseaudio?expand=0&rev=141

pulseaudio-bnc881524-rtp.patch

@@ -0,0 +1,52 @@
+commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c
+Author: Alexander E. Patrakov <patrakov@gmail.com>
+Date:   Thu Jun 5 22:29:25 2014 +0600
+
+    rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
+    
+    On FIONREAD returning 0 bytes, we cannot return success, as the caller
+    (rtpoll_work_cb in module-rtp-recv.c) would then try to
+    pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
+    an assertion.
+    
+    Also we have to read out the possible empty packet from the socket, so
+    that the kernel doesn't tell us again and again about it.
+    
+    Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
+
+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
+index 570737e..7b75e0e 100644
+--- a/src/modules/rtp/rtp.c
++++ b/src/modules/rtp/rtp.c
+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
+         goto fail;
+     }
+ 
+-    if (size <= 0)
+-        return 0;
++    if (size <= 0) {
++        /* size can be 0 due to any of the following reasons:
++         *
++         * 1. Somebody sent us a perfectly valid zero-length UDP packet.
++         * 2. Somebody sent us a UDP packet with a bad CRC.
++         *
++         * It is unknown whether size can actually be less than zero.
++         *
++         * In the first case, the packet has to be read out, otherwise the
++         * kernel will tell us again and again about it, thus preventing
++         * reception of any further packets. So let's just read it out
++         * now and discard it later, when comparing the number of bytes
++         * received (0) with the number of bytes wanted (1, see below).
++         *
++         * In the second case, recvmsg() will fail, thus allowing us to
++         * return the error.
++         *
++         * Just to avoid passing zero-sized memchunks and NULL pointers to
++         * recvmsg(), let's force allocation of at least one byte by setting
++         * size to 1.
++         */
++        size = 1;
++    }
+ 
+     if (c->memchunk.length < (unsigned) size) {
+         size_t l;

pulseaudio.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jul 18 20:11:16 UTC 2014 - sreeves@suse.com
+
+- Add pulseaudio-bnc881524-rtp.patch.  CVE-2014-3970
+    Denial of service in module-rtp-recv
+
 -------------------------------------------------------------------
 Thu Mar 20 20:17:16 UTC 2014 - crrodriguez@opensuse.org
 

pulseaudio.spec

@@ -42,6 +42,8 @@ Source99:       baselibs.conf
 Patch0:         disabled-start.diff
 Patch1:         suppress-socket-error-msg.diff
 Patch2:         pulseaudio-wrong-memset.patch
+# PATCH-FIX-UPSTREAM pulseaudio-bnc881524-rtp.patch sreeves@suse.com
+Patch3:         pulseaudio-bnc881524-rtp.patch
 BuildRequires:  alsa-devel >= 1.0.19
 # require only minimal bluez, if we are on bluez 5 we will determine in %build phase
 BuildRequires:  bluez-devel >= 4.99
@@ -290,6 +292,7 @@ This package contains GDM integration hooks for the PulseAudio sound server.
 %patch0
 %patch1 -p1
 %patch2
+%patch3 -p1
 
 %build
 %configure \