From 31fea2963d14c66e5c77d830a1352d08c6f557dbde30ab16719f4a54d068c66c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Thu, 14 Aug 2014 09:05:07 +0000 Subject: [PATCH] Accepting request 244636 from home:sreeves1:branches:multimedia:libs OBS-URL: https://build.opensuse.org/request/show/244636 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/pulseaudio?expand=0&rev=141 --- pulseaudio-bnc881524-rtp.patch | 52 ++++++++++++++++++++++++++++++++++ pulseaudio.changes | 6 ++++ pulseaudio.spec | 3 ++ 3 files changed, 61 insertions(+) create mode 100644 pulseaudio-bnc881524-rtp.patch diff --git a/pulseaudio-bnc881524-rtp.patch b/pulseaudio-bnc881524-rtp.patch new file mode 100644 index 0000000..a8037d6 --- /dev/null +++ b/pulseaudio-bnc881524-rtp.patch @@ -0,0 +1,52 @@ +commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c +Author: Alexander E. Patrakov +Date: Thu Jun 5 22:29:25 2014 +0600 + + rtp-recv: fix crash on empty UDP packets (CVE-2014-3970) + + On FIONREAD returning 0 bytes, we cannot return success, as the caller + (rtpoll_work_cb in module-rtp-recv.c) would then try to + pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger + an assertion. + + Also we have to read out the possible empty packet from the socket, so + that the kernel doesn't tell us again and again about it. + + Signed-off-by: Alexander E. Patrakov + +diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c +index 570737e..7b75e0e 100644 +--- a/src/modules/rtp/rtp.c ++++ b/src/modules/rtp/rtp.c +@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct + goto fail; + } + +- if (size <= 0) +- return 0; ++ if (size <= 0) { ++ /* size can be 0 due to any of the following reasons: ++ * ++ * 1. Somebody sent us a perfectly valid zero-length UDP packet. ++ * 2. Somebody sent us a UDP packet with a bad CRC. ++ * ++ * It is unknown whether size can actually be less than zero. ++ * ++ * In the first case, the packet has to be read out, otherwise the ++ * kernel will tell us again and again about it, thus preventing ++ * reception of any further packets. So let's just read it out ++ * now and discard it later, when comparing the number of bytes ++ * received (0) with the number of bytes wanted (1, see below). ++ * ++ * In the second case, recvmsg() will fail, thus allowing us to ++ * return the error. ++ * ++ * Just to avoid passing zero-sized memchunks and NULL pointers to ++ * recvmsg(), let's force allocation of at least one byte by setting ++ * size to 1. ++ */ ++ size = 1; ++ } + + if (c->memchunk.length < (unsigned) size) { + size_t l; diff --git a/pulseaudio.changes b/pulseaudio.changes index ef6aad2..3f3b36c 100644 --- a/pulseaudio.changes +++ b/pulseaudio.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Jul 18 20:11:16 UTC 2014 - sreeves@suse.com + +- Add pulseaudio-bnc881524-rtp.patch. CVE-2014-3970 + Denial of service in module-rtp-recv + ------------------------------------------------------------------- Thu Mar 20 20:17:16 UTC 2014 - crrodriguez@opensuse.org diff --git a/pulseaudio.spec b/pulseaudio.spec index c0b5808..6534973 100644 --- a/pulseaudio.spec +++ b/pulseaudio.spec @@ -42,6 +42,8 @@ Source99: baselibs.conf Patch0: disabled-start.diff Patch1: suppress-socket-error-msg.diff Patch2: pulseaudio-wrong-memset.patch +# PATCH-FIX-UPSTREAM pulseaudio-bnc881524-rtp.patch sreeves@suse.com +Patch3: pulseaudio-bnc881524-rtp.patch BuildRequires: alsa-devel >= 1.0.19 # require only minimal bluez, if we are on bluez 5 we will determine in %build phase BuildRequires: bluez-devel >= 4.99 @@ -290,6 +292,7 @@ This package contains GDM integration hooks for the PulseAudio sound server. %patch0 %patch1 -p1 %patch2 +%patch3 -p1 %build %configure \