Hello community,

here is the log from the commit of package pulseaudio for openSUSE:Factory 
checked in at 2014-08-15 09:55:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pulseaudio (Old)
 and      /work/SRC/openSUSE:Factory/.pulseaudio.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pulseaudio"

Changes:
--------
--- /work/SRC/openSUSE:Factory/pulseaudio/pulseaudio.changes    2014-03-23 
22:29:41.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.pulseaudio.new/pulseaudio.changes       
2014-08-15 09:55:46.000000000 +0200
@@ -1,0 +2,6 @@
+Fri Jul 18 20:11:16 UTC 2014 - [email protected]
+
+- Add pulseaudio-bnc881524-rtp.patch.  CVE-2014-3970
+    Denial of service in module-rtp-recv
+
+-------------------------------------------------------------------
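Review bot: The changelog entry names CVE-2014-3970 in its text, but the bug number appears only inside the patch file name. Write the bug reference out next to the CVE in the entry itself, so it can be found without parsing "pulseaudio-bnc881524-rtp.patch".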

New:
----
  pulseaudio-bnc881524-rtp.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pulseaudio.spec ++++++
--- /var/tmp/diff_new_pack.Lzcgm7/_old  2014-08-15 09:55:47.000000000 +0200
+++ /var/tmp/diff_new_pack.Lzcgm7/_new  2014-08-15 09:55:47.000000000 +0200
@@ -42,6 +42,8 @@
 Patch0:         disabled-start.diff
 Patch1:         suppress-socket-error-msg.diff
 Patch2:         pulseaudio-wrong-memset.patch
+# PATCH-FIX-UPSTREAM pulseaudio-bnc881524-rtp.patch [email protected]
+Patch3:         pulseaudio-bnc881524-rtp.patch
 BuildRequires:  alsa-devel >= 1.0.19
 # require only minimal bluez, if we are on bluez 5 we will determine in %build 
phase
 BuildRequires:  bluez-devel >= 4.99
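Review bot: The tag comment added above Patch3 gives only the patch name and the submitter address, so the spec file does not say why the patch is carried. Extend the "# PATCH-FIX-UPSTREAM" line with the CVE-2014-3970 reference and a short description (the patch's own subject, "rtp-recv: fix crash on empty UDP packets", would do), so the spec is self-explanatory when read without the changelog.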
@@ -290,6 +292,7 @@
 %patch0
 %patch1 -p1
 %patch2
+%patch3 -p1
 
 %build
 %configure \

++++++ pulseaudio-bnc881524-rtp.patch ++++++
commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c
Author: Alexander E. Patrakov <[email protected]>
Date:   Thu Jun 5 22:29:25 2014 +0600

    rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
    
    On FIONREAD returning 0 bytes, we cannot return success, as the caller
    (rtpoll_work_cb in module-rtp-recv.c) would then try to
    pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
    an assertion.
    
    Also we have to read out the possible empty packet from the socket, so
    that the kernel doesn't tell us again and again about it.
    
    Signed-off-by: Alexander E. Patrakov <[email protected]>

diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
index 570737e..7b75e0e 100644
--- a/src/modules/rtp/rtp.c
+++ b/src/modules/rtp/rtp.c
@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, 
pa_mempool *pool, struct
         goto fail;
     }
 
-    if (size <= 0)
-        return 0;
+    if (size <= 0) {
+        /* size can be 0 due to any of the following reasons:
+         *
+         * 1. Somebody sent us a perfectly valid zero-length UDP packet.
+         * 2. Somebody sent us a UDP packet with a bad CRC.
+         *
+         * It is unknown whether size can actually be less than zero.
+         *
+         * In the first case, the packet has to be read out, otherwise the
+         * kernel will tell us again and again about it, thus preventing
+         * reception of any further packets. So let's just read it out
+         * now and discard it later, when comparing the number of bytes
+         * received (0) with the number of bytes wanted (1, see below).
+         *
+         * In the second case, recvmsg() will fail, thus allowing us to
+         * return the error.
+         *
+         * Just to avoid passing zero-sized memchunks and NULL pointers to
+         * recvmsg(), let's force allocation of at least one byte by setting
+         * size to 1.
+         */
+        size = 1;
+    }
 
     if (c->memchunk.length < (unsigned) size) {
         size_t l;
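Review bot: The new "if (size <= 0)" branch treats a negative size exactly like zero, although its own comment says "It is unknown whether size can actually be less than zero". The comment justifies forcing "size = 1" only for the zero-length case, so consider handling size < 0 explicitly (for example by taking the existing "goto fail" path) and keeping the one-byte read for size == 0. The discard also relies on a later comparison of bytes received against bytes wanted that lies outside this hunk; please confirm that this path returns an error, so that the caller never reaches pa_memblock_unref(chunk.memblock) with a NULL memblock, which is the assertion the commit message describes.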