Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package live555 for openSUSE:Factory checked in at 2026-05-28 17:23:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/live555 (Old) and /work/SRC/openSUSE:Factory/.live555.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "live555" Thu May 28 17:23:59 2026 rev:44 rq:1355360 version:2026.04.22 Changes: -------- --- /work/SRC/openSUSE:Factory/live555/live555.changes 2026-03-29 20:00:31.433015741 +0200 +++ /work/SRC/openSUSE:Factory/.live555.new.1937/live555.changes 2026-05-28 17:24:36.761940954 +0200 @@ -1,0 +2,21 @@ +Wed May 27 10:32:53 UTC 2026 - Dominique Leuenberger <[email protected]> + +- Update to version 2026.04.22 (CVE-2026-41470, boo#1265856): + + Added extra checking to the handling of the RTSP server's + "PLAY", "PAUSE", "TEARDOWN", and "SET_PARAMETER" commands, to + ensure that, if the session is authenticated, then a proper + authentication check is done before these commands are handled. + This protects against the use of a 'stolen' RTSP session id to + send these commands. (Note, however, that if the session is + not authenticated (i.e., no username,password is needed), then no + such protection is possible.) +- Changes from version 2026-04-01: + + Updated the way that the RTSP server generates successive RTSP + 'session ids' to make it less likely that an attacker could + guess a session id. + + Updated the RTSP server implementation to make it possible for + a client to request both interleaved (i.e., RTP/RTCP-over-TCP) + and non-interleaved (i.e., RTP/RTCP-over-UDP) delivery within + the same session. + +------------------------------------------------------------------- Old: ---- live.2026.03.23.tar.gz New: ---- live.2026.04.22.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ live555.spec ++++++ --- /var/tmp/diff_new_pack.RRQpEn/_old 2026-05-28 17:24:37.597975561 +0200 +++ /var/tmp/diff_new_pack.RRQpEn/_new 2026-05-28 17:24:37.601975726 +0200 
@@ -17,10 +17,10 @@ # -%define lmdmaj 117 +%define lmdmaj 118 Name: live555 -Version: 2026.03.23 +Version: 2026.04.22 Release: 0 Summary: LIVE555 Streaming Media License: LGPL-2.1-only ++++++ live.2026.03.23.tar.gz -> live.2026.04.22.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/BasicUsageEnvironment/include/BasicUsageEnvironment_version.hh new/live/BasicUsageEnvironment/include/BasicUsageEnvironment_version.hh --- old/live/BasicUsageEnvironment/include/BasicUsageEnvironment_version.hh 2026-03-23 06:13:40.000000000 +0100 +++ new/live/BasicUsageEnvironment/include/BasicUsageEnvironment_version.hh 2026-04-22 22:34:43.000000000 +0200 @@ -19,8 +19,8 @@ #ifndef _BASICUSAGEENVIRONMENT_VERSION_HH #define _BASICUSAGEENVIRONMENT_VERSION_HH -#define BASICUSAGEENVIRONMENT_LIBRARY_VERSION_STRING "2026.03.23" -#define BASICUSAGEENVIRONMENT_LIBRARY_VERSION_INT 1774224000 +#define BASICUSAGEENVIRONMENT_LIBRARY_VERSION_STRING "2026.04.22" +#define BASICUSAGEENVIRONMENT_LIBRARY_VERSION_INT 1776816000 extern char const* const BasicUsageEnvironmentLibraryVersionStr; extern int const BasicUsageEnvironmentLibraryVersionInt; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/UsageEnvironment/include/UsageEnvironment_version.hh new/live/UsageEnvironment/include/UsageEnvironment_version.hh --- old/live/UsageEnvironment/include/UsageEnvironment_version.hh 2026-03-23 06:13:40.000000000 +0100 +++ new/live/UsageEnvironment/include/UsageEnvironment_version.hh 2026-04-22 22:34:43.000000000 +0200 
@@ -19,8 +19,8 @@ #ifndef _USAGEENVIRONMENT_VERSION_HH #define _USAGEENVIRONMENT_VERSION_HH -#define USAGEENVIRONMENT_LIBRARY_VERSION_STRING "2026.03.23" -#define USAGEENVIRONMENT_LIBRARY_VERSION_INT 1774224000 +#define USAGEENVIRONMENT_LIBRARY_VERSION_STRING "2026.04.22" +#define USAGEENVIRONMENT_LIBRARY_VERSION_INT 1776816000 extern char const* const UsageEnvironmentLibraryVersionStr; extern int const UsageEnvironmentLibraryVersionInt; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/config.linux-with-shared-libraries new/live/config.linux-with-shared-libraries --- old/live/config.linux-with-shared-libraries 2026-03-23 06:14:03.000000000 +0100 +++ new/live/config.linux-with-shared-libraries 2026-04-22 22:35:05.000000000 +0200 @@ -3,8 +3,8 @@ # At least one interface changes, or is removed => CURRENT += 1; REVISION = 0; AGE = 0 # One or more interfaces were added, but no existing interfaces were changed or removed => CURRENT += 1; REVISION = 0; AGE += 1 -libliveMedia_VERSION_CURRENT=117 -libliveMedia_VERSION_REVISION=2 +libliveMedia_VERSION_CURRENT=118 +libliveMedia_VERSION_REVISION=0 libliveMedia_VERSION_AGE=0 libliveMedia_LIB_SUFFIX=so.$(shell expr $(libliveMedia_VERSION_CURRENT) - $(libliveMedia_VERSION_AGE)).$(libliveMedia_VERSION_AGE).$(libliveMedia_VERSION_REVISION) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/groupsock/include/groupsock_version.hh new/live/groupsock/include/groupsock_version.hh --- old/live/groupsock/include/groupsock_version.hh 2026-03-23 06:13:40.000000000 +0100 +++ new/live/groupsock/include/groupsock_version.hh 2026-04-22 22:34:43.000000000 +0200 
@@ -19,8 +19,8 @@ #ifndef _GROUPSOCK_VERSION_HH #define _GROUPSOCK_VERSION_HH -#define GROUPSOCK_LIBRARY_VERSION_STRING "2026.03.23" -#define GROUPSOCK_LIBRARY_VERSION_INT 1774224000 +#define GROUPSOCK_LIBRARY_VERSION_STRING "2026.04.22" +#define GROUPSOCK_LIBRARY_VERSION_INT 1776816000 extern char const* const groupsockLibraryVersionStr; extern int const groupsockLibraryVersionInt; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/liveMedia/GenericMediaServer.cpp new/live/liveMedia/GenericMediaServer.cpp --- old/live/liveMedia/GenericMediaServer.cpp 2026-03-23 06:13:40.000000000 +0100 +++ new/live/liveMedia/GenericMediaServer.cpp 2026-04-22 22:34:43.000000000 +0200 @@ -403,7 +403,9 @@ // because that has a special use by some servers. Similarly, we avoid choosing the same // session id twice in a row.) do { - sessionId = (u_int32_t)our_random32(); + struct timeval timeNow; + gettimeofday(&timeNow, NULL); + sessionId = (u_int32_t)(our_random32() ^ timeNow.tv_sec ^ timeNow.tv_usec); snprintf(sessionIdStr, sizeof sessionIdStr, "%08X", sessionId); } while (sessionId == 0 || sessionId == fPreviousClientSessionId || lookupClientSession(sessionIdStr) != NULL); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/liveMedia/OnDemandServerMediaSubsession.cpp new/live/liveMedia/OnDemandServerMediaSubsession.cpp --- old/live/liveMedia/OnDemandServerMediaSubsession.cpp 2026-03-23 06:13:40.000000000 +0100 +++ new/live/liveMedia/OnDemandServerMediaSubsession.cpp 2026-04-22 22:34:43.000000000 +0200 
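Review bot: XORing gettimeofday() into our_random32() on the new `sessionId = (u_int32_t)(our_random32() ^ timeNow.tv_sec ^ timeNow.tv_usec);` line adds little unpredictability: the remote attacker the changelog describes can estimate the server clock to within seconds, and tv_usec contributes at most about 20 bits, so the id's strength still rests on whatever our_random32() is (its definition is not in this diff; if it is a deterministic generator seeded from time, the id stays guessable). The right source here is the OS CSPRNG — fill `sessionId` from getrandom()/`/dev/urandom` (or the platform equivalent) and only fall back to the current expression if that read fails. Note also that the id is 32 bits printed as 8 hex digits, which meets RFC 2326's eight-octet minimum only textually; widening it would also require enlarging `sessionIdStr` and `fPreviousClientSessionId`. The enclosing session-creation function starts and ends outside this hunk.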
@@ -557,14 +557,14 @@ if (dests->isTCP) { // Change RTP and RTCP to use the TCP socket instead of UDP: - if (fRTPSink != NULL && dests->rtpChannelId != 0xFF) { + if (fRTPSink != NULL) { fRTPSink->addStreamSocket(dests->tcpSocketNum, dests->rtpChannelId, dests->tlsState); RTPInterface ::setServerRequestAlternativeByteHandler(fRTPSink->envir(), dests->tcpSocketNum, serverRequestAlternativeByteHandler, serverRequestAlternativeByteHandlerClientData); // So that we continue to handle RTSP commands from the client } - if (fRTCPInstance != NULL && dests->rtcpChannelId != 0xFF) { + if (fRTCPInstance != NULL) { fRTCPInstance->addStreamSocket(dests->tcpSocketNum, dests->rtcpChannelId, dests->tlsState); struct sockaddr_storage tcpSocketNumAsAddress; // hack diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/liveMedia/RTSPServer.cpp new/live/liveMedia/RTSPServer.cpp --- old/live/liveMedia/RTSPServer.cpp 2026-03-23 06:13:40.000000000 +0100 +++ new/live/liveMedia/RTSPServer.cpp 2026-04-22 22:34:43.000000000 +0200 @@ -366,7 +366,10 @@ } void RTSPServer::RTSPClientConnection -::handleCmd_SET_PARAMETER(char const* /*fullRequestStr*/) { +::handleCmd_SET_PARAMETER(char const* fullRequestStr) { + // If we're authenticating, then any attempt to change state should be checked: + if (!authenticationOK("SET_PARAMETER", "", fullRequestStr)) return; + // By default, we implement "SET_PARAMETER" (on the entire server) just as a 'no op', and send back an empty response. // (If you want to handle this type of "SET_PARAMETER" differently, you can do so by defining a subclass of "RTSPServer" // and "RTSPServer::RTSPClientConnection", and then reimplement this virtual function in your subclass.) 
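Review bot: A 0xFF channel id now reaches both `addStreamSocket` calls, because the `!= 0xFF` guards are gone, so this hunk silently relies on `dests->isTCP` never being set while either rtp/rtcp channel id is still the unparsed 0xFF sentinel; where that invariant is established (Transport-header parsing) is outside this diff. I would make the assumption explicit so the next change to the TCP path does not reintroduce the case, e.g. `// dests->isTCP implies both channel ids came from the Transport header (never 0xFF); a missing id must be rejected upstream, not here`, or keep a defensive `if (dests->rtpChannelId == 0xFF || dests->rtcpChannelId == 0xFF) return;` if the invariant cannot be guaranteed. The enclosing function starts and ends outside this hunk.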
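Review bot: The connection-level SET_PARAMETER check passes an empty URL suffix to `authenticationOK("SET_PARAMETER", "", fullRequestStr)`, while the PLAY check elsewhere in this change passes the full rtspURL; if the configured authentication database or a subclass's access hook keys on the resource (not visible here), this request is authorized against the empty resource rather than the stream it affects, which is worth a one-line comment at the call. Presumably authenticationOK() also writes the 401 challenge response itself (its body is not in this diff); if it does not, the early `return` leaves the request unanswered. The enclosing function ends outside this hunk.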
@@ -1575,7 +1578,9 @@ subsession->getStreamParameters(fOurSessionId, fOurClientConnection->fClientAddr, clientRTPPort, clientRTCPPort, - fStreamStates[trackNum].tcpSocketNum, rtpChannelId, rtcpChannelId, + streamingMode == RTP_TCP + ? fStreamStates[trackNum].tcpSocketNum : -1, + rtpChannelId, rtcpChannelId, &fOurClientConnection->fTLS, destinationAddress, destinationTTL, fIsMulticast, serverRTPPort, serverRTCPPort, @@ -1725,11 +1730,11 @@ } if (strcmp(cmdName, "TEARDOWN") == 0) { - handleCmd_TEARDOWN(ourClientConnection, subsession); + handleCmd_TEARDOWN(ourClientConnection, subsession, fullRequestStr); } else if (strcmp(cmdName, "PLAY") == 0) { handleCmd_PLAY(ourClientConnection, subsession, fullRequestStr); } else if (strcmp(cmdName, "PAUSE") == 0) { - handleCmd_PAUSE(ourClientConnection, subsession); + handleCmd_PAUSE(ourClientConnection, subsession, fullRequestStr); } else if (strcmp(cmdName, "GET_PARAMETER") == 0) { handleCmd_GET_PARAMETER(ourClientConnection, subsession, fullRequestStr); } else if (strcmp(cmdName, "SET_PARAMETER") == 0) { @@ -1739,7 +1744,10 @@ void RTSPServer::RTSPClientSession ::handleCmd_TEARDOWN(RTSPServer::RTSPClientConnection* ourClientConnection, - ServerMediaSubsession* subsession) { + ServerMediaSubsession* subsession, char const* fullRequestStr) { + // If we're authenticating, then check here, to protect against use of a stolen session id: + if (!ourClientConnection->authenticationOK("TEARDOWN", "", fullRequestStr)) return; + unsigned i; for (i = 0; i < fNumStreamStates; ++i) { if (subsession == NULL /* means: aggregated operation */ 
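Review bot: GET_PARAMETER is still dispatched without an authentication check in this hunk, while TEARDOWN and PAUSE now receive `fullRequestStr` for exactly that purpose; a stolen session id can therefore still be used for GET_PARAMETER, which live555 clients use as the session keep-alive, so an attacker holding the id can keep a session alive after its legitimate client is gone and, if a subclass implements parameters, read them. If the exclusion is deliberate because the default handler is read-only, say so at the branch, e.g. `// GET_PARAMETER is intentionally not authenticated here: read-only, used as a keep-alive`; otherwise add the same `authenticationOK("GET_PARAMETER", "", fullRequestStr)` check at the top of handleCmd_GET_PARAMETER. The enclosing dispatch function starts and ends outside this hunk.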
@@ -1773,6 +1781,9 @@ = fOurRTSPServer.rtspURL(fOurServerMediaSession, ourClientConnection->fClientInputSocket); unsigned rtspURLSize = strlen(rtspURL); + // If we're authenticating, then check here, to protect against use of a stolen session id: + if (!ourClientConnection->authenticationOK("PLAY", rtspURL, fullRequestStr)) return; + // Parse the client's "Scale:" header, if any: float scale; Boolean sawScaleHeader = parseScaleHeader(fullRequestStr, scale); @@ -1986,7 +1997,10 @@ void RTSPServer::RTSPClientSession ::handleCmd_PAUSE(RTSPServer::RTSPClientConnection* ourClientConnection, - ServerMediaSubsession* subsession) { + ServerMediaSubsession* subsession, char const* fullRequestStr) { + // If we're authenticating, then check here, to protect against use of a stolen session id: + if (!ourClientConnection->authenticationOK("PAUSE", "", fullRequestStr)) return; + for (unsigned i = 0; i < fNumStreamStates; ++i) { if (subsession == NULL /* means: aggregated operation */ || subsession == fStreamStates[i].subsession) { 
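Review bot: The new early `return` in handleCmd_PLAY runs after `rtspURL` has been obtained from `fOurRTSPServer.rtspURL(...)`; in live555 that helper conventionally returns a `new[]`-allocated string that the handler releases at its end (the `delete[] rtspURL` is outside this hunk), so every rejected PLAY leaks one URL-sized allocation, and the rejected request is precisely the unauthenticated one, making this a cheap remote leak. Free it on the failure path: `if (!ourClientConnection->authenticationOK("PLAY", rtspURL, fullRequestStr)) { delete[] rtspURL; return; }`, or move the check above the rtspURL assignment if the URL is not actually needed by the check. A short comment explaining why PLAY passes the full URL while PAUSE and TEARDOWN pass "" would also help the next reader. The enclosing function starts and ends outside this hunk.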
@@ -2010,7 +2024,10 @@ void RTSPServer::RTSPClientSession ::handleCmd_SET_PARAMETER(RTSPServer::RTSPClientConnection* ourClientConnection, - ServerMediaSubsession* /*subsession*/, char const* /*fullRequestStr*/) { + ServerMediaSubsession* /*subsession*/, char const* fullRequestStr) { + // If we're authenticating, then any attempt to change state should be checked: + if (!fOurClientConnection->authenticationOK("SET_PARAMETER", "", fullRequestStr)) return; + // By default, we implement "SET_PARAMETER" just as a 'keep alive', and send back an empty response. // (If you want to handle "SET_PARAMETER" properly, you can do so by defining a subclass of "RTSPServer" // and "RTSPServer::RTSPClientSession", and then reimplement this virtual function in your subclass.) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/liveMedia/include/RTSPServer.hh new/live/liveMedia/include/RTSPServer.hh --- old/live/liveMedia/include/RTSPServer.hh 2026-03-23 06:13:40.000000000 +0100 +++ new/live/liveMedia/include/RTSPServer.hh 2026-04-22 22:34:43.000000000 +0200 
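Review bot: The new check in RTSPClientSession::handleCmd_SET_PARAMETER authenticates through the member `fOurClientConnection`, whereas the TEARDOWN, PLAY and PAUSE checks in this same change use the `ourClientConnection` parameter; the two are not obviously the same object for a session whose commands arrive on a different TCP connection than the one that created it (how the member is kept in sync is outside this diff), and the `Authorization:` header being verified belongs to the connection that carried this request. Use the parameter for consistency: `if (!ourClientConnection->authenticationOK("SET_PARAMETER", "", fullRequestStr)) return;`. Presumably authenticationOK() also writes the 401 response (its body is not in this diff); otherwise the early return leaves the request unanswered. The enclosing function ends outside this hunk.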
@@ -262,11 +262,11 @@ char const* urlPreSuffix, char const* urlSuffix, char const* fullRequestStr); virtual void handleCmd_TEARDOWN(RTSPClientConnection* ourClientConnection, - ServerMediaSubsession* subsession); + ServerMediaSubsession* subsession, char const* fullRequestStr); virtual void handleCmd_PLAY(RTSPClientConnection* ourClientConnection, ServerMediaSubsession* subsession, char const* fullRequestStr); virtual void handleCmd_PAUSE(RTSPClientConnection* ourClientConnection, - ServerMediaSubsession* subsession); + ServerMediaSubsession* subsession, char const* fullRequestStr); virtual void handleCmd_GET_PARAMETER(RTSPClientConnection* ourClientConnection, ServerMediaSubsession* subsession, char const* fullRequestStr); virtual void handleCmd_SET_PARAMETER(RTSPClientConnection* ourClientConnection, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/live/liveMedia/include/liveMedia_version.hh new/live/liveMedia/include/liveMedia_version.hh --- old/live/liveMedia/include/liveMedia_version.hh 2026-03-23 06:13:40.000000000 +0100 +++ new/live/liveMedia/include/liveMedia_version.hh 2026-04-22 22:34:43.000000000 +0200 @@ -19,8 +19,8 @@ #ifndef _LIVEMEDIA_VERSION_HH #define _LIVEMEDIA_VERSION_HH -#define LIVEMEDIA_LIBRARY_VERSION_STRING "2026.03.23" -#define LIVEMEDIA_LIBRARY_VERSION_INT 1774224000 +#define LIVEMEDIA_LIBRARY_VERSION_STRING "2026.04.22" +#define LIVEMEDIA_LIBRARY_VERSION_INT 1776816000 extern char const* const liveMediaLibraryVersionStr; extern int const liveMediaLibraryVersionInt;
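Review bot: Subclasses that override the virtual `handleCmd_TEARDOWN` or `handleCmd_PAUSE` against the old two-argument signature will, after this header change, merely hide the base function and never be called, so such a subclass silently loses its customization — including any extra checks it did — while the base handler runs instead. The bump of libliveMedia to 118 (visible in the spec and config changes) covers binary compatibility, but the source-level break deserves a note next to the declarations, e.g. `// NOTE: fullRequestStr was added in 2026.04.22 so these handlers can authenticate; overrides with the old signature no longer override`, so downstream code does not compile cleanly while behaving differently. The class declaration starts and ends outside this hunk.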
