pacho       14/06/12 17:42:47

  Added:                pulseaudio-5.0-crash-udp.patch
                        pulseaudio-5.0-module-switch.patch
  Log:
  Fix CVE-2014-3970 (#512516), bash-completion dir (#509486 by poncho) and 
apply a patch from upstream used in Fedora to fix the profiles switching.
  
  (Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key 
A188FBD4)

Revision  Changes    Path
1.1                  media-sound/pulseaudio/files/pulseaudio-5.0-crash-udp.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-5.0-crash-udp.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-5.0-crash-udp.patch?rev=1.1&content-type=text/plain

Index: pulseaudio-5.0-crash-udp.patch
===================================================================
>From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
From: Alexander E. Patrakov <[email protected]>
Date: Thu, 05 Jun 2014 16:29:25 +0000
Subject: rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)

On FIONREAD returning 0 bytes, we cannot return success, as the caller
(rtpoll_work_cb in module-rtp-recv.c) would then try to
pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
an assertion.

Also we have to read out the possible empty packet from the socket, so
that the kernel doesn't tell us again and again about it.

Signed-off-by: Alexander E. Patrakov <[email protected]>
---
diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
index 570737e..7b75e0e 100644
--- a/src/modules/rtp/rtp.c
+++ b/src/modules/rtp/rtp.c
@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, 
pa_mempool *pool, struct
         goto fail;
     }
 
-    if (size <= 0)
-        return 0;
+    if (size <= 0) {
+        /* size can be 0 due to any of the following reasons:
+         *
+         * 1. Somebody sent us a perfectly valid zero-length UDP packet.
+         * 2. Somebody sent us a UDP packet with a bad CRC.
+         *
+         * It is unknown whether size can actually be less than zero.
+         *
+         * In the first case, the packet has to be read out, otherwise the
+         * kernel will tell us again and again about it, thus preventing
+         * reception of any further packets. So let's just read it out
+         * now and discard it later, when comparing the number of bytes
+         * received (0) with the number of bytes wanted (1, see below).
+         *
+         * In the second case, recvmsg() will fail, thus allowing us to
+         * return the error.
+         *
+         * Just to avoid passing zero-sized memchunks and NULL pointers to
+         * recvmsg(), let's force allocation of at least one byte by setting
+         * size to 1.
+         */
+        size = 1;
+    }
 
     if (c->memchunk.length < (unsigned) size) {
         size_t l;
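
Review bot: The `if (size <= 0)` branch folds a negative `size` into the zero-length case, although the comment itself says it is unknown whether `size` can be less than zero; I would split it so that `size < 0` takes the existing `goto fail;` path and only `size == 0` gets `size = 1`. The fix also depends on the later comparison of bytes received (0) against bytes wanted (1) rejecting the packet, which is outside this hunk, so please confirm that path returns an error to `rtpoll_work_cb` and does not log at a level that a stream of empty datagrams could flood. Minor: case 2 in the comment says "bad CRC", while UDP carries a checksum.
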
--
cgit v0.9.0.2-2-gbebe



1.1                  
media-sound/pulseaudio/files/pulseaudio-5.0-module-switch.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-5.0-module-switch.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-5.0-module-switch.patch?rev=1.1&content-type=text/plain

Index: pulseaudio-5.0-module-switch.patch
===================================================================
>From ef4a41e8b0ef81a53769d853dbc7679b25252327 Mon Sep 17 00:00:00 2001
From: David Henningsson <[email protected]>
Date: Fri, 28 Mar 2014 11:59:09 +0100
Subject: [PATCH 36/38] module-switch-on-port-available: Don't switch profiles
 on uninitialized cards

This could cause the HDMI port to become the default on some systems
where analog output was available.

BugLink: https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1256511
BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=73375
Signed-off-by: David Henningsson <[email protected]>
---
 src/modules/module-switch-on-port-available.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/modules/module-switch-on-port-available.c 
b/src/modules/module-switch-on-port-available.c
index 2c7ad17..c560306 100644
--- a/src/modules/module-switch-on-port-available.c
+++ b/src/modules/module-switch-on-port-available.c
@@ -173,6 +173,11 @@ static pa_hook_result_t 
port_available_hook_callback(pa_core *c, pa_device_port
         return PA_HOOK_OK;
     }
 
+    if (pa_idxset_size(card->sinks) == 0 && pa_idxset_size(card->sources) == 0)
+        /* This card is not initialized yet. We'll handle it in
+           sink_new / source_new callbacks later. */
+        return PA_HOOK_OK;
+
     find_sink_and_source(card, port, &sink, &source);
 
     is_active_profile = card->active_profile == pa_hashmap_get(port->profiles, 
card->active_profile->name);
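
Review bot: The added check in `port_available_hook_callback` uses "no sinks and no sources" as a proxy for "card not initialized", so an initialized card that currently exposes neither would also return `PA_HOOK_OK` without switching. The comment should say why that case cannot occur or is acceptable, since it relies on `sink_new` / `source_new` callbacks that this hunk does not show. Style: the `if` body is a multi-line comment followed by `return PA_HOOK_OK;` with no braces; adding braces would keep a later statement placed under the comment from silently becoming the conditional body.
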
-- 
1.9.0




