[Pkg-pulseaudio-devel] r116 - in /pulseaudio/trunk/debian: ./ patches/

neurocyte-guest at users.alioth.debian.org neurocyte-guest at users.alioth.debian.org
Thu May 24 21:09:05 UTC 2007


Author: neurocyte-guest
Date: Thu May 24 21:09:05 2007
New Revision: 116

URL: http://svn.debian.org/wsvn/pkg-pulseaudio/?sc=1&rev=116
Log:
Backport fixes for DOS vulnerabilities

Added:
    pulseaudio/trunk/debian/patches/r1443-treat-empty-DISPLAY-identically-to-unset-DISPLAY.patch
    pulseaudio/trunk/debian/patches/r1445-fix-a-dos-vulnerability.patch
    pulseaudio/trunk/debian/patches/r1446-fix-another-dos-vulnerability.patch
    pulseaudio/trunk/debian/patches/r1448-fix-yet-another-dos-vulnerability.patch
    pulseaudio/trunk/debian/patches/r1450-fix-a-dos-with-allocating-overly-large-silence-buffers.patch
    pulseaudio/trunk/debian/patches/r1452-fix-another-dos-vulnerability.patch
Modified:
    pulseaudio/trunk/debian/changelog
    pulseaudio/trunk/debian/patches/series

Modified: pulseaudio/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-pulseaudio/pulseaudio/trunk/debian/changelog?rev=116&op=diff
==============================================================================
--- pulseaudio/trunk/debian/changelog (original)
+++ pulseaudio/trunk/debian/changelog Thu May 24 21:09:05 2007
@@ -23,8 +23,9 @@
   * debian/patch: r1434-dont-fail-if-hal-doesn-t-contain-any-devices
     + Added. Don't unload module-hal-detect if HAL doesn't report any devices.
              (Closes: #395893)
+  * debian/patches: Backport DOS attack fixes r1445-1450.
 
- -- CJ van den Berg <cj at vdbonline.com>  Wed, 23 May 2007 09:41:40 +0200
+ -- CJ van den Berg <cj at vdbonline.com>  Thu, 24 May 2007 19:16:36 +0200
 
 pulseaudio (0.9.5-7) unstable; urgency=low
 

Added: pulseaudio/trunk/debian/patches/r1443-treat-empty-DISPLAY-identically-to-unset-DISPLAY.patch
URL: http://svn.debian.org/wsvn/pkg-pulseaudio/pulseaudio/trunk/debian/patches/r1443-treat-empty-DISPLAY-identically-to-unset-DISPLAY.patch?rev=116&op=file
==============================================================================
--- pulseaudio/trunk/debian/patches/r1443-treat-empty-DISPLAY-identically-to-unset-DISPLAY.patch (added)
+++ pulseaudio/trunk/debian/patches/r1443-treat-empty-DISPLAY-identically-to-unset-DISPLAY.patch Thu May 24 21:09:05 2007
@@ -1,0 +1,23 @@
+Treat empty :0.0 identically to unset :0.0 when trying to find a PA server. (Closes #87)
+
+From: lennart <lennart at fefdeb5f-60dc-0310-8127-8f9354f1896f>
+
+git-svn-id: svn://svn.0pointer.net/pulseaudio/trunk@1443 fefdeb5f-60dc-0310-8127-8f9354f1896f
+---
+
+ src/pulse/client-conf-x11.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/pulse/client-conf-x11.c b/src/pulse/client-conf-x11.c
+index 8cedc48..ff145af 100644
+--- a/src/pulse/client-conf-x11.c
++++ b/src/pulse/client-conf-x11.c
+@@ -42,7 +42,7 @@ int pa_client_conf_from_x11(pa_client_conf *c, const char *dname) {
+     int ret = -1;
+     char t[1024];
+ 
+-    if (!dname && !getenv("DISPLAY"))
++    if (!dname && (!(dname = getenv("DISPLAY")) || *dname == '\0'))
+         goto finish;
+     
+     if (!(d = XOpenDisplay(dname))) {
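Review bot: An explicitly passed empty `dname` still bypasses the new empty-string test, because the whole condition is guarded by `!dname` and only the value taken from `getenv("DISPLAY")` is checked. If an empty argument should behave like an unset one, resolve the name first and test it once: `if (!dname) dname = getenv("DISPLAY");` followed by `if (!dname || !*dname) goto finish;`, which also removes the assignment buried inside the condition. The patch header reads "Treat empty :0.0 identically to unset :0.0", which looks like `$DISPLAY` having been expanded by a shell when the message was entered; the file name carries the intended wording. The body of pa_client_conf_from_x11 continues outside the hunk.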

Added: pulseaudio/trunk/debian/patches/r1445-fix-a-dos-vulnerability.patch
URL: http://svn.debian.org/wsvn/pkg-pulseaudio/pulseaudio/trunk/debian/patches/r1445-fix-a-dos-vulnerability.patch?rev=116&op=file
==============================================================================
--- pulseaudio/trunk/debian/patches/r1445-fix-a-dos-vulnerability.patch (added)
+++ pulseaudio/trunk/debian/patches/r1445-fix-a-dos-vulnerability.patch Thu May 24 21:09:05 2007
@@ -1,0 +1,23 @@
+fix a DoS vulnerability (re #67), originally identified by Luigi Auriemma
+
+From: lennart <lennart at fefdeb5f-60dc-0310-8127-8f9354f1896f>
+
+git-svn-id: svn://svn.0pointer.net/pulseaudio/trunk@1445 fefdeb5f-60dc-0310-8127-8f9354f1896f
+---
+
+ src/pulsecore/pstream.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/pulsecore/pstream.c b/src/pulsecore/pstream.c
+index 511972d..3660a71 100644
+--- a/src/pulsecore/pstream.c
++++ b/src/pulsecore/pstream.c
+@@ -585,7 +585,7 @@ static int do_read(pa_pstream *p) {
+ 
+         flags = ntohl(p->read.descriptor[PA_PSTREAM_DESCRIPTOR_FLAGS]);
+ 
+-        if (!p->import && (flags & PA_FLAG_SHMMASK) != 0) {
++        if (!p->use_shm && (flags & PA_FLAG_SHMMASK) != 0) {
+             pa_log_warn("Recieved SHM frame on a socket where SHM is disabled.");
+             return -1;
+         }
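Review bot: The reason for switching the guard from `p->import` to `p->use_shm` is not recorded next to the check, even though `flags` is read straight from the peer's descriptor and this line decides whether a peer-supplied SHM frame is accepted. A comment such as `/* flags comes from the peer; reject SHM frames unless SHM is enabled on this pstream */` would keep the condition from being reverted later. Whether `p->import` is guaranteed to be non-NULL whenever `use_shm` is set cannot be seen from this hunk and is worth confirming where SHM frames are processed further down in do_read. The log string also misspells "Received".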

Added: pulseaudio/trunk/debian/patches/r1446-fix-another-dos-vulnerability.patch
URL: http://svn.debian.org/wsvn/pkg-pulseaudio/pulseaudio/trunk/debian/patches/r1446-fix-another-dos-vulnerability.patch?rev=116&op=file
==============================================================================
--- pulseaudio/trunk/debian/patches/r1446-fix-another-dos-vulnerability.patch (added)
+++ pulseaudio/trunk/debian/patches/r1446-fix-another-dos-vulnerability.patch Thu May 24 21:09:05 2007
@@ -1,0 +1,25 @@
+Fix another DoS vulnerability, also identified Luigi Auriemma (closes #67)
+
+From: CJ van den Berg <cj at vdbonline.com>
+
+git-svn-id: svn://svn.0pointer.net/pulseaudio/trunk@1446 fefdeb5f-60dc-0310-8127-8f9354f1896f
+---
+
+ src/pulsecore/pstream.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pulsecore/pstream.c b/src/pulsecore/pstream.c
+index 3660a71..c3020df 100644
+--- a/src/pulsecore/pstream.c
++++ b/src/pulsecore/pstream.c
+@@ -614,8 +614,8 @@ static int do_read(pa_pstream *p) {
+         }
+ 
+         length = ntohl(p->read.descriptor[PA_PSTREAM_DESCRIPTOR_LENGTH]);
+-        
+-        if (length > FRAME_SIZE_MAX_ALLOW) {
++
++        if (length > FRAME_SIZE_MAX_ALLOW || length <= 0) {
+             pa_log_warn("Recieved invalid frame size : %lu", (unsigned long) length);
+             return -1;
+         }
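Review bot: `length <= 0` can only mean `length == 0` if `length` is unsigned, which the `ntohl()` source and the `(unsigned long)` cast in the log call suggest (its declaration is outside the hunk). Writing the test as `if (length == 0 || length > FRAME_SIZE_MAX_ALLOW) {` states the real bounds and avoids a type-limits warning. A short comment that the length comes from the peer's descriptor and that zero-length frames are rejected on purpose would document why both bounds exist. The message repeats the `Recieved` misspelling.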

Added: pulseaudio/trunk/debian/patches/r1448-fix-yet-another-dos-vulnerability.patch
URL: http://svn.debian.org/wsvn/pkg-pulseaudio/pulseaudio/trunk/debian/patches/r1448-fix-yet-another-dos-vulnerability.patch?rev=116&op=file
==============================================================================
--- pulseaudio/trunk/debian/patches/r1448-fix-yet-another-dos-vulnerability.patch (added)
+++ pulseaudio/trunk/debian/patches/r1448-fix-yet-another-dos-vulnerability.patch Thu May 24 21:09:05 2007
@@ -1,0 +1,24 @@
+Fix yet another DoS vulnerability, also identified Luigi Auriemma (re #67)
+
+From: lennart <lennart at fefdeb5f-60dc-0310-8127-8f9354f1896f>
+
+git-svn-id: svn://svn.0pointer.net/pulseaudio/trunk@1448 fefdeb5f-60dc-0310-8127-8f9354f1896f
+---
+
+ src/pulsecore/protocol-native.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/pulsecore/protocol-native.c b/src/pulsecore/protocol-native.c
+index 0f01507..da3aaa7 100644
+--- a/src/pulsecore/protocol-native.c
++++ b/src/pulsecore/protocol-native.c
+@@ -760,7 +760,8 @@ static void command_create_playback_stream(PA_GCC_UNUSED pa_pdispatch *pd, PA_GC
+     CHECK_VALIDITY(c->pstream, pa_cvolume_valid(&volume), tag, PA_ERR_INVALID);
+     CHECK_VALIDITY(c->pstream, map.channels == ss.channels && volume.channels == ss.channels, tag, PA_ERR_INVALID);
+     CHECK_VALIDITY(c->pstream, maxlength > 0 && maxlength <= MAX_MEMBLOCKQ_LENGTH, tag, PA_ERR_INVALID);
+-
++    CHECK_VALIDITY(c->pstream, maxlength >= pa_frame_size(&ss), tag, PA_ERR_INVALID);
++    
+     if (sink_index != PA_INVALID_INDEX) {
+         sink = pa_idxset_get_by_index(c->protocol->core->sinks, sink_index);
+         CHECK_VALIDITY(c->pstream, sink, tag, PA_ERR_NOENTITY);
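Review bot: Only `maxlength` in command_create_playback_stream gets the new lower bound; any other handler that accepts a client-supplied `maxlength` (a record-stream counterpart is not visible in this hunk) would need the same `maxlength >= pa_frame_size(&ss)` test to be covered. The check would also read more clearly folded into the existing range test, e.g. `CHECK_VALIDITY(c->pstream, maxlength >= pa_frame_size(&ss) && maxlength <= MAX_MEMBLOCKQ_LENGTH, tag, PA_ERR_INVALID);`, provided `ss` has already been validated so the frame size is non-zero. The replacement blank line carries trailing whitespace.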

Added: pulseaudio/trunk/debian/patches/r1450-fix-a-dos-with-allocating-overly-large-silence-buffers.patch
URL: http://svn.debian.org/wsvn/pkg-pulseaudio/pulseaudio/trunk/debian/patches/r1450-fix-a-dos-with-allocating-overly-large-silence-buffers.patch?rev=116&op=file
==============================================================================
--- pulseaudio/trunk/debian/patches/r1450-fix-a-dos-with-allocating-overly-large-silence-buffers.patch (added)
+++ pulseaudio/trunk/debian/patches/r1450-fix-a-dos-with-allocating-overly-large-silence-buffers.patch Thu May 24 21:09:05 2007
@@ -1,0 +1,40 @@
+Fix a DoS with allocating overly large silence buffers. (Identified by Luigi Auriemma (re #67)
+
+From: lennart <lennart at fefdeb5f-60dc-0310-8127-8f9354f1896f>
+
+git-svn-id: svn://svn.0pointer.net/pulseaudio/trunk@1450 fefdeb5f-60dc-0310-8127-8f9354f1896f
+---
+
+ src/pulsecore/sample-util.c |   12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+diff --git a/src/pulsecore/sample-util.c b/src/pulsecore/sample-util.c
+index a7a5ed8..17f9bda 100644
+--- a/src/pulsecore/sample-util.c
++++ b/src/pulsecore/sample-util.c
+@@ -35,13 +35,25 @@
+ #include "sample-util.h"
+ #include "endianmacros.h"
+ 
++#define PA_SILENCE_MAX (1024*1024*1)
++
+ pa_memblock *pa_silence_memblock_new(pa_mempool *pool, const pa_sample_spec *spec, size_t length) {
++    size_t fs;
+     assert(pool);
+     assert(spec);
+ 
+     if (length == 0)
+         length = pa_bytes_per_second(spec)/20; /* 50 ms */
+ 
++    if (length > PA_SILENCE_MAX)
++        length = PA_SILENCE_MAX;
++
++    fs = pa_frame_size(spec);
++    length = ((PA_SILENCE_MAX+fs-1) / fs) * fs;
++
++    if (length <= 0)
++        length = fs;
++    
+     return pa_silence_memblock(pa_memblock_new(pool, length), spec);
+ }
+ 
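Review bot: The rounding line `length = ((PA_SILENCE_MAX+fs-1) / fs) * fs;` uses the constant instead of `length`, so the requested size and the 50 ms default are both discarded and every call allocates roughly 1 MiB; the cap meant to limit memory use becomes the size of every silence block. It should round the clamped value, `length = ((length + fs - 1) / fs) * fs;`, or round down with `length = (length / fs) * fs;` if the result must never exceed `PA_SILENCE_MAX`. `length` is a `size_t`, so the following `length <= 0` is really `length == 0` and is clearer written that way. `pa_frame_size(spec)` is used as a divisor without a check; if an invalid spec can reach this function, `fs == 0` needs handling before the division.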

Added: pulseaudio/trunk/debian/patches/r1452-fix-another-dos-vulnerability.patch
URL: http://svn.debian.org/wsvn/pkg-pulseaudio/pulseaudio/trunk/debian/patches/r1452-fix-another-dos-vulnerability.patch?rev=116&op=file
==============================================================================
--- pulseaudio/trunk/debian/patches/r1452-fix-another-dos-vulnerability.patch (added)
+++ pulseaudio/trunk/debian/patches/r1452-fix-another-dos-vulnerability.patch Thu May 24 21:09:05 2007
@@ -1,0 +1,24 @@
+Fix another DoS vulnerability that has been identified by Luigi Auriemma. (Finally closes #67)
+
+From: lennart <lennart at fefdeb5f-60dc-0310-8127-8f9354f1896f>
+
+git-svn-id: svn://svn.0pointer.net/pulseaudio/trunk@1452 fefdeb5f-60dc-0310-8127-8f9354f1896f
+---
+
+ src/modules/rtp/sap.c |    3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+diff --git a/src/modules/rtp/sap.c b/src/modules/rtp/sap.c
+index 022c7fa..86ecff5 100644
+--- a/src/modules/rtp/sap.c
++++ b/src/modules/rtp/sap.c
+@@ -142,9 +142,6 @@ int pa_sap_recv(pa_sap_context *c, int *goodbye) {
+         goto fail;
+     }
+ 
+-    if (!size)
+-        return 0;
+-
+     buf = pa_xnew(char, size+1);
+     buf[size] = 0;
+     

Modified: pulseaudio/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-pulseaudio/pulseaudio/trunk/debian/patches/series?rev=116&op=diff
==============================================================================
--- pulseaudio/trunk/debian/patches/series (original)
+++ pulseaudio/trunk/debian/patches/series Thu May 24 21:09:05 2007
@@ -17,3 +17,9 @@
 r1433-handle-suspended-alsa-devices.patch
 r1434-dont-fail-if-hal-doesn-t-contain-any-devices.patch
 r1437-add-support-for-SNDCTL_DSP_SETTRIGGER.patch
+r1443-treat-empty-DISPLAY-identically-to-unset-DISPLAY.patch
+r1445-fix-a-dos-vulnerability.patch
+r1446-fix-another-dos-vulnerability.patch
+r1448-fix-yet-another-dos-vulnerability.patch
+r1450-fix-a-dos-with-allocating-overly-large-silence-buffers.patch
+r1452-fix-another-dos-vulnerability.patch



