[pulseaudio] 01/01: Add patch to fix CVE-2014-397

Felipe Sateler fsateler at moszumanska.debian.org
Fri Jun 6 23:25:51 UTC 2014 

This is an automated email from the git hooks/post-receive script.

fsateler pushed a commit to branch master
in repository pulseaudio.

commit 18d941b4a2a8c9053e6551e834ab566d5b50b7d6
Author: Felipe Sateler <fsateler at debian.org>
Date:   Fri Jun 6 19:25:42 2014 -0400

    Add patch to fix CVE-2014-397
    
    * debian/patches/rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch
       - New patch from upstream, fixes crash on empty UDP packets.
         Fixes CVE-2014-397
---
 debian/changelog                                   |  3 ++
 ...x-crash-on-empty-UDP-packets-CVE-2014-397.patch | 57 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 61 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2127a38..0ca2c13 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -23,6 +23,9 @@ pulseaudio (5.0-3) UNRELEASED; urgency=medium
   * debian/patches/only-autostart-kde-version.patch:
      - Do not autostart pulseaudio twice under KDE, it sometimes leads
        to slow system startup. Closes: #705426
+  * debian/patches/rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch
+     - New patch from upstream, fixes crash on empty UDP packets.
+       Fixes CVE-2014-397
 
   [ Jelmer Vernooij ]
   * Disable building against tdb on the hurd, where it is not available.
diff --git a/debian/patches/rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch b/debian/patches/rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch
new file mode 100644
index 0000000..073e663
--- /dev/null
+++ b/debian/patches/rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch
@@ -0,0 +1,57 @@
+From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
+From: "Alexander E. Patrakov" <patrakov at gmail.com>
+Date: Thu, 5 Jun 2014 22:29:25 +0600
+Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
+
+On FIONREAD returning 0 bytes, we cannot return success, as the caller
+(rtpoll_work_cb in module-rtp-recv.c) would then try to
+pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
+an assertion.
+
+Also we have to read out the possible empty packet from the socket, so
+that the kernel doesn't tell us again and again about it.
+
+Signed-off-by: Alexander E. Patrakov <patrakov at gmail.com>
+---
+ src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
+index 570737e..7b75e0e 100644
+--- a/src/modules/rtp/rtp.c
++++ b/src/modules/rtp/rtp.c
+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
+         goto fail;
+     }
+ 
+-    if (size <= 0)
+-        return 0;
++    if (size <= 0) {
++        /* size can be 0 due to any of the following reasons:
++         *
++         * 1. Somebody sent us a perfectly valid zero-length UDP packet.
++         * 2. Somebody sent us a UDP packet with a bad CRC.
++         *
++         * It is unknown whether size can actually be less than zero.
++         *
++         * In the first case, the packet has to be read out, otherwise the
++         * kernel will tell us again and again about it, thus preventing
++         * reception of any further packets. So let's just read it out
++         * now and discard it later, when comparing the number of bytes
++         * received (0) with the number of bytes wanted (1, see below).
++         *
++         * In the second case, recvmsg() will fail, thus allowing us to
++         * return the error.
++         *
++         * Just to avoid passing zero-sized memchunks and NULL pointers to
++         * recvmsg(), let's force allocation of at least one byte by setting
++         * size to 1.
++         */
++        size = 1;
++    }
+ 
+     if (c->memchunk.length < (unsigned) size) {
+         size_t l;
+-- 
+2.0.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 0e3ae57..e1ee714 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@
 kfreebsd_no_lock_and_threads_synchro.patch
 asus-P5K-SE-udev-rules.patch
 only-autostart-kde-version.patch
+rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-pulseaudio/pulseaudio.git

More information about the pkg-pulseaudio-devel mailing list