Red Hat Bugzilla – Attachment 902932 Details for Bug 1104835
CVE-2014-3970 pulseaudio: denial of service in module-rtp-recv
[patch] possible patch
0001-Fix-for-CVE-2014-3970.patch (text/plain), 4.40 KB, created by Wim Taymans on 2014-06-06 13:17:17 UTC
>From b1843d17b21979abd407667942fe8bf4f1470dce Mon Sep 17 00:00:00 2001 >From: Wim Taymans <wtaymans@redhat.com> >Date: Fri, 6 Jun 2014 15:05:30 +0200 >Subject: [PATCH] Fix for CVE-2014-3970 > >--- > ...x-crash-on-empty-UDP-packets-CVE-2014-397.patch | 57 ++++++++++++++++++++++ > pulseaudio.spec | 7 ++- > 2 files changed, 63 insertions(+), 1 deletion(-) > create mode 100644 0001-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch > >diff --git a/0001-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch b/0001-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch >new file mode 100644 >index 0000000..da83785 >--- /dev/null >+++ b/0001-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch 
>@@ -0,0 +1,57 @@ >+From 3eebd8e912904969be3faf2624cf15cde306a37c Mon Sep 17 00:00:00 2001 >+From: "Alexander E. Patrakov" <patrakov@gmail.com> >+Date: Thu, 5 Jun 2014 22:29:25 +0600 >+Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970) >+ >+On FIONREAD returning 0 bytes, we cannot return success, as the caller >+(rtpoll_work_cb in module-rtp-recv.c) would then try to >+pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger >+an assertion. >+ >+Also we have to read out the possible empty packet from the socket, so >+that the kernel doesn't tell us again and again about it. >+ >+Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com> >+--- >+ src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++-- >+ 1 file changed, 23 insertions(+), 2 deletions(-) >+ >+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c >+index 570737e..7b75e0e 100644 >+--- a/src/modules/rtp/rtp.c >++++ b/src/modules/rtp/rtp.c >+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct >+ goto fail; >+ } >+ >+- if (size <= 0) >+- return 0; >++ if (size <= 0) { >++ /* size can be 0 due to any of the following reasons: >++ * >++ * 1. Somebody sent us a perfectly valid zero-length UDP packet. >++ * 2. Somebody sent us a UDP packet with a bad CRC. >++ * >++ * It is unknown whether size can actually be less than zero. >++ * >++ * In the first case, the packet has to be read out, otherwise the >++ * kernel will tell us again and again about it, thus preventing >++ * reception of any further packets. So let's just read it out >++ * now and discard it later, when comparing the number of bytes >++ * received (0) with the number of bytes wanted (1, see below). >++ * >++ * In the second case, recvmsg() will fail, thus allowing us to >++ * return the error. >++ * >++ * Just to avoid passing zero-sized memchunks and NULL pointers to >++ * recvmsg(), let's force allocation of at least one byte by setting >++ * size to 1. 
>++ */ >++ size = 1; >++ } >+ >+ if (c->memchunk.length < (unsigned) size) { >+ size_t l; >+-- >+1.9.3 >+ >diff --git a/pulseaudio.spec b/pulseaudio.spec >index 49e387a..1f145f2 100644 >--- a/pulseaudio.spec >+++ b/pulseaudio.spec >@@ -15,7 +15,7 @@ > Name: pulseaudio > Summary: Improved Linux Sound Server > Version: %{pa_major}%{?pa_minor:.%{pa_minor}} >-Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist} >+Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist} > License: LGPLv2+ > URL: http://www.freedesktop.org/wiki/Software/PulseAudio > %if 0%{?gitrel} >@@ -37,6 +37,7 @@ Patch2: pulseaudio-4.0-kde_autostart_phase.patch > # https://bugzilla.redhat.com/show_bug.cgi?id=1035025 > # https://bugs.freedesktop.org/show_bug.cgi?id=73375 > Patch136: 0036-module-switch-on-port-available-Don-t-switch-profile.patch >+Patch137: 0001-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch > > BuildRequires: m4 > BuildRequires: libtool-ltdl-devel >@@ -222,6 +223,7 @@ This package contains GDM integration hooks for the PulseAudio sound server. > %patch2 -p1 -b .kde_autostart_phase > > %patch136 -p1 -b .0036 >+%patch137 -p1 -b .0137 > > sed -i.no_consolekit -e \ > 's/^load-module module-console-kit/#load-module module-console-kit/' \ >@@ -534,6 +536,9 @@ exit 0 > %attr(0600, gdm, gdm) %{_localstatedir}/lib/gdm/.pulse/default.pa > > %changelog >+* Fri Jun 6 2014 Wim Taymans <wtaymans@redhat.com> - 5.0-5 >+- Fix for CVE-2014-3970 >+ > * Tue May 13 2014 Dan Horák <dan[at]danny.cz> 5.0-4 > - always run tests, but don't fail the build on big endian arches (relates #1067470) > >-- >1.9.3 >
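Review bot: In the src/modules/rtp/rtp.c hunk of the embedded upstream patch, the new "if (size <= 0)" branch in pa_rtp_recv forces a negative size to 1 and handles it like an empty datagram, even though the added comment says it is unknown whether size can be less than zero. Consider splitting the cases: take the existing "goto fail" path for size < 0 and keep "size = 1" only for size == 0. The discard of the empty packet also relies on the bytes-received versus bytes-wanted comparison further down, which is outside this hunk; confirm that it returns failure rather than success, because per the commit message a success return with a NULL chunk.memblock is what makes rtpoll_work_cb hit the pa_memblock_unref assertion. Minor wording point in the comment: UDP carries a checksum, not a CRC.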
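Review bot: In the pulseaudio.spec hunk at "@@ -37,6 +37,7 @@", the new Patch137 line has no comment above it, while Patch136 directly before it is preceded by the bug tracker URLs it relates to. Add a comment line pointing at bug 1104835 (CVE-2014-3970) above Patch137 so the origin of the patch can be found from the spec file alone.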
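Review bot: In the pulseaudio.spec hunk at "@@ -222,6 +223,7 @@", the backup suffix in "%patch137 -p1 -b .0137" does not follow the pattern of the line above it, where "%patch136 -p1 -b .0036" reuses the 0036 prefix of the patch file name. The new patch file is named 0001-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch, so a suffix tied to that name or to the CVE would keep the backup files easier to map back to their patches.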
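Review bot: In the %changelog hunk at "@@ -534,6 +536,9 @@", the new entry "- Fix for CVE-2014-3970" names neither the bug number nor the affected component, whereas the entry below it carries "(relates #1067470)". Suggest something like "- rtp-recv: fix crash on empty UDP packets (CVE-2014-3970, #1104835)", which reuses the upstream subject line and the bug number of this report.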