diff options
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch | 52 | ||||
| -rw-r--r-- | meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb | 4 |
2 files changed, 55 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch new file mode 100644 index 0000000000..d5f33dc42e --- /dev/null +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | Upstream-Status: Backport | ||
| 2 | |||
| 3 | commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream | ||
| 4 | |||
| 5 | rtp-recv: fix crash on empty UDP packets (CVE-2014-3970) | ||
| 6 | |||
| 7 | On FIONREAD returning 0 bytes, we cannot return success, as the caller | ||
| 8 | (rtpoll_work_cb in module-rtp-recv.c) would then try to | ||
| 9 | pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger | ||
| 10 | an assertion. | ||
| 11 | |||
| 12 | Also we have to read out the possible empty packet from the socket, so | ||
| 13 | that the kernel doesn't tell us again and again about it. | ||
| 14 | |||
| 15 | Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com> | ||
| 16 | |||
| 17 | diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c | ||
| 18 | index 9195493..c45981e 100644 | ||
| 19 | --- a/src/modules/rtp/rtp.c | ||
| 20 | +++ b/src/modules/rtp/rtp.c | ||
| 21 | @@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct | ||
| 22 | goto fail; | ||
| 23 | } | ||
| 24 | |||
| 25 | - if (size <= 0) | ||
| 26 | - return 0; | ||
| 27 | + if (size <= 0) { | ||
| 28 | + /* size can be 0 due to any of the following reasons: | ||
| 29 | + * | ||
| 30 | + * 1. Somebody sent us a perfectly valid zero-length UDP packet. | ||
| 31 | + * 2. Somebody sent us a UDP packet with a bad CRC. | ||
| 32 | + * | ||
| 33 | + * It is unknown whether size can actually be less than zero. | ||
| 34 | + * | ||
| 35 | + * In the first case, the packet has to be read out, otherwise the | ||
| 36 | + * kernel will tell us again and again about it, thus preventing | ||
| 37 | + * reception of any further packets. So let's just read it out | ||
| 38 | + * now and discard it later, when comparing the number of bytes | ||
| 39 | + * received (0) with the number of bytes wanted (1, see below). | ||
| 40 | + * | ||
| 41 | + * In the second case, recvmsg() will fail, thus allowing us to | ||
| 42 | + * return the error. | ||
| 43 | + * | ||
| 44 | + * Just to avoid passing zero-sized memchunks and NULL pointers to | ||
| 45 | + * recvmsg(), let's force allocation of at least one byte by setting | ||
| 46 | + * size to 1. | ||
| 47 | + */ | ||
| 48 | + size = 1; | ||
| 49 | + } | ||
| 50 | |||
| 51 | if (c->memchunk.length < (unsigned) size) { | ||
| 52 | size_t l; | ||
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb index 8d8c421179..99f0ef3a46 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb | |||
| @@ -2,7 +2,9 @@ require pulseaudio.inc | |||
| 2 | 2 | ||
| 3 | SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \ | 3 | SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \ |
| 4 | file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \ | 4 | file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \ |
| 5 | file://volatiles.04_pulse" | 5 | file://volatiles.04_pulse \ |
| 6 | file://CVE-2014-3970.patch \ | ||
| 7 | " | ||
| 6 | SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e" | 8 | SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e" |
| 7 | SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939" | 9 | SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939" |
| 8 | 10 | ||