From 1d1efa6c6a4911ac20e1e3c4fdf0ecb2afb6f54a Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 24 Oct 2014 03:39:34 -0400 Subject: [PATCH] gnu: pulseaudio: Fix CVE-2014-3970 and intermittent test failures. * gnu/packages/patches/pulseaudio-CVE-2014-397.patch: New file. * gnu/packages/patches/pulseaudio-fix-mult-test.patch: New file. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/pulseaudio.scm (pulseaudio): Add patches. --- gnu-system.am | 2 + .../patches/pulseaudio-CVE-2014-3970.patch | 57 +++++++++++++++++++ .../patches/pulseaudio-fix-mult-test.patch | 16 ++++++ gnu/packages/pulseaudio.scm | 4 +- 4 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/pulseaudio-CVE-2014-3970.patch create mode 100644 gnu/packages/patches/pulseaudio-fix-mult-test.patch diff --git a/gnu-system.am b/gnu-system.am index e0484d4abc..54b6a782fa 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -395,6 +395,8 @@ dist_patch_DATA = \ gnu/packages/patches/pingus-sdl-libs-config.patch \ gnu/packages/patches/plotutils-libpng-jmpbuf.patch \ gnu/packages/patches/procps-make-3.82.patch \ + gnu/packages/patches/pulseaudio-CVE-2014-3970.patch \ + gnu/packages/patches/pulseaudio-fix-mult-test.patch \ gnu/packages/patches/pybugz-encode-error.patch \ gnu/packages/patches/pybugz-stty.patch \ gnu/packages/patches/python-fix-tests.patch \ diff --git a/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch b/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch new file mode 100644 index 0000000000..073e663112 --- /dev/null +++ b/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch @@ -0,0 +1,57 @@ +From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001 +From: "Alexander E. Patrakov" +Date: Thu, 5 Jun 2014 22:29:25 +0600 +Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970) + +On FIONREAD returning 0 bytes, we cannot return success, as the caller +(rtpoll_work_cb in module-rtp-recv.c) would then try to +pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger +an assertion. + +Also we have to read out the possible empty packet from the socket, so +that the kernel doesn't tell us again and again about it. + +Signed-off-by: Alexander E. Patrakov +--- + src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c +index 570737e..7b75e0e 100644 +--- a/src/modules/rtp/rtp.c ++++ b/src/modules/rtp/rtp.c +@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct + goto fail; + } + +- if (size <= 0) +- return 0; ++ if (size <= 0) { ++ /* size can be 0 due to any of the following reasons: ++ * ++ * 1. Somebody sent us a perfectly valid zero-length UDP packet. ++ * 2. Somebody sent us a UDP packet with a bad CRC. ++ * ++ * It is unknown whether size can actually be less than zero. ++ * ++ * In the first case, the packet has to be read out, otherwise the ++ * kernel will tell us again and again about it, thus preventing ++ * reception of any further packets. So let's just read it out ++ * now and discard it later, when comparing the number of bytes ++ * received (0) with the number of bytes wanted (1, see below). ++ * ++ * In the second case, recvmsg() will fail, thus allowing us to ++ * return the error. ++ * ++ * Just to avoid passing zero-sized memchunks and NULL pointers to ++ * recvmsg(), let's force allocation of at least one byte by setting ++ * size to 1. ++ */ ++ size = 1; ++ } + + if (c->memchunk.length < (unsigned) size) { + size_t l; +-- +2.0.0 + diff --git a/gnu/packages/patches/pulseaudio-fix-mult-test.patch b/gnu/packages/patches/pulseaudio-fix-mult-test.patch new file mode 100644 index 0000000000..7b249645ad --- /dev/null +++ b/gnu/packages/patches/pulseaudio-fix-mult-test.patch @@ -0,0 +1,16 @@ +Avoid signed overflow during mult-s16-test which intermittently +failed. + +Patch by Mark H Weaver . + +--- pulseaudio-5.0/src/tests/mult-s16-test.c.orig 2014-01-23 13:57:55.000000000 -0500 ++++ pulseaudio-5.0/src/tests/mult-s16-test.c 2014-10-24 03:13:46.464661815 -0400 +@@ -55,7 +55,7 @@ + START_TEST (mult_s16_test) { + int16_t samples[SAMPLES]; + int32_t volumes[SAMPLES]; +- int32_t sum1 = 0, sum2 = 0; ++ uint32_t sum1 = 0, sum2 = 0; + int i; + + pa_random(samples, sizeof(samples)); diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm index 63f343dc37..61e0d029f5 100644 --- a/gnu/packages/pulseaudio.scm +++ b/gnu/packages/pulseaudio.scm @@ -127,7 +127,9 @@ rates. ") ;; anyway. '(substitute* "src/daemon/default.pa.in" (("load-module module-console-kit" all) - (string-append "#" all "\n")))))) + (string-append "#" all "\n")))) + (patches (list (search-patch "pulseaudio-fix-mult-test.patch") + (search-patch "pulseaudio-CVE-2014-3970.patch"))))) (build-system gnu-build-system) (arguments `(#:configure-flags '("--localstatedir=/var" ;"--sysconfdir=/etc"