mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-11-07 07:26:13 -05:00
gnu: pulseaudio: Fix CVE-2014-3970 and intermittent test failures.
* gnu/packages/patches/pulseaudio-CVE-2014-397.patch: New file. * gnu/packages/patches/pulseaudio-fix-mult-test.patch: New file. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/pulseaudio.scm (pulseaudio): Add patches.
This commit is contained in:
Mark H Weaver
parent
16755848fc
commit
1d1efa6c6a
4 changed files with 78 additions and 1 deletions
|
|
@ -395,6 +395,8 @@ dist_patch_DATA = \
|
||||||
gnu/packages/patches/pingus-sdl-libs-config.patch \
|
gnu/packages/patches/pingus-sdl-libs-config.patch \
|
||||||
gnu/packages/patches/plotutils-libpng-jmpbuf.patch \
|
gnu/packages/patches/plotutils-libpng-jmpbuf.patch \
|
||||||
gnu/packages/patches/procps-make-3.82.patch \
|
gnu/packages/patches/procps-make-3.82.patch \
|
||||||
|
gnu/packages/patches/pulseaudio-CVE-2014-3970.patch \
|
||||||
|
gnu/packages/patches/pulseaudio-fix-mult-test.patch \
|
||||||
gnu/packages/patches/pybugz-encode-error.patch \
|
gnu/packages/patches/pybugz-encode-error.patch \
|
||||||
gnu/packages/patches/pybugz-stty.patch \
|
gnu/packages/patches/pybugz-stty.patch \
|
||||||
gnu/packages/patches/python-fix-tests.patch \
|
gnu/packages/patches/python-fix-tests.patch \
|
||||||
|
|
|
||||||
57
gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
Normal file
57
gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
Normal file
|
|
@ -0,0 +1,57 @@
|
||||||
|
From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Alexander E. Patrakov" <patrakov@gmail.com>
|
||||||
|
Date: Thu, 5 Jun 2014 22:29:25 +0600
|
||||||
|
Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
|
||||||
|
|
||||||
|
On FIONREAD returning 0 bytes, we cannot return success, as the caller
|
||||||
|
(rtpoll_work_cb in module-rtp-recv.c) would then try to
|
||||||
|
pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
|
||||||
|
an assertion.
|
||||||
|
|
||||||
|
Also we have to read out the possible empty packet from the socket, so
|
||||||
|
that the kernel doesn't tell us again and again about it.
|
||||||
|
|
||||||
|
Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
|
||||||
|
---
|
||||||
|
src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
|
||||||
|
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
|
||||||
|
index 570737e..7b75e0e 100644
|
||||||
|
--- a/src/modules/rtp/rtp.c
|
||||||
|
+++ b/src/modules/rtp/rtp.c
|
||||||
|
@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (size <= 0)
|
||||||
|
- return 0;
|
||||||
|
+ if (size <= 0) {
|
||||||
|
+ /* size can be 0 due to any of the following reasons:
|
||||||
|
+ *
|
||||||
|
+ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
|
||||||
|
+ * 2. Somebody sent us a UDP packet with a bad CRC.
|
||||||
|
+ *
|
||||||
|
+ * It is unknown whether size can actually be less than zero.
|
||||||
|
+ *
|
||||||
|
+ * In the first case, the packet has to be read out, otherwise the
|
||||||
|
+ * kernel will tell us again and again about it, thus preventing
|
||||||
|
+ * reception of any further packets. So let's just read it out
|
||||||
|
+ * now and discard it later, when comparing the number of bytes
|
||||||
|
+ * received (0) with the number of bytes wanted (1, see below).
|
||||||
|
+ *
|
||||||
|
+ * In the second case, recvmsg() will fail, thus allowing us to
|
||||||
|
+ * return the error.
|
||||||
|
+ *
|
||||||
|
+ * Just to avoid passing zero-sized memchunks and NULL pointers to
|
||||||
|
+ * recvmsg(), let's force allocation of at least one byte by setting
|
||||||
|
+ * size to 1.
|
||||||
|
+ */
|
||||||
|
+ size = 1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (c->memchunk.length < (unsigned) size) {
|
||||||
|
size_t l;
|
||||||
|
--
|
||||||
|
2.0.0
|
||||||
|
|
||||||
16
gnu/packages/patches/pulseaudio-fix-mult-test.patch
Normal file
16
gnu/packages/patches/pulseaudio-fix-mult-test.patch
Normal file
|
|
@ -0,0 +1,16 @@
|
||||||
|
Avoid signed overflow during mult-s16-test which intermittently
|
||||||
|
failed.
|
||||||
|
|
||||||
|
Patch by Mark H Weaver <mhw@netris.org>.
|
||||||
|
|
||||||
|
--- pulseaudio-5.0/src/tests/mult-s16-test.c.orig 2014-01-23 13:57:55.000000000 -0500
|
||||||
|
+++ pulseaudio-5.0/src/tests/mult-s16-test.c 2014-10-24 03:13:46.464661815 -0400
|
||||||
|
@@ -55,7 +55,7 @@
|
||||||
|
START_TEST (mult_s16_test) {
|
||||||
|
int16_t samples[SAMPLES];
|
||||||
|
int32_t volumes[SAMPLES];
|
||||||
|
- int32_t sum1 = 0, sum2 = 0;
|
||||||
|
+ uint32_t sum1 = 0, sum2 = 0;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
pa_random(samples, sizeof(samples));
|
||||||
|
|
@ -127,7 +127,9 @@ (define pulseaudio
|
||||||
;; anyway.
|
;; anyway.
|
||||||
'(substitute* "src/daemon/default.pa.in"
|
'(substitute* "src/daemon/default.pa.in"
|
||||||
(("load-module module-console-kit" all)
|
(("load-module module-console-kit" all)
|
||||||
(string-append "#" all "\n"))))))
|
(string-append "#" all "\n"))))
|
||||||
|
(patches (list (search-patch "pulseaudio-fix-mult-test.patch")
|
||||||
|
(search-patch "pulseaudio-CVE-2014-3970.patch")))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(arguments
|
(arguments
|
||||||
`(#:configure-flags '("--localstatedir=/var" ;"--sysconfdir=/etc"
|
`(#:configure-flags '("--localstatedir=/var" ;"--sysconfdir=/etc"
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue