5.0-6

- rtp-recv: fix crash on empty UDP packets (CVE-2014-3970,#1104835,#1108011) - name HDMI outputs uniquely
2014-07-07 14:24:47 -05:00 · 2014-07-07 14:24:47 -05:00 · 5b666c003a
commit 5b666c003a
parent b31c2369e3
3 changed files with 154 additions and 11 deletions
--- a/0039-Name-HDMI-outputs-uniquely.patch
+++ b/0039-Name-HDMI-outputs-uniquely.patch
@ -0,0 +1,77 @@
+From a5ba31bf9627b6c7d7f5e03cdccff2d52fa3299d Mon Sep 17 00:00:00 2001
+From: "Alexander E. Patrakov" <patrakov@gmail.com>
+Date: Thu, 10 Apr 2014 21:13:43 +0600
+Subject: [PATCH 039/156] Name HDMI outputs uniquely
+
+On Haswell hardware, there are multiple HDMI outputs capable of
+digital sound output. As they were identically named, KDE's control
+center was unable to distinguish them, restored the wrong profile and
+thus routed sound to the wrong HDMI monitor.
+
+Also, having identically-named menu items in other mixer applications
+looks like a bug.
+---
+ src/modules/alsa/mixer/profile-sets/extra-hdmi.conf | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/modules/alsa/mixer/profile-sets/extra-hdmi.conf b/src/modules/alsa/mixer/profile-sets/extra-hdmi.conf
+index 96652f8..191a652 100644
+--- a/src/modules/alsa/mixer/profile-sets/extra-hdmi.conf
+++ b/src/modules/alsa/mixer/profile-sets/extra-hdmi.conf
+@@ -116,7 +116,7 @@ priority = 3
+ direction = output
+ 
+ [Mapping hdmi-stereo-extra1]
+-description = Digital Stereo (HDMI)
+description = Digital Stereo (HDMI 2)
+ device-strings = hdmi:%f,1
+ paths-output = hdmi-output-1
+ channel-map = left,right
+@@ -124,7 +124,7 @@ priority = 2
+ direction = output
+ 
+ [Mapping hdmi-surround-extra1]
+-description = Digital Surround 5.1 (HDMI)
+description = Digital Surround 5.1 (HDMI 2)
+ device-strings = hdmi:%f,1
+ paths-output = hdmi-output-1
+ channel-map = front-left,front-right,rear-left,rear-right,front-center,lfe
+@@ -132,7 +132,7 @@ priority = 1
+ direction = output
+ 
+ [Mapping hdmi-stereo-extra2]
+-description = Digital Stereo (HDMI)
+description = Digital Stereo (HDMI 3)
+ device-strings = hdmi:%f,2
+ paths-output = hdmi-output-2
+ channel-map = left,right
+@@ -140,7 +140,7 @@ priority = 2
+ direction = output
+ 
+ [Mapping hdmi-surround-extra2]
+-description = Digital Surround 5.1 (HDMI)
+description = Digital Surround 5.1 (HDMI 3)
+ device-strings = hdmi:%f,2
+ paths-output = hdmi-output-2
+ channel-map = front-left,front-right,rear-left,rear-right,front-center,lfe
+@@ -148,7 +148,7 @@ priority = 1
+ direction = output
+ 
+ [Mapping hdmi-stereo-extra3]
+-description = Digital Stereo (HDMI)
+description = Digital Stereo (HDMI 4)
+ device-strings = hdmi:%f,3
+ paths-output = hdmi-output-3
+ channel-map = left,right
+@@ -156,7 +156,7 @@ priority = 2
+ direction = output
+ 
+ [Mapping hdmi-surround-extra3]
+-description = Digital Surround 5.1 (HDMI)
+description = Digital Surround 5.1 (HDMI 4)
+ device-strings = hdmi:%f,3
+ paths-output = hdmi-output-3
+ channel-map = front-left,front-right,rear-left,rear-right,front-center,lfe
+-- 
+1.9.3
+
--- a/0112-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch
+++ b/0112-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch
@ -0,0 +1,58 @@
+From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
+From: "Alexander E. Patrakov" <patrakov@gmail.com>
+Date: Thu, 5 Jun 2014 22:29:25 +0600
+Subject: [PATCH 112/156] rtp-recv: fix crash on empty UDP packets
+ (CVE-2014-3970)
+
+On FIONREAD returning 0 bytes, we cannot return success, as the caller
+(rtpoll_work_cb in module-rtp-recv.c) would then try to
+pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
+an assertion.
+
+Also we have to read out the possible empty packet from the socket, so
+that the kernel doesn't tell us again and again about it.
+
+Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
+---
+ src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
+index 570737e..7b75e0e 100644
+--- a/src/modules/rtp/rtp.c
+++ b/src/modules/rtp/rtp.c
+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
+         goto fail;
+     }
+ 
+-    if (size <= 0)
+-        return 0;
+    if (size <= 0) {
+        /* size can be 0 due to any of the following reasons:
+         *
+         * 1. Somebody sent us a perfectly valid zero-length UDP packet.
+         * 2. Somebody sent us a UDP packet with a bad CRC.
+         *
+         * It is unknown whether size can actually be less than zero.
+         *
+         * In the first case, the packet has to be read out, otherwise the
+         * kernel will tell us again and again about it, thus preventing
+         * reception of any further packets. So let's just read it out
+         * now and discard it later, when comparing the number of bytes
+         * received (0) with the number of bytes wanted (1, see below).
+         *
+         * In the second case, recvmsg() will fail, thus allowing us to
+         * return the error.
+         *
+         * Just to avoid passing zero-sized memchunks and NULL pointers to
+         * recvmsg(), let's force allocation of at least one byte by setting
+         * size to 1.
+         */
+        size = 1;
+    }
+ 
+     if (c->memchunk.length < (unsigned) size) {
+         size_t l;
+-- 
+1.9.3
+
--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@ -15,7 +15,7 @@
 Name:           pulseaudio
 Summary:        Improved Linux Sound Server
 Version:        %{pa_major}%{?pa_minor:.%{pa_minor}}
-Release:        5%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        6%{?gitcommit:.git%{shortcommit}}%{?dist}
 License:        LGPLv2+
 URL:            http://www.freedesktop.org/wiki/Software/PulseAudio
 %if 0%{?gitrel}
@ -27,16 +27,18 @@ Source0:        http://freedesktop.org/software/pulseaudio/releases/pulseaudio-%
 %endif
 Source1:        default.pa-for-gdm

-## upstreamable patches
-# simplify and ship only 1 autostart file
-Patch1: pulseaudio-x11_device_manager.patch
-# set X-KDE-autostart-phase=1
-Patch2: pulseaudio-4.0-kde_autostart_phase.patch
-
 ## upstream patches
 # https://bugzilla.redhat.com/show_bug.cgi?id=1035025
 # https://bugs.freedesktop.org/show_bug.cgi?id=73375
-Patch136: 0036-module-switch-on-port-available-Don-t-switch-profile.patch
+Patch036: 0036-module-switch-on-port-available-Don-t-switch-profile.patch
+Patch039: 0039-Name-HDMI-outputs-uniquely.patch
+Patch112: 0112-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch
+
+## upstreamable patches
+# simplify and ship only 1 autostart file
+Patch501: pulseaudio-x11_device_manager.patch
+# set X-KDE-autostart-phase=1
+Patch502: pulseaudio-4.0-kde_autostart_phase.patch

 BuildRequires:  m4
 BuildRequires:  libtool-ltdl-devel
@ -218,10 +220,12 @@ This package contains GDM integration hooks for the PulseAudio sound server.
 %prep
 %setup -q -T -b0 -n %{name}-%{version}%{?gitrel:-%{gitrel}-g%{shortcommit}}

-%patch1 -p1 -b .x11_device_manager
-%patch2 -p1 -b .kde_autostart_phase
+%patch036 -p1 -b .0036
+%patch039 -p1 -b .0039
+%patch112 -p1 -b .0112

-%patch136 -p1 -b .0036
+%patch501 -p1 -b .x11_device_manager
+%patch502 -p1 -b .kde_autostart_phase

 sed -i.no_consolekit -e \
  's/^load-module module-console-kit/#load-module module-console-kit/' \
@ -534,6 +538,10 @@ exit 0
 %attr(0600, gdm, gdm) %{_localstatedir}/lib/gdm/.pulse/default.pa

 %changelog
+* Mon Jul 07 2014 Rex Dieter <rdieter@fedoraproject.org> - 5.0-6
+- rtp-recv: fix crash on empty UDP packets (CVE-2014-3970,#1104835,#1108011)
+- name HDMI outputs uniquely
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild