diff --git a/0039-Name-HDMI-outputs-uniquely.patch b/0039-Name-HDMI-outputs-uniquely.patch new file mode 100644 index 0000000..ab8f05f --- /dev/null +++ b/0039-Name-HDMI-outputs-uniquely.patch @@ -0,0 +1,77 @@ +From a5ba31bf9627b6c7d7f5e03cdccff2d52fa3299d Mon Sep 17 00:00:00 2001 +From: "Alexander E. Patrakov" +Date: Thu, 10 Apr 2014 21:13:43 +0600 +Subject: [PATCH 039/156] Name HDMI outputs uniquely + +On Haswell hardware, there are multiple HDMI outputs capable of +digital sound output. As they were identically named, KDE's control +center was unable to distinguish them, restored the wrong profile and +thus routed sound to the wrong HDMI monitor. + +Also, having identically-named menu items in other mixer applications +looks like a bug. +--- + src/modules/alsa/mixer/profile-sets/extra-hdmi.conf | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/modules/alsa/mixer/profile-sets/extra-hdmi.conf b/src/modules/alsa/mixer/profile-sets/extra-hdmi.conf +index 96652f8..191a652 100644 +--- a/src/modules/alsa/mixer/profile-sets/extra-hdmi.conf ++++ b/src/modules/alsa/mixer/profile-sets/extra-hdmi.conf +@@ -116,7 +116,7 @@ priority = 3 + direction = output + + [Mapping hdmi-stereo-extra1] +-description = Digital Stereo (HDMI) ++description = Digital Stereo (HDMI 2) + device-strings = hdmi:%f,1 + paths-output = hdmi-output-1 + channel-map = left,right +@@ -124,7 +124,7 @@ priority = 2 + direction = output + + [Mapping hdmi-surround-extra1] +-description = Digital Surround 5.1 (HDMI) ++description = Digital Surround 5.1 (HDMI 2) + device-strings = hdmi:%f,1 + paths-output = hdmi-output-1 + channel-map = front-left,front-right,rear-left,rear-right,front-center,lfe +@@ -132,7 +132,7 @@ priority = 1 + direction = output + + [Mapping hdmi-stereo-extra2] +-description = Digital Stereo (HDMI) ++description = Digital Stereo (HDMI 3) + device-strings = hdmi:%f,2 + paths-output = hdmi-output-2 + channel-map = left,right +@@ -140,7 +140,7 @@ priority = 2 + direction = output + + [Mapping hdmi-surround-extra2] +-description = Digital Surround 5.1 (HDMI) ++description = Digital Surround 5.1 (HDMI 3) + device-strings = hdmi:%f,2 + paths-output = hdmi-output-2 + channel-map = front-left,front-right,rear-left,rear-right,front-center,lfe +@@ -148,7 +148,7 @@ priority = 1 + direction = output + + [Mapping hdmi-stereo-extra3] +-description = Digital Stereo (HDMI) ++description = Digital Stereo (HDMI 4) + device-strings = hdmi:%f,3 + paths-output = hdmi-output-3 + channel-map = left,right +@@ -156,7 +156,7 @@ priority = 2 + direction = output + + [Mapping hdmi-surround-extra3] +-description = Digital Surround 5.1 (HDMI) ++description = Digital Surround 5.1 (HDMI 4) + device-strings = hdmi:%f,3 + paths-output = hdmi-output-3 + channel-map = front-left,front-right,rear-left,rear-right,front-center,lfe +-- +1.9.3 + diff --git a/0112-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch b/0112-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch new file mode 100644 index 0000000..7d26bdf --- /dev/null +++ b/0112-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch @@ -0,0 +1,58 @@ +From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001 +From: "Alexander E. Patrakov" +Date: Thu, 5 Jun 2014 22:29:25 +0600 +Subject: [PATCH 112/156] rtp-recv: fix crash on empty UDP packets + (CVE-2014-3970) + +On FIONREAD returning 0 bytes, we cannot return success, as the caller +(rtpoll_work_cb in module-rtp-recv.c) would then try to +pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger +an assertion. + +Also we have to read out the possible empty packet from the socket, so +that the kernel doesn't tell us again and again about it. + +Signed-off-by: Alexander E. Patrakov +--- + src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c +index 570737e..7b75e0e 100644 +--- a/src/modules/rtp/rtp.c ++++ b/src/modules/rtp/rtp.c +@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct + goto fail; + } + +- if (size <= 0) +- return 0; ++ if (size <= 0) { ++ /* size can be 0 due to any of the following reasons: ++ * ++ * 1. Somebody sent us a perfectly valid zero-length UDP packet. ++ * 2. Somebody sent us a UDP packet with a bad CRC. ++ * ++ * It is unknown whether size can actually be less than zero. ++ * ++ * In the first case, the packet has to be read out, otherwise the ++ * kernel will tell us again and again about it, thus preventing ++ * reception of any further packets. So let's just read it out ++ * now and discard it later, when comparing the number of bytes ++ * received (0) with the number of bytes wanted (1, see below). ++ * ++ * In the second case, recvmsg() will fail, thus allowing us to ++ * return the error. ++ * ++ * Just to avoid passing zero-sized memchunks and NULL pointers to ++ * recvmsg(), let's force allocation of at least one byte by setting ++ * size to 1. ++ */ ++ size = 1; ++ } + + if (c->memchunk.length < (unsigned) size) { + size_t l; +-- +1.9.3 + diff --git a/pulseaudio.spec b/pulseaudio.spec index 28a7aca..248548d 100644 --- a/pulseaudio.spec +++ b/pulseaudio.spec @@ -15,7 +15,7 @@ Name: pulseaudio Summary: Improved Linux Sound Server Version: %{pa_major}%{?pa_minor:.%{pa_minor}} -Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist} +Release: 6%{?gitcommit:.git%{shortcommit}}%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/PulseAudio %if 0%{?gitrel} @@ -27,16 +27,18 @@ Source0: http://freedesktop.org/software/pulseaudio/releases/pulseaudio-% %endif Source1: default.pa-for-gdm -## upstreamable patches -# simplify and ship only 1 autostart file -Patch1: pulseaudio-x11_device_manager.patch -# set X-KDE-autostart-phase=1 -Patch2: pulseaudio-4.0-kde_autostart_phase.patch - ## upstream patches # https://bugzilla.redhat.com/show_bug.cgi?id=1035025 # https://bugs.freedesktop.org/show_bug.cgi?id=73375 -Patch136: 0036-module-switch-on-port-available-Don-t-switch-profile.patch +Patch036: 0036-module-switch-on-port-available-Don-t-switch-profile.patch +Patch039: 0039-Name-HDMI-outputs-uniquely.patch +Patch112: 0112-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-397.patch + +## upstreamable patches +# simplify and ship only 1 autostart file +Patch501: pulseaudio-x11_device_manager.patch +# set X-KDE-autostart-phase=1 +Patch502: pulseaudio-4.0-kde_autostart_phase.patch BuildRequires: m4 BuildRequires: libtool-ltdl-devel @@ -218,10 +220,12 @@ This package contains GDM integration hooks for the PulseAudio sound server. %prep %setup -q -T -b0 -n %{name}-%{version}%{?gitrel:-%{gitrel}-g%{shortcommit}} -%patch1 -p1 -b .x11_device_manager -%patch2 -p1 -b .kde_autostart_phase +%patch036 -p1 -b .0036 +%patch039 -p1 -b .0039 +%patch112 -p1 -b .0112 -%patch136 -p1 -b .0036 +%patch501 -p1 -b .x11_device_manager +%patch502 -p1 -b .kde_autostart_phase sed -i.no_consolekit -e \ 's/^load-module module-console-kit/#load-module module-console-kit/' \ @@ -534,6 +538,10 @@ exit 0 %attr(0600, gdm, gdm) %{_localstatedir}/lib/gdm/.pulse/default.pa %changelog +* Mon Jul 07 2014 Rex Dieter - 5.0-6 +- rtp-recv: fix crash on empty UDP packets (CVE-2014-3970,#1104835,#1108011) +- name HDMI outputs uniquely + * Sat Jun 07 2014 Fedora Release Engineering - 5.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild