Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 512516 (CVE-2014-3970) - <media-sound/pulseaudio-5.0-r2: denial of service in module-rtp-recv (CVE-2014-3970)
Summary: <media-sound/pulseaudio-5.0-r2: denial of service in module-rtp-recv (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2014-3970
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-05 14:26 UTC by Agostino Sarubbo
Modified: 2014-11-13 12:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-05 14:26:43 UTC
From ${URL} :

It was reported [1],[2] that PulseAudio suffers from a remote denial of service if the module-rtp-recv 
module is loaded.  A remote attacker could crash this instance of PulseAudio by sending an empty UDP 
packet to the multicast address that module-rtp-recv is listening (due to a previous SAP/SDP 
announcement).  The problematic code is in the pa_rtp_recv() function [3], when it handles the results of 
the FIONREAD ioctl.

The problem has existed in PulseAudio since 2006-04-16 (git commit f1ddf0523, so probably around 0.8.1).

A potential patch has been submitted upstream [4] but has not yet been accepted.

[1] http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html
[2] http://openwall.com/lists/oss-security/2014/06/04/8
[3] http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/modules/rtp/rtp.c#n185
[4] http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020741.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Pacho Ramos gentoo-dev 2014-06-12 17:43:41 UTC
+*pulseaudio-5.0-r2 (12 Jun 2014)
+
+  12 Jun 2014; Pacho Ramos <pacho@gentoo.org>
+  +files/pulseaudio-5.0-crash-udp.patch,
+  +files/pulseaudio-5.0-module-switch.patch, +pulseaudio-5.0-r2.ebuild:
+  Fix CVE-2014-3970 (#512516), bash-completion dir (#509486 by poncho) and apply
+  a patch from upstream used in Fedora to fix the profiles switching.
+
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-12 19:07:17 UTC
amd64 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-12 19:10:06 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-12 19:43:00 UTC
You mean this?

Arch teams, please test and mark stable:
=media-sound/pulseaudio-5.0-r2
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-13 19:04:23 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2014-06-15 12:38:38 UTC
arm stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2014-06-17 11:47:05 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2014-07-05 12:41:03 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-07-05 12:51:33 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-07-05 12:54:32 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-07-05 12:56:12 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-05 13:01:36 UTC
GLSA vote: no.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 18:39:36 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

GLSA Vote: No
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-07-06 18:44:47 UTC
CVE-2014-3970 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3970):
  The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module
  in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of
  service (assertion failure and abort) via an empty UDP packet.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 22:09:02 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-09-16 00:11:51 UTC
Vulnerable versions have been around for two months.

Maintaner(s): Please drop affected versions, security will remove in 30 days if no response.
Comment 17 Pacho Ramos gentoo-dev 2014-11-13 12:21:40 UTC
+  13 Nov 2014; Pacho Ramos <pacho@gentoo.org> -pulseaudio-2.1-r1.ebuild,
+  -pulseaudio-4.0.ebuild:
+  Drop old (#508854)
+
Comment 18 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-13 12:24:00 UTC
Thank you for cleanup. Closing bug as noglsa.